MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b46e6c9e8689b4e186b8c6bebbd4000f874b7f68737b72d7408f0943c77b42b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	b46e6c9e8689b4e186b8c6bebbd4000f874b7f68737b72d7408f0943c77b42b6
SHA3-384 hash:	cc2e8392c4ddfe913114c8b1d0bfc781cfce61d9f862fc684130cd4cdaddefffdda63a53e0de7dcd90f7e9833c935d05
SHA1 hash:	083ce81a9b1f6477c2a18b70505e76947e9e5538
MD5 hash:	df86b2b21f34d6e798d6637dca03ca75
humanhash:	king-chicken-lamp-sodium
File name:	df86b2b21f34d6e798d6637dca03ca75.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	667'648 bytes
First seen:	2021-02-25 11:07:49 UTC
Last seen:	2021-02-25 13:49:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:/Et3LLUEMthvoPTG16KLrdRRwTT8u3J+2+NjFjlyuIZWRo1CrEW:GLCsG16KLxXwn8u3kw1WRRg
Threatray	1'617 similar samples on MalwareBazaar
TLSH	BBE412222771AF15DE7907F613602EA943F5283E4B57D60C5C8AE2EB7043F9A660F907
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

swift_BILLING INVOICE.doc

Verdict:

Malicious activity

Analysis date:

2021-02-25 10:28:35 UTC

Tags:

ole-embedded trojan exploit CVE-2017-11882 rat remcos keylogger

Link:

https://app.any.run/tasks/691117d2-5574-4b29-b49c-55cd75ca70c8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/119213/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.73158.2294.31886.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/618642

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/b46e6c9e8689b4e186b8c6bebbd4000f874b7f68737b72d7408f0943c77b42b6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-25 11:08:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 48 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wrxgzhugrg2odbvyy27lxvaab6duw73ion5xfv2ar4euhr33ik3a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8

RemcosRAT

4b8335250b1cfcb5fac9790261dd43f5efcbc187c68961ee5afd34662d0599ed

RemcosRAT

5872699b0d954f58213188b45927d5ad0708a0e2737abb2971d4ddfda06f4dea

RemcosRAT

5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385

RemcosRAT

61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b

RemcosRAT

82027bdaf86e2d0da1c45ede5efd820a1cbaace1b1b8f7675b8115d82db75f26

RemcosRAT

d34e588c8bef9cef39708c52f7f372bcd4b5fc39e4eaf0b9193aa586a10d7cc2

RemcosRAT

dfd3c33bf7be405cea03a045f3df2d9ff35f04c7da918eb916b6f224a58eea1f

RemcosRAT

e26c95b32b64e3f7b5d72d52be2fd7cb52c7a2c1df25f5337a783a1735f806ad

RemcosRAT

+ 1'607 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210225-1g7jkyearx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

shahzad73.casacam.net:2404
shahzad73.ddns.net:2404

Unpacked files

SH256 hash:

f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671

MD5 hash:

f984a71581f6da5732110be2a569a392

SHA1 hash:

10de05b6b35fc5dbc00c42d59a4b850bcaae01e6

Link:

https://www.unpac.me/results/ae2052cf-4270-44a0-a945-bebd57a48aa1/

SH256 hash:

76790bf29b1aa8bc135587a126541c79823de4bdc1702d9c704c1730debb7cdf

MD5 hash:

a1a0b28c32a855be9f032a370a72d179

SHA1 hash:

39bce1a16498b1d5d2e3f09ed4cd6fe9d248200f

Link:

https://www.unpac.me/results/ae2052cf-4270-44a0-a945-bebd57a48aa1/

SH256 hash:

36722676bc663a54c5565fe81abb42f46768fd17c31aa6e053643b2f63010f2e

MD5 hash:

048f0d312b51598c819bb7e43415c9b6

SHA1 hash:

63332e20ff57856003beccd48c12184b98b8f803

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/ae2052cf-4270-44a0-a945-bebd57a48aa1/

SH256 hash:

b46e6c9e8689b4e186b8c6bebbd4000f874b7f68737b72d7408f0943c77b42b6

MD5 hash:

df86b2b21f34d6e798d6637dca03ca75

SHA1 hash:

083ce81a9b1f6477c2a18b70505e76947e9e5538

Link:

https://www.unpac.me/results/ae2052cf-4270-44a0-a945-bebd57a48aa1/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator