MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
SHA3-384 hash: 07507ca709c01cea9fd1b3eee30266d47236d60cc0974137d75004eb83746c2f12424bdc58796be28c7055177973719f
SHA1 hash: 8988e593978d2698c715cb99576c50fda14a2f8f
MD5 hash: 98c0e98f67c2d48305bedad1b4664df4
humanhash: robin-cold-alpha-sixteen
File name: SLAX3807432211884DL772508146394DO.exe
Signature: RemcosRAT
File size: 1'000'408 bytes
First seen: 2021-02-19 07:08:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: df0d362df6a4fc505777ae182bd2795b (5 x RemcosRAT)
ssdeep: 12288:Rt1rtR29DwSwNy6ZgFwg0jPacng2WnAH+QIMYUCoDaMycZ+rfF8hWf:RnxhSwNy6eFGC+jv+QIPUtDocoJf
Threatray: 79 similar samples on MalwareBazaar
TLSH: 682581F2990A4B20F05B273CE48AE63416E5B8BD3D18476ACED47B469B5F7183C9107B
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: mail81.arn-jil.com
Sending IP: 185.189.151.50
From: Nolian Siria <operations@arn-jil.com>
Subject: Incoming shipment via Fedex #934859980854
Attachment: SLAX3807432211884DL772508146394DO.gz (contains "SLAX3807432211884DL772508146394DO.exe")

RemcosRAT C2:
salonirang.duckdns.org
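
The delivery pattern in the reporter's note (a .gz attachment that wraps a single .exe) is something a mail gateway can catch before the sample ever reaches a sandbox. The script below is an added example, not code from MalwareBazaar or abuse.ch: it reads the gzip header's FNAME field (RFC 1952), inflates the member with a size cap, and checks for an MZ/PE header regardless of the declared name. The gzip bytes and the minimal "PE" payload it operates on are constructed in the block; only the attachment file name is taken from the note above.

```python
"""Inspect a gzip e-mail attachment for an embedded Windows executable.

Added example, not part of the MalwareBazaar page or abuse.ch tooling.
All input data is constructed below; only ATTACHMENT_NAME comes from the page.
"""
import gzip
import io
import struct

# Extensions that should never arrive inside a "shipping document" archive.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".dll")
# Cap on inflated bytes we are willing to look at (guards against gzip bombs).
MAX_INFLATE = 8 * 1024 * 1024


def gzip_member_name(data: bytes):
    """Return the FNAME field from a gzip header, or None (RFC 1952 layout)."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        return None
    flg = data[3]
    pos = 10
    if flg & 0x04:  # FEXTRA: 2-byte little-endian length followed by payload
        if len(data) < pos + 2:
            return None
        xlen = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + xlen
    if not flg & 0x08:  # FNAME bit not set
        return None
    end = data.find(b"\x00", pos)
    if end == -1:
        return None
    return data[pos:end].decode("latin-1")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_gzip_attachment(data: bytes) -> dict:
    """Classify a gzip attachment by declared name and by content, without executing it."""
    name = gzip_member_name(data)
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            payload = gz.read(MAX_INFLATE + 1)
    except (OSError, EOFError):  # BadGzipFile is an OSError subclass
        payload = b""
    truncated = len(payload) > MAX_INFLATE
    payload = payload[:MAX_INFLATE]
    bad_ext = bool(name) and name.lower().endswith(EXEC_EXTENSIONS)
    is_pe = looks_like_pe(payload)
    return {
        "declared_name": name,
        "exec_extension": bad_ext,
        "is_pe": is_pe,
        "inflated_truncated": truncated,
        "verdict": "block" if (bad_ext or is_pe) else "allow",
    }


def build_constructed_attachment(inner_name: str, payload: bytes) -> bytes:
    """Constructed test data: a gzip member carrying FNAME like the malspam attachment."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


# Constructed stand-in for a PE (not the real sample): MZ stub, e_lfanew = 0x40,
# "PE\0\0" at offset 0x40, then padding.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 64
ATTACHMENT_NAME = "SLAX3807432211884DL772508146394DO.exe"  # from the reporter's note


if __name__ == "__main__":
    sample = build_constructed_attachment(ATTACHMENT_NAME, FAKE_PE)
    print(inspect_gzip_attachment(sample))
```

Checking the content as well as the declared name matters: renaming the member to `shipment.pdf` defeats the extension test but not the MZ/PE check, and the inflate cap keeps a crafted archive from exhausting the scanner.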

Intelligence


File Origin
# of uploads: 1
# of downloads: 106
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Threat name: Win32.Infostealer.BestaFera
Status: Malicious
First seen: 2021-02-18 21:29:04 UTC
AV detection: 18 of 47 (38.30%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:remcos persistence rat
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction: salonirang.duckdns.org:54603
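
Together, the extracted C2 (host and port), the "Uses dynamic DNS services" indicator and the file hashes give a SOC enough to hunt in DNS and connection telemetry. The script below is an added example, not MalwareBazaar or sandbox-vendor code: it takes the IOCs from this entry, correlates DNS answers for the C2 name with later connections to the resolved address on the C2 port, flags other duckdns.org lookups as a lower-confidence signal, and checks a file's digests against the hashes above. The log layout (tab-separated fields), the log lines and the resolved IP addresses are constructed for the example and are not from any real network.

```python
"""Hunt for this entry's RemcosRAT IOCs in DNS and connection logs.

Added example, not part of MalwareBazaar or the vendor sandboxes quoted on the page.
IOC values come from this entry; log format, log lines and IPs are constructed.
"""
import hashlib
from collections import defaultdict

# IOCs taken from this MalwareBazaar entry.
C2_HOST = "salonirang.duckdns.org"
C2_PORT = 54603
SAMPLE_HASHES = {
    "sha256": "b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733",
    "sha1": "8988e593978d2698c715cb99576c50fda14a2f8f",
    "md5": "98c0e98f67c2d48305bedad1b4664df4",
}
# Broader hunt derived from the "Uses dynamic DNS services" indicator.
DYNDNS_SUFFIXES = (".duckdns.org",)


def file_hashes(data: bytes) -> dict:
    """Digests in the three algorithms the entry lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True if any digest of data equals the corresponding hash from this entry."""
    return any(v == SAMPLE_HASHES[k] for k, v in file_hashes(data).items())


def parse_dns(lines):
    """Constructed layout: ts<TAB>src<TAB>query<TAB>answer ('-' when no answer)."""
    for line in lines:
        ts, src, query, answer = line.rstrip("\n").split("\t")
        yield {"ts": ts, "src": src, "query": query.lower().rstrip("."), "answer": answer}


def parse_conn(lines):
    """Constructed layout: ts<TAB>src<TAB>dst<TAB>dport<TAB>proto."""
    for line in lines:
        ts, src, dst, dport, proto = line.rstrip("\n").split("\t")
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def hunt(dns_lines, conn_lines):
    """Return (kind, src, detail, confidence) tuples.

    Exact C2 lookups are high confidence; a connection to an address the C2
    name resolved to, on the C2 port, is high confidence; any other dynamic
    DNS lookup is a low-confidence lead worth triage rather than an alert.
    """
    hits = []
    resolved = defaultdict(set)  # answer IP -> names that resolved to it
    for rec in parse_dns(dns_lines):
        q = rec["query"]
        if q == C2_HOST:
            hits.append(("c2_dns", rec["src"], q, "high"))
            if rec["answer"] != "-":
                resolved[rec["answer"]].add(q)
        elif q.endswith(DYNDNS_SUFFIXES):
            hits.append(("dyndns_lookup", rec["src"], q, "low"))
    for rec in parse_conn(conn_lines):
        if rec["dst"] in resolved and rec["dport"] == C2_PORT:
            hits.append(("c2_connection", rec["src"], f"{rec['dst']}:{rec['dport']}", "high"))
    return hits


# Constructed log lines (documentation-range IPs, not observed traffic).
DNS_LOG = [
    "1613718000\t10.0.0.21\tsalonirang.duckdns.org\t198.51.100.7",
    "1613718001\t10.0.0.21\tupdates.example.com\t203.0.113.9",
    "1613718050\t10.0.0.33\tanotherhost.duckdns.org\t-",
]
CONN_LOG = [
    "1613718002\t10.0.0.21\t198.51.100.7\t54603\ttcp",
    "1613718003\t10.0.0.21\t203.0.113.9\t443\ttcp",
    "1613718060\t10.0.0.33\t198.51.100.7\t443\ttcp",
]


if __name__ == "__main__":
    for hit in hunt(DNS_LOG, CONN_LOG):
        print(hit)
    print("constructed bytes match sample:", matches_known_sample(b"not the sample"))
```

The port filter on the connection check is deliberate: the duckdns name can be re-pointed at any address, so the resolved IP alone is weak evidence, but a connection to that address on the port from the extracted configuration is a much stronger match. Hash matching is useful only for this exact file; the three unpacked-file hashes below would need to be added to SAMPLE_HASHES to cover the stages the sandbox extracted.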
Unpacked files
SHA256 hash: 391c2ac01bb4043074b99c538316b0fcb285dcc5308bda12a1c7a8a7c7d6860b
MD5 hash: 26d99a8e97cd080f9919491be6fab7ed
SHA1 hash: e49027f7da2f6543b30ceba76bdac9fe31919c9b
SHA256 hash: 742d9dde82f369f53ebd096e97446b429793401ab681f63e6b24b87ebc1bbc06
MD5 hash: 6a9a262f0ad021baff8e22a6dd4a53ae
SHA1 hash: 160189d345c18854b631a20011103edd2fdd136f
SHA256 hash: b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733
MD5 hash: 98c0e98f67c2d48305bedad1b4664df4
SHA1 hash: 8988e593978d2698c715cb99576c50fda14a2f8f

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT, Executable exe b6e24ae319f72f87dbf9d5e6fc2394737b938f7eb391a39c5043114458f31733 (this sample)
Delivery method: Distributed via e-mail attachment
