MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8
SHA3-384 hash: e61c729ed44fad29a5f7a8e1788232bfe3695d4c445a0ff9ba7cdb838c678d513373f76ac9c54ffae7ba6632f13a2fdd
SHA1 hash: 0a232515d6cf2970c58f58504dd8c30da41470b8
MD5 hash: 4436e740b10c60190d50d4a9260c1cc7
humanhash: early-mike-kansas-finch
File name:Signed PO202002FiveBro2A2.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'195'840 bytes
First seen:2021-02-11 07:28:04 UTC
Last seen:2021-02-11 10:09:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:U2P4PBFBlDz1EMn0/nuVGccO/aw5z7PBEgFMoDaZyb5oasu6GDgW3VT9cHBHlW50:pP4nBlDz1EMn0/nuVGccO/aw5z7PBEgA
Threatray 38 similar samples on MalwareBazaar
TLSH 3C16B357C284D530E42D13FC6464CCEA526EFEDBA6BBD42C690E7C89D633B08D81A5D2
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: ds1196.tmddedicated.eu
Sending IP: 198.20.127.220
From: Kiran Sonawane <mumbai@fivebro.com>
Subject: New PO (Signed)
Attachment: Signed PO202002FiveBro2A2.xz (contains "Signed PO202002FiveBro2A2.exe")

RemcosRAT C2:
severdops.ddns.net:7721

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed PO202002FiveBro2A2.exe
Verdict:
Malicious activity
Analysis date:
2021-02-11 07:30:33 UTC
Tags:
trojan rat remcos
Link:
https://app.any.run/tasks/168d922f-cf4c-4540-9c30-bea066fec894

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116678/
Detection(s):
SecuriteInfo.com.generic.ml.5780.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605408
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 02:38:41 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=whqvxgunvwhatzveiikujhylj6p3e2pw4afdcbvfeb4a4q6c57ma._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
035cba8ea6bbe0336a0221e86b571e530764939150df17f636fd23ad30db3f27
RemcosRAT
1e5a328f760c35f905390fb4bcf0eefa75936c79a43e22ca7557da0e315c72ed
RemcosRAT
2f85c41ee13d69e68454d97153252e8ba9a3a0e85573427eac0600d41fa6824d
RemcosRAT
558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d
RemcosRAT
6cef436fd5577158e43bd7cc85ea84cdac90044d8e9f93c254ee7ed119fa7aed
RemcosRAT
926da3334135961ff0c19ecf4358201ba4734ab01186061c423deeb081ec1cff
RemcosRAT
aa9c1ce82c3c4c29355c38931c6cc6e1cd1414051c772de3fbf0cd9439c52965
RemcosRAT
c062b4a790666b338f7955ea792605bf0244a8d36cb1050c602727ff6d654e36
RemcosRAT
d96b554a08cd2f503d6a1ffe5303b34f8bd6f91b369bd95e9d16642b4fece2cb
RemcosRAT
faf6463f13ccaac3980d0d71fdb44e4f56d4a519612e215e021af67140d7e855
RemcosRAT
+ 28 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210211-g6z2t7bkvs/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Remcos
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/f11f6789-3163-4505-b62e-35af4372543d/
SH256 hash:
b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8
MD5 hash:
4436e740b10c60190d50d4a9260c1cc7
SHA1 hash:
0a232515d6cf2970c58f58504dd8c30da41470b8
Link:
https://www.unpac.me/results/f11f6789-3163-4505-b62e-35af4372543d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 26929c207c3f9f022704cad47d0f1ead87ddfc49ed2cc8fe12b86227b6067e1c

RemcosRAT

Executable exe b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8

(this sample)

  
Dropped by
MD5 12cf4745af3061dc43c79c2a2941a2bb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116678/
  
Dropped by
SHA256 26929c207c3f9f022704cad47d0f1ead87ddfc49ed2cc8fe12b86227b6067e1c

Comments