MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2fad2958e6dd09d0d980d4e5d158c2a2eb18963d47fc95779c22bc2d203cb8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2fad2958e6dd09d0d980d4e5d158c2a2eb18963d47fc95779c22bc2d203cb8e
SHA3-384 hash: 878716b51643f70fcc9994ad05e3f95686c027255f33f80ca49205038b28edeeba960dacef6404982934dd824bf1477f
SHA1 hash: 42c87894f183c3612e1662f531003bbe7478f875
MD5 hash: 6cfceeb676d49151e8c2fec9c4209789
humanhash: pluto-east-equal-single
File name:6cfceeb676d49151e8c2fec9c4209789
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'904'080 bytes
First seen:2022-03-15 15:18:59 UTC
Last seen:2022-03-15 18:57:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 01d1b984e99e67b6f7ae46199d7dfd92 (12 x RemcosRAT)
ssdeep 49152:K9SRQo3DNrOKFcHxALBpIHo9HYdZvXYEj4UDEbVhqTig2Iug/xRNzacq:KMRQo3DNry23M80F4WyhqTi5Iug/xRN8
Threatray 10'068 similar samples on MalwareBazaar
TLSH T1E0D5336C49F729A9C987A43185A6E533A2583ED4A9CC2D876DFF3F27B8E550DC3C4840
File icon (PE):PE icon
dhash icon c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
6cfceeb676d49151e8c2fec9c4209789
Verdict:
Suspicious activity
Analysis date:
2022-03-16 04:34:56 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/ca745ecc-40ef-4fab-afb0-c3fdc44fc739

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250953/
Detection(s):
SecuriteInfo.com.Variant.Zusy.416847.2732.22543.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Changing a file
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Forced shutdown of a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/6230ae7c0cd58dbd929f7257/reports/e5f384e2-d05d-47a1-bda5-2dbdb52e92e3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c849b954-e38a-4988-bdf8-9a5106a46d02
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957188
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2fad2958e6dd09d0d980d4e5d158c2a2eb18963d47fc95779c22bc2d203cb8e/
Threat name:
Win32.Spyware.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 12:04:02 UTC
AV detection:
26 of 37 (70.27%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1fed413e1cf6bf9886f077ac4ebe4c86b566917bf3b0cd806805acbb89b27558
RemcosRAT
4ccc8a0286b73b62f34fee2f3927c12a73aa47f272f40a4ba7085d84dc1785aa
RemcosRAT
4d3b3b7bcb7d186bd6cd61954cb858c00d1395dffc221f4f70ee3be2b5def793
RemcosRAT
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
RemcosRAT
6f476c63a6d699d1f0166313deb1e0f623c689882de8411bcd4f0b4f880526dd
RemcosRAT
99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
RemcosRAT
cecec27d948d08eca8d94d9393903ce0af037d7375094ad4e988633d27af0415
RemcosRAT
e4b26e2c09188228c4db16281887a17e90baaf95c7b691fa75d05af9f79ff20a
RemcosRAT
+ 10'058 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:rh1 evasion persistence rat themida trojan
Link:
https://tria.ge/reports/220315-sp67nsdbd6/
Behaviour
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Remcos
UAC bypass
Malware Config
C2 Extraction:
185.29.9.125:2404
Unpacked files
SH256 hash:
e28343f66e12ece15bfc243ac679ed359d5a85cf636257a8d5db18ad1172ff5f
MD5 hash:
1b53365794a5e37b5c5fb79dbb0a396e
SHA1 hash:
dbe7a3a3d179f18c8150cf15f0809114858ba10b
Link:
https://www.unpac.me/results/dbe958a8-c37d-4570-9662-5b3c8c063ac3/
SH256 hash:
a2fad2958e6dd09d0d980d4e5d158c2a2eb18963d47fc95779c22bc2d203cb8e
MD5 hash:
6cfceeb676d49151e8c2fec9c4209789
SHA1 hash:
42c87894f183c3612e1662f531003bbe7478f875
Link:
https://www.unpac.me/results/dbe958a8-c37d-4570-9662-5b3c8c063ac3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a2fad2958e6d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/a2fad2958e6dd09d0d980d4e5d158c2a2eb18963d47fc95779c22bc2d203cb8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe a2fad2958e6dd09d0d980d4e5d158c2a2eb18963d47fc95779c22bc2d203cb8e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2087388/
  
URLhaus
https://urlhaus.abuse.ch/url/2076488/
  
URLhaus
https://urlhaus.abuse.ch/url/2098447/
Cape
Cape
https://www.capesandbox.com/analysis/250953/

Comments


Avatar
zbet commented on 2022-03-15 15:19:00 UTC

url : hxxp://nbs.vizzhost.com/drop/185rms.jpg