MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 8 File information Comments

SHA256 hash:	993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872
SHA3-384 hash:	7cd0ee58b2703e8a8ff0f2b0ab17dd5f85dee8ae4e47f6d3a2f52b68c7b3f48b77808841560ef75d89d68ad99d908364
SHA1 hash:	f212be1953068232db365ef40595297e4a273aa7
MD5 hash:	1c216b0e1b9e57aaae50dd7448664b46
humanhash:	zulu-white-green-apart
File name:	1c216b0e1b9e57aaae50dd7448664b46.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	821'248 bytes
First seen:	2021-09-27 14:02:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:E7AimIdnjq1O+Wg16qOmORF71hRoWMHU8LtDEbMCioLE1HG7UYSGa4mocfJMGBGt:qdtYHOT79oxfCoCDE1HG7p1
Threatray	650 similar samples on MalwareBazaar
TLSH	T1CC05F09C761075EFC85BC976CEA42C64EA20B5B7530BD203E02715AD9A0DADBCF154F2
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
31.210.20.224:22420

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
31.210.20.224:22420	https://threatfox.abuse.ch/ioc/227069/

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1c216b0e1b9e57aaae50dd7448664b46.exe

Verdict:

Malicious activity

Analysis date:

2021-09-27 14:19:33 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/81b8385c-b474-4098-9694-91682e35b217

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/192137/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b859fcd-b08e-41dc-bb0c-5a946d2fcbf2

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/859209

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-15 01:08:14 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=te2srloos67ddrwb4hab6sdx6iu3cdupa24h3df4yl4vwrugnbza._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2

RemcosRAT

5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8

RemcosRAT

77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929

RemcosRAT

860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c

RemcosRAT

87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95

RemcosRAT

a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893

RemcosRAT

b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50

RemcosRAT

bfd45ef21e21655c921b457242c1d4e05a1e979d0051a4195192d8e17b7bed38

RemcosRAT

d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613

RemcosRAT

+ 640 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/210927-rcpanahbfk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

fax-joh.dyn-ip24.de:22420

Unpacked files

SH256 hash:

905d862e6225f5cf2d058551f5946ff701bceb652081004da0de09ec01ac375f

MD5 hash:

f4ae53f4b286ae0de3ba2a198e5e44b3

SHA1 hash:

b8c2304a7866ff1f437f76ff356c231f50d1493c

Link:

https://www.unpac.me/results/2a125f96-da19-4b16-91ca-8fc4b3237e4e/

SH256 hash:

ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587

MD5 hash:

43ababb6b0a02907aad43084f12b10d9

SHA1 hash:

b60ba705891d5a666d64300181b475a46714ffa8

Link:

https://www.unpac.me/results/2a125f96-da19-4b16-91ca-8fc4b3237e4e/

SH256 hash:

d50db54d0287d66ab2d897abbf801eff7f7d947fcaba4fc47d9598aac988f85b

MD5 hash:

5374f07f10cfe91adcc2c60d5aed9044

SHA1 hash:

7c433b6330159f3ea616fab3fb381ae4e61935c4

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/2a125f96-da19-4b16-91ca-8fc4b3237e4e/

Parent samples :

6f92daf1987fdbeb08911e7081215c3bf8d5241428011e635ed1c61db6230bb0
8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43
993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872
af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488

SH256 hash:

993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872

MD5 hash:

1c216b0e1b9e57aaae50dd7448664b46

SHA1 hash:

f212be1953068232db365ef40595297e4a273aa7

Link:

https://www.unpac.me/results/2a125f96-da19-4b16-91ca-8fc4b3237e4e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192137/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample