MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a
SHA3-384 hash:	078368302a67cd9464164fd18602c69365991aa3373f07c8448cd3499d3999b8a78855cb3a9b18fbf2b25234ec704f29
SHA1 hash:	2f23b9b4603fc89bc4f8616b9a3b1ee8c5f74b8d
MD5 hash:	ba8a6e47aa879cca4370ee1d3aed79df
humanhash:	item-berlin-item-oxygen
File name:	6aoBH1azTKmchrm.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	940'544 bytes
First seen:	2020-10-24 06:33:52 UTC
Last seen:	2020-10-24 13:25:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:jmLs0OswD3pbZ/8cUpXA2ReVmb3sGYtPTPP9CySrqOaIhX4irIeNHVISkKX8+3jo:5lMA2QVS0LX9IXI2N8+3jnkE8
Threatray	867 similar samples on MalwareBazaar
TLSH	3415DF2612857F00FA7E2B3BDAA49840A3FAFD016613DD2E9CE034CE55B1F55A907B17
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT UPS

abuse_ch

Malspam distributing RemcosRAT:

HELO: grace
Sending IP: 52.143.119.158
From: UPS Customer Service <pkinfo@ups.com>
Subject: UPS - Package Arrival Notification
Attachment: UPS Detail.img (contains "6aoBH1azTKmchrm.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/75177/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34887160.22519.17212.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/508568

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-23 18:56:01 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=unrmiiw5tiwcjj6ms3obijchiljee5fxrwslbitrk6wj47bywbfa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2ac56457e5dfd887f318ab16bbc8fa9711095b8cb4cae99f5a34358c9a8502f0

RemcosRAT

71d7c76b658053e46f6dff1e25fc4ed32bdbe2afd879ce510ce79d327c34bc31

RemcosRAT

94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d

RemcosRAT

9693d78b6cb6fcdb5e129c278d307d7fa6bef2fff302498909640051f22b730e

RemcosRAT

a7154f13f8a8a66f47afafe4099e6e760aef60af8eb8d66de0d8ee83cfe1ef8b

RemcosRAT

b530ffc8af72cb51943f2fb8f38bc778c4544f57b61de593960dd4a97327ca64

RemcosRAT

c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993

RemcosRAT

c1db0bc7089675799a66c321a0401a402b94e0d455037b0cbd76e54188de43c8

RemcosRAT

ef93be06b93e89bc68dd92ca713f40e320a654c49a241a6884785acf964b8ba9

RemcosRAT

+ 857 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos

Link:

https://tria.ge/reports/201024-avg9ky9tpe/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Unpacked files

SH256 hash:

8fd5eee882ad494be15f1c049fa0f20e6a16795c64f53bf385541f2f9279f17d

MD5 hash:

b8861be3a5e378d1bd0aa1745bd57f90

SHA1 hash:

0bac7e2654f9c089fb4cc2c1a21fe056f087d9ed

Link:

https://www.unpac.me/results/f4b3afb5-2a91-452f-a86a-a44ec49fe822/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/f4b3afb5-2a91-452f-a86a-a44ec49fe822/

SH256 hash:

b1c7113019717dfed0a8d439d9757633f89d3dcf596f87854c6c08f51be32eb0

MD5 hash:

bf5b18e4225828766aaa6208ab71448b

SHA1 hash:

f1cab5582d717fcd4a2b2bb052d64138f86d9ea6

Link:

https://www.unpac.me/results/f4b3afb5-2a91-452f-a86a-a44ec49fe822/

SH256 hash:

0f2574db1d5043944e5c9ed2d83bfc450032382659b9a3150dd17cb75b18fe5b

MD5 hash:

14e8e83ee21b6a0be310741ccf866721

SHA1 hash:

216902b0fcf0d206ae3f667bf4535a0232cbb9b4

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/f4b3afb5-2a91-452f-a86a-a44ec49fe822/

Parent samples :

fc0abbcd2fbe032bc1bda90e14e1d029dfcf42ab6b98def50a47ff8823aa2349
76d694e6cd2c80db5b3e4a46497548a424e0f1babf5c36402cc48060ebe5ced0
fc7fd37bff4982766c447be231c86ac253be2ec80f18f693ff50b46f66c0f054
2ac56457e5dfd887f318ab16bbc8fa9711095b8cb4cae99f5a34358c9a8502f0
a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a
b35741dc7b3748ad255394b04aa0b6f2a25fda177ba6ad504a2b802f555c33b2
3e369df40fa1613981245f3c71f9dd443dab8933e854b15de9735b5be53ef8fb

SH256 hash:

a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a

MD5 hash:

ba8a6e47aa879cca4370ee1d3aed79df

SHA1 hash:

2f23b9b4603fc89bc4f8616b9a3b1ee8c5f74b8d

Link:

https://www.unpac.me/results/f4b3afb5-2a91-452f-a86a-a44ec49fe822/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator