MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a415a8e3922c0026ce33f3663d90894e209ef6dea4e30de47018cdd58a6b2fbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a415a8e3922c0026ce33f3663d90894e209ef6dea4e30de47018cdd58a6b2fbc
SHA3-384 hash: b3f977d58474d31be5e6213eff69985af9c5e459eeecb8aa5717012ede2999103e7c89d3d354daa987651480b0b52e2b
SHA1 hash: 326fd539ed0556df76e0790350f8279ae5320325
MD5 hash: 3c617e084b9c154cfe958ae087fa5c26
humanhash: illinois-alanine-east-alanine
File name:3c617e084b9c154cfe958ae087fa5c26.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:199'586 bytes
First seen:2020-11-05 07:32:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc5ce990cf54f8d435a68eb97512f73e (1 x RemcosRAT, 1 x NetSupport)
ssdeep 3072:0zNWMKKRZYchObK91C8sV6Xmoo4LEpYyiDfoLFR68gUOD4iJpvw5rXKWgS/uJPuo:0ZuuObR8sVImcyYyCoZU6ejV0rXkS0vV
Threatray 213 similar samples on MalwareBazaar
TLSH 3714D005B3C980F3E051053078ADA6B3ED3CFE3667A0725AE785CD695CB4261E509FAB
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83085/
Detection(s):
PUA.Win.Packer.RarSfx-1
Create hunting rule

PUA.Win.Packer.RarSfxModificat-1
Create hunting rule

SecuriteInfo.com.Adware.Generic2.VPP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Setting a keyboard event handler
DNS request
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521014
Signature
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309605 Sample: CNwds4WMxY.exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 28 encrushias328.sytes.net 2->28 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Detected Remcos RAT 2->36 38 3 other signatures 2->38 9 CNwds4WMxY.exe 1 11 2->9         started        signatures3 process4 file5 24 C:\Users\...\ididertsew324qqwsace.sfx.exe, PE32 9->24 dropped 12 cmd.exe 1 9->12         started        process6 process7 14 ididertsew324qqwsace.sfx.exe 10 12->14         started        18 conhost.exe 12->18         started        file8 26 C:\Users\user\...\ididertsew324qqwsace.exe, PE32 14->26 dropped 48 Multi AV Scanner detection for dropped file 14->48 20 ididertsew324qqwsace.exe 1 2 14->20         started        signatures9 process10 dnsIp11 30 encrushias328.sytes.net 20->30 40 Antivirus detection for dropped file 20->40 42 Multi AV Scanner detection for dropped file 20->42 44 Machine Learning detection for dropped file 20->44 46 6 other signatures 20->46 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a415a8e3922c0026ce33f3663d90894e209ef6dea4e30de47018cdd58a6b2fbc/
Threat name:
Win32.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2017-10-18 02:18:41 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uqk2ry4sfqacntrt6ntd3eejjyqj55w6utrq3zdqddg5lctlf66a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2724b91c1bc89c7b25a91efd5e2da4455efc769600fc7735715582ba12201085
RemcosRAT
51358357df23c81216cfed7bb144fcf65b611e622a661fa9fd5beaea4d749bb3
RemcosRAT
582e6c2f0efae023abdac592f802ff5330b95eb4f66cdcad52f73b04e67cad57
RemcosRAT
5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d
RemcosRAT
753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3
RemcosRAT
762d689595557fa3064907433659411b95132e554f7d17fcf62d1a77db51e3e5
RemcosRAT
81783c63ad44bdb77b3db79ec3cafb33222395e89d765c4ffbab36ea6b9c96eb
RemcosRAT
9160a75fe7bd27c3cb8141039d4c7383162b199454dfa285dd7d11f9fcfe52b1
RemcosRAT
aad53b1b6e50e7ee426f0790b5497cb7d63704a6775248f258db1263762761bb
RemcosRAT
f7ca26d121ee9ccd739a78656ce737c0c48e0d1c6cca667da547fa2bd3c6c80e
RemcosRAT
+ 203 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/201105-l5esgdjxqa/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
encrushias328.sytes.net:200
Unpacked files
SH256 hash:
a415a8e3922c0026ce33f3663d90894e209ef6dea4e30de47018cdd58a6b2fbc
MD5 hash:
3c617e084b9c154cfe958ae087fa5c26
SHA1 hash:
326fd539ed0556df76e0790350f8279ae5320325
Link:
https://www.unpac.me/results/9ce3f02b-8794-46d2-8e40-1e6ecc273c20/
SH256 hash:
b75fb6f10eb70f75dc380b2a6e62e6b200aea27f3d597ed600ebd1e78f45957c
MD5 hash:
74579dfcd11dcc3e1b7d18304601d4db
SHA1 hash:
8b4e213608ec979ff9bfa2f421960dcb11ef378a
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/9ce3f02b-8794-46d2-8e40-1e6ecc273c20/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/83085/

Comments