MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 14
| SHA256 hash: | b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876 |
|---|---|
| SHA3-384 hash: | ac77f0406e864a4123968685815753105ea1cfa7f7354a64d4e9d1ee5a8f19b2540ee561e34be9c24ec9456aca1dd889 |
| SHA1 hash: | 35f739ad7246794d85487c425a299a765b18bff6 |
| MD5 hash: | f9f7b73497e53dab0f0da51e6ea7ad47 |
| humanhash: | don-magnesium-sodium-beer |
| File name: | MBL+BL INVOICE SHIPPING DOCS2.exe |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 777'216 bytes |
| First seen: | 2021-10-20 02:30:30 UTC |
| Last seen: | 2021-10-20 11:08:31 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:kz1plvpa7NwiVrX9ULtFPEEWck6rCkM7srAJlhWrC5Oe8IhtMxBKURtV2br4ESZB:kz1Xpa7NwiVrXOtFPFWckUHAJl4rMkIY |
| Threatray | 783 similar samples on MalwareBazaar |
| TLSH | T152F4CFAD3650B6DFC82BCD76D9641C60EA6174AB430BE207A05716EDEE0D99BCF110F2 |
| Reporter |  GovCERT_CH |
| Tags: | exe RemcosRAT |
Intelligence
File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
Remcos
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Detection:
remcos
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Status:
Malicious
First seen:
2021-10-20 01:23:10 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 773 additional samples on MalwareBazaar
Result
Malware family:
remcos
Score:
10/10
Tags:
family:remcos botnet:remotehost evasion rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Remcos
Malware Config
C2 Extraction:
172.94.88.26:3033
Unpacked files
SH256 hash:
6bcd9b913e1a396ee746851878c4ec71ee3b431f5fa294ed9e0c96e4a7c44bba
MD5 hash:
fcecd58404e8c4298653932248ab4b15
SHA1 hash:
b87163439c6887d6ca8273a5af92b699a089f99a
SH256 hash:
28ff4191d59a8241ab055c66ea6dbbf0f0f0a89fd73958acb02e28a1e6db8e4f
MD5 hash:
1d72140911c7e741a623cb3f6cd03e6d
SHA1 hash:
90fd6e13d05ee54cf76ffeea9be939d903fafc85
Detections:
win_remcos_g0
SH256 hash:
7b4ba24781e21b310e2749bc2f7a80b9670a4198a54d26e42079a6a1c1be6ae7
MD5 hash:
7b77d210bf6b00fd8ee8187198852052
SHA1 hash:
7f78d6294a269349fc9a49ad3c8ccb3c3d2665b4
SH256 hash:
b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876
MD5 hash:
f9f7b73497e53dab0f0da51e6ea7ad47
SHA1 hash:
35f739ad7246794d85487c425a299a765b18bff6
Malware family:
Remcos
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_RemcosRAT |
|---|---|
| Author: | abuse.ch |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer |
|---|---|
| Author: | ditekSHen |
| Description: | detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
| Rule name: | pe_imphash |
|---|
| Rule name: | pe_imphash |
|---|
| Rule name: | Remcos |
|---|---|
| Author: | kevoreilly |
| Description: | Remcos Payload |
| Rule name: | remcos_rat |
|---|---|
| Author: | jeFF0Falltrades |
| Rule name: | REMCOS_RAT_variants |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.