MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755
SHA3-384 hash:	64e5891108701dd033741efe8fcb21f2fe7646b4d37343a67f749083a8e2955e0ee8c04b0133b885f829aedc3d1bb456
SHA1 hash:	3e756310feada7cc02aae1b454435049fd4109fa
MD5 hash:	4d60cc163ccab4b013fa1ec3d5d9cbc2
humanhash:	sad-magnesium-seventeen-harry
File name:	docs-9035.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	957'768 bytes
First seen:	2021-02-20 11:26:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f57b4e4642b7bb0d416dbb81ca606420 (1 x Loki, 1 x RemcosRAT)
ssdeep	12288:EucK08u8Bjz2kUCaz/F3IBBH1eqGyOJlRtLAPjBLFEGeNFK9uzc3QK1jCzbLfWL9:EPKvBvHbMK9IZqfLtDocp3
Threatray	182 similar samples on MalwareBazaar
TLSH	7E155DF2990A4B21F01B373DE48AE63416A5B9BD3D0953A6CE943B078B5B3583D9407F
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DLAgent07

Link:

https://www.capesandbox.com/analysis/118113/

Detection(s):

Win.Dropper.Fareit-9832696-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Connection attempt

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/613275

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Svchost Process

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-02-20 07:48:56 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t4x4nco6e3gxiynnzeo23hrwtuzfbxyydfdg6vs76brd4pehi5kq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d

RemcosRAT

5527aee4e45fad012be08beb8622e0471286523fa3abb1719d1f71deedf323eb

RemcosRAT

558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d

RemcosRAT

6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed

RemcosRAT

71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0

RemcosRAT

926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff

RemcosRAT

b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8

RemcosRAT

d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb

RemcosRAT

faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855

RemcosRAT

+ 172 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210220-7g1bcp65kj/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

style.ptbagasps.co.id:42024

Unpacked files

SH256 hash:

742d9dde82f369f53ebd096e97446b429793401ab681f63e6b24b87ebc1bbc06

MD5 hash:

6a9a262f0ad021baff8e22a6dd4a53ae

SHA1 hash:

160189d345c18854b631a20011103edd2fdd136f

Link:

https://www.unpac.me/results/2898c962-9570-47c6-97de-c1f7a486195a/

SH256 hash:

9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755

MD5 hash:

4d60cc163ccab4b013fa1ec3d5d9cbc2

SHA1 hash:

3e756310feada7cc02aae1b454435049fd4109fa

Link:

https://www.unpac.me/results/2898c962-9570-47c6-97de-c1f7a486195a/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 9f2fc689de26cd7461adc91dad9e369d3250df1819466f565ff0623e3c874755

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/118113/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample