MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 10 File information Comments

SHA256 hash:	ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2
SHA3-384 hash:	2c399a844ea4653c22696c03869dd395943ac9ec88ef3e107b16d019f00c7a8e090e854ad0230e7f05874a90ade5da58
SHA1 hash:	b281e7b9efc530d9500bda69bfbfce873e72d7a3
MD5 hash:	b462baa7065d8d16821794a2f179464b
humanhash:	william-apart-lima-vegan
File name:	INQUIRY LIST ITEMS.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'005'568 bytes
First seen:	2021-06-23 13:18:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:rjDrhNzLJiJZyiBUlc2oCfz6quU4XEKnKd0+6Di:rX9NkZy/vo+zbuDXjnKdgD
Threatray	865 similar samples on MalwareBazaar
TLSH	2925F13039EAA029F173AF395EF474D69AAFB7632702D86D2055034F4B23942DE9153E
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

INQUIRY LIST ITEMS.exe

Verdict:

Malicious activity

Analysis date:

2021-06-23 13:21:58 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/468f353c-ec34-4a49-889f-29e177125574

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fdeb39bb-9b06-4ae7-a676-465d1ae39f9d

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/806598

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-06-23 13:17:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 46 (43.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xjaq2gjrc4urkfy4o5u7pggwvkq6vopzepey6f4pmfnnowtfitza._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

149e5cb565e56469e6ff5c929185e203c92be0d8541faf0cf38da0003ae211d3

RemcosRAT

45ce5d0d1198fd183287729fd73b38c417180d9972d95c21dceecdf2990f6b51

RemcosRAT

4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605

RemcosRAT

706a8a414b5cf5b0af00dc98bc373f48b48e07a7770e2270b5cb6f546f482aba

RemcosRAT

99a3a2770ee51389df0ed5f4a4a9788f98d92229a41f563279e181b41c528326

RemcosRAT

b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e

RemcosRAT

b4d78c02fa2b8e9ef61a925c1fac4750d4a7d17030ae548833f7cfb5d9d67ed3

RemcosRAT

c2f19d09b75e7e3a3fc37523b1b65b63850819c18882947359eacd8ef9c833f3

RemcosRAT

dbdffd74b6ea1de962cb1e64468cbc4cac545311c1bc3eddfed142fb57125002

RemcosRAT

+ 855 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:kash rat

Link:

https://tria.ge/reports/210623-r5edx1wrr2/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

kashbilly.ddns.net:5050

Unpacked files

SH256 hash:

4e458277d95c2ccd7c83e37a26fa9b9bed2fa5594d532d2fb3dd02721d91e9f8

MD5 hash:

9ecbc5d52d2187422253dd5736f801f2

SHA1 hash:

7b61705965e379d20d35a1e5fa4dcbcd65be5890

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/57eeba09-488f-44d9-9caf-742d86009cd0/

SH256 hash:

18a01cfee65098b0cdc7b92f49c87446aca438513dc1e83e3572ed690dbe9dac

MD5 hash:

93a1da3ed01bfa2ef4808d086a4d47a2

SHA1 hash:

35baa372c64d6f903ffeb77566d2db3bd43510bb

Link:

https://www.unpac.me/results/57eeba09-488f-44d9-9caf-742d86009cd0/

SH256 hash:

fb7d89112e862fb66eeab49158de207e5d98e0f1c63f3a984dee6a98d6064ddf

MD5 hash:

950be15109fa1d27e41966cb8deb20f9

SHA1 hash:

2fe1c24bbe99cf074f4ebabd319dcfc4a4da45cf

Link:

https://www.unpac.me/results/57eeba09-488f-44d9-9caf-742d86009cd0/

SH256 hash:

ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2

MD5 hash:

b462baa7065d8d16821794a2f179464b

SHA1 hash:

b281e7b9efc530d9500bda69bfbfce873e72d7a3

Link:

https://www.unpac.me/results/57eeba09-488f-44d9-9caf-742d86009cd0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	pe_imphash Create hunting rule

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample