MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d39fb4b40ec022ad70342450d49c41bab141b7c9d519c92b574d3b09eeb0cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	b2d39fb4b40ec022ad70342450d49c41bab141b7c9d519c92b574d3b09eeb0cd
SHA3-384 hash:	5a33a361db2e7da68ef2d5814cff05336b249aadbbc6ae8bc6cabc4d0a8f4d0967a3515fec6aa89c88e559a7c3cb9a9d
SHA1 hash:	993f193852fec50d36bbe500419a2f56ca64a75b
MD5 hash:	0024b46b8d737ed8c36f0e73c67ff8c4
humanhash:	batman-mountain-delaware-mockingbird
File name:	1dd317f01421SPOOL000000054400010001.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	336'888 bytes
First seen:	2021-06-07 05:41:56 UTC
Last seen:	2021-06-07 07:18:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	6144:jVpHYFbkn4ffjAWviEQdXJANsjcF10wZz+YzmoahX53OIeo7nga5OXQHu8:jLHYZk4HjAWYBGBE3T3OIeYnghAHj
Threatray	1'861 similar samples on MalwareBazaar
TLSH	D9641282D3580987FDF22D3D65B39F981EB9BF329DD0620728EA744B4DB370251A154E
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
116.203.140.78:2404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
116.203.140.78:2404	https://threatfox.abuse.ch/ioc/72142/

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1dd317f01421SPOOL000000054400010001.exe

Verdict:

No threats detected

Analysis date:

2021-06-07 06:50:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d86a69e0-d4bb-4dd1-837d-85dcd9ba2b22

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/164847/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.ABHY.31107.12762.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/797873

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates an undocumented autostart registry key

Detected Remcos RAT

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/b2d39fb4b40ec022ad70342450d49c41bab141b7c9d519c92b574d3b09eeb0cd/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-06-07 05:42:15 UTC

AV detection:

8 of 47 (17.02%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wljz7nfub3acfllqgqsfbve4ig5lcqnxzhkrtsjlk5gtwcpowdgq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

10c5df44b26355f12a62e1243923e9156150f7c86c0ee0f0b25555fae9fca5bd

RemcosRAT

3ce969a94f4bc8dec526e3551626d7e3639bae986304deba85e8f29f039fe345

RemcosRAT

5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4

RemcosRAT

5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d

RemcosRAT

753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3

RemcosRAT

762d689595557fa3064907433659411b95132e554f7d17fcf62d1a77db51e3e5

RemcosRAT

aad53b1b6e50e7ee426f0790b5497cb7d63704a6775248f258db1263762761bb

RemcosRAT

ac7d008a3ac44bc8dfe3edbbc8542ed5b51bcf911b67eb8e9a715ebb5250ad27

RemcosRAT

ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94

RemcosRAT

+ 1'851 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:host persistence rat

Link:

https://tria.ge/reports/210607-eyez6jn9na/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Modifies WinLogon for persistence

Remcos

Malware Config

C2 Extraction:

mexch.ddnsking.com:2404

Unpacked files

SH256 hash:

62223c126db41ba87370a9ea9cfc9ba7c77ff60f8743cd580b5c323ef7f1c60a

MD5 hash:

a96e9cba046ad469e338477735b86a84

SHA1 hash:

b73aa6597afd63da4ef267d39eac79a055feb8b8

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/f992cc7c-4af9-44eb-882e-e702b9e99d61/

SH256 hash:

aa64457bce3a1c3489b3a78cface63f2c7c33fcd8f6930aa928683e2c7b4caeb

MD5 hash:

cbc24debbbe8e16d7ef5689455af728c

SHA1 hash:

fd744642e5314663d5e8e5b039312367454dfa51

Link:

https://www.unpac.me/results/f992cc7c-4af9-44eb-882e-e702b9e99d61/

SH256 hash:

985530a2b2c58a56fd1cc0c98e4077ea1b903a24d877773da98d845ec5e80417

MD5 hash:

0c9ff6e9ce1d443dcc3cb5025ed41c09

SHA1 hash:

816f27d7527fa4a71b02687dd130301f69f2895f

Link:

https://www.unpac.me/results/f992cc7c-4af9-44eb-882e-e702b9e99d61/

SH256 hash:

b2d39fb4b40ec022ad70342450d49c41bab141b7c9d519c92b574d3b09eeb0cd

MD5 hash:

0024b46b8d737ed8c36f0e73c67ff8c4

SHA1 hash:

993f193852fec50d36bbe500419a2f56ca64a75b

Link:

https://www.unpac.me/results/f992cc7c-4af9-44eb-882e-e702b9e99d61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b2d39fb4b40ec022ad70342450d49c41bab141b7c9d519c92b574d3b09eeb0cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164847/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample