MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab08cb1279ca9edb9f2c8ca26e4785ad7db6aefaea3e952f20b50387fad0b9b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	ab08cb1279ca9edb9f2c8ca26e4785ad7db6aefaea3e952f20b50387fad0b9b1
SHA3-384 hash:	3a687326bdee9fcebd20a0eefa19e2b0a2182322b9e251a10041e63af2a9e7c9c335016991951088f1bb4f21fa30c2e7
SHA1 hash:	7c57c02e4cf47b0d3449aada841ffc5f127bd41d
MD5 hash:	4ea1be50c91ccd1dbadb711fc6a66e86
humanhash:	mirror-nineteen-washington-diet
File name:	AĞUSTOS AYI PERSONEL BAZLI PRİM KAZANÇ TABLOSU.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	928'768 bytes
First seen:	2021-10-02 07:00:25 UTC
Last seen:	2021-10-02 08:26:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02d9540b3caae3947bb67b457ce80180 (1 x Formbook, 1 x RemcosRAT)
ssdeep	12288:71SQXKUDd846LeAIeQw9gDgX8asea5HkmOith785jWU1bjjx:71T76LDIeQw1bnMhnj85SU1bj
Threatray	1'450 similar samples on MalwareBazaar
TLSH	T18C159F56B2E05832D8B7293BCE97A325F43AFF4628A0E4496BF51A0DCF762D43C35152
File icon (PE):
dhash icon	68c8d284a038c170 (1 x Formbook, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe geo RAT RemcosRAT TUR

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AĞUSTOS AYI PERSONEL BAZLI PRİM KAZANÇ TABLOSU.exe

Verdict:

Suspicious activity

Analysis date:

2021-10-02 07:03:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5f274440-790f-4fc3-995c-37001f3f25e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/194136/

Detection(s):

SecuriteInfo.com.Variant.Zusy.402582.6154.16525.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching the default Windows debugger (dwwin.exe)

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/74c5e5c9-829a-4a3d-8e4c-adc59cdfbc07

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab08cb1279ca9edb9f2c8ca26e4785ad7db6aefaea3e952f20b50387fad0b9b1/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-10-02 07:01:05 UTC

AV detection:

18 of 45 (40.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmemwetzzkpnxhzmrsrg4r4fvv63nlx25i7jklzawubyp6wqxgyq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44

RemcosRAT

49c1e306362700be6143f3dc9592a72ca5d9dc3d7237d9f8e4f14b5c14ea2155

RemcosRAT

6eee5d1c67a8e34e6d03d64fca1195bf26ceac2a68f454cc37e743ace0483a9f

RemcosRAT

83413a3a3f07ee931dbfecaefed51d0b01d2b13b85920bdd485f0b2ce41acba5

RemcosRAT

ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9

RemcosRAT

c409017de52a4a6ad3a0cd3ab97ad17f9be172136155bf548bef49d7777cec1a

RemcosRAT

cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26

RemcosRAT

db28682ec511e61fa9a6425d0c7a908a99cf19b3f08c81b0e61bec26e24a15d6

RemcosRAT

e3b9a35e9155fd3c927956f03d54da02f28cc27437537d67ba302ddb4a40e57b

RemcosRAT

+ 1'440 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211002-hs8jssdhd8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703

MD5 hash:

6cfdeebc3c72279486ddd229eb14b009

SHA1 hash:

e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7

Link:

https://www.unpac.me/results/f63156cd-dcf9-495e-bc65-4490eba757fe/

SH256 hash:

ab08cb1279ca9edb9f2c8ca26e4785ad7db6aefaea3e952f20b50387fad0b9b1

MD5 hash:

4ea1be50c91ccd1dbadb711fc6a66e86

SHA1 hash:

7c57c02e4cf47b0d3449aada841ffc5f127bd41d

Link:

https://www.unpac.me/results/f63156cd-dcf9-495e-bc65-4490eba757fe/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ab08cb1279ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/ab08cb1279ca9edb9f2c8ca26e4785ad7db6aefaea3e952f20b50387fad0b9b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194136/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample