MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e2f12a9f3c0111297fc6741ed27cd226789500a9aa012a738c524a20ffbc837. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 6

SHA256 hash: 9e2f12a9f3c0111297fc6741ed27cd226789500a9aa012a738c524a20ffbc837
SHA3-384 hash: 7038b0588e997925c354a02885b65872b1622104d1fbdfef74fa1ac53cf6e905aeb7edce35b99163b807ee022cace201
SHA1 hash: 0693385d984a0bfef3f9ac9d5320e9467dc220dd
MD5 hash: b5bd8d66e3db84f2ab18713465ed4637
humanhash: edward-item-eight-kentucky
File name: #20102141 Quotation.exe
Signature: RemcosRAT
File size: 714'720 bytes
First seen: 2021-03-17 15:52:55 UTC
Last seen: 2021-03-18 07:38:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8bf672a41053f2797940aae8ccd5c211 (2 x RemcosRAT, 1 x NetWire)
ssdeep: 12288:Dcmw61oKvfK189V4k3vymEyhVPznPMP8PGF7a34UWKg:oC1Y189SkKmnEEf3Xg
Threatray: 2 similar samples on MalwareBazaar
TLSH: 75E47D61A1A104F2D0535A799C26626844AABE713EB45D4637FC2D0CBFFF7803E2CD96
Reporter: James_inthe_box
Tags: exe RemcosRAT signed

Code Signing Certificate

Organisation: AAAruntest
Issuer: AAAruntest
Algorithm: sha1WithRSA
Valid from: 2021-03-17T10:39:53Z
Valid to: 2039-12-31T23:59:59Z
Serial number: -626eaec753253e5fbb50591a266a983b
Thumbprint Algorithm: SHA256
Thumbprint: b0af2470793eb6150385e78ab6d8e8e3811a3121de59dd264994224a3629ac0c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 121
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: #20102141 Quotation.exe
Verdict: Suspicious activity
Analysis date: 2021-03-17 15:54:26 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness: n/a

Behaviour:
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100

Signature:
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-03-17 15:52:33 UTC
File Type: PE (Exe)
Extracted files: 41
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour:
Modifies system certificate store
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Unpacked files
SHA256 hash: 9e2f12a9f3c0111297fc6741ed27cd226789500a9aa012a738c524a20ffbc837
MD5 hash: b5bd8d66e3db84f2ab18713465ed4637
SHA1 hash: 0693385d984a0bfef3f9ac9d5320e9467dc220dd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only matches from TLP:CLEAR rules are displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Other