MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639
SHA3-384 hash:	da96730314b579b7d67d58616ff282225e7b26126ca1d11ecf59ba58e63021f22f61b39e8221fb10f3156ddd9316dfb1
SHA1 hash:	be7175cc0e25bdd23149f49b61b732ef3dbc2911
MD5 hash:	d259f32b74a652fd423459736e397f73
humanhash:	magazine-nuts-steak-jig
File name:	SecuriteInfo.com.Trojan.PackedNET.472.20023.2976
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	449'536 bytes
First seen:	2020-12-18 19:32:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:GKaVWavxJQ4lWdj0HXvPdDxpUydMdj17MU/F1dU51ZE9t8:G3WmllWeHXHdDcFZD91dQzE9O
Threatray	1'262 similar samples on MalwareBazaar
TLSH	8AA4AD7824904132C0F2577BFAA6A279B307BFD4B1D4552AB908B76B5F337898DC2631
Reporter	SecuriteInfoCom
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639

Verdict:

Malicious activity

Analysis date:

2020-12-09 01:27:32 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/8bb3df28-ff30-4a94-b426-02dde87adf89

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/108491/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.472.20023.2976.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Connection attempt

Sending a UDP request

Forced shutdown of a system process

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos MicroClip

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/566611

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates an undocumented autostart registry key

Detected Remcos RAT

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected MicroClip

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639/

Threat name:

ByteCode-MSIL.Trojan.DelShad

Status:

Malicious

First seen:

2020-12-03 09:16:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 48 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=twmw33do6rhs7i64wzpfiwq2emgid444fjnk52fnvzr3m44aoy4q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

232e0519807d6bd5adad7c4617644803d6e3b3524595dfd80d5eadcc001c99f1

RemcosRAT

2ac56457e5dfd887f318ab16bbc8fa9711095b8cb4cae99f5a34358c9a8502f0

RemcosRAT

4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8

RemcosRAT

4a94b062dbb9df940520146d100df5b019795d0f508d7ba89d24eb18725e1608

RemcosRAT

5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385

RemcosRAT

82027bdaf86e2d0da1c45ede5efd820a1cbaace1b1b8f7675b8115d82db75f26

RemcosRAT

8a926e1548b8ad5379c12ec3556049bddf38a042c9c255db4674b752788f7d79

RemcosRAT

e26c95b32b64e3f7b5d72d52be2fd7cb52c7a2c1df25f5337a783a1735f806ad

RemcosRAT

f7e29cbf47c9804eb341836873ea6837be7a46639978f44d9ba2670d47e68d56

RemcosRAT

+ 1'252 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201218-sx5qwqj3ex/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

89.39.107.61:2606

Unpacked files

SH256 hash:

9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639

MD5 hash:

d259f32b74a652fd423459736e397f73

SHA1 hash:

be7175cc0e25bdd23149f49b61b732ef3dbc2911

Link:

https://www.unpac.me/results/b4f059e3-af24-4c1a-9a32-d4bcb4de0f1a/

SH256 hash:

83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1

MD5 hash:

3c5dbcc3bb27e913e14efd8054811373

SHA1 hash:

b0eba9388abddaef9d5aa49ccd5dbab2924cced0

Link:

https://www.unpac.me/results/b4f059e3-af24-4c1a-9a32-d4bcb4de0f1a/

SH256 hash:

784b7c58ef5ebc3de7d804df737c2a1860e6765ef12dceb9b7de05695c3364d4

MD5 hash:

c728d6391f750c4ea822a46c6949e6ed

SHA1 hash:

f3ec54499b7e686185d73e55fcb760b29b094367

Link:

https://www.unpac.me/results/b4f059e3-af24-4c1a-9a32-d4bcb4de0f1a/

SH256 hash:

7cde31baa2605ecc709244d8f6c3e79f3ac2fbd3fdc96078856a5720f640e3b2

MD5 hash:

66f7c31b0e1219f3a5c73f217898ca16

SHA1 hash:

1060df4df20ac9451bbecbf41c2c39b373a2b4d0

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/b4f059e3-af24-4c1a-9a32-d4bcb4de0f1a/

Parent samples :

9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639
fb4947b8574470e02727c7e4aef3b95d9a2b2ca05c5e83c3a3d9cec271ee1b06

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d996dec6ef44f2fa3dcb65e545a1a230c81f39c2a5aaee8adae63b673807639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator