MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006
SHA3-384 hash:	5131953a63a25d35f3fe919f89ef35dc89d807cbe9e2c00b7db0bee088a542980945527e8c4b56d98eaa38acd6ddd8ac
SHA1 hash:	20dfdd65a715575754c903ffcbe871ce82f2736b
MD5 hash:	611eb8ef2416aa09b16bbce28e1ec33a
humanhash:	cup-cup-mango-black
File name:	New REMCOS TES.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	899'584 bytes
First seen:	2020-07-13 14:37:11 UTC
Last seen:	2020-07-14 18:22:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dada6f26441f1a1d2f2cf25a83bd8107 (16 x AgentTesla, 6 x MassLogger, 3 x FormBook)
ssdeep	12288:nPaxsvwR995OWKptn/2hWBCprrQEiMqtYmLHzVT2Mbx8o79o60qAWllFxRIz7QMP:2M092htZ8qtYs5T287WqASEAMMu
Threatray	1'092 similar samples on MalwareBazaar
TLSH	45158D22F2D18432C1722A3C9D1B97646D2AFE007E28AE476BF55C8C5F7978178352E7
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/25437/

Detection(s):

SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Deleting a recently created file

Running batch commands

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Setting a global event handler for the keyboard

Connection attempt to an infection source

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-13 14:36:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ycy3uf4nrbvj24p3p76vwfu36arqehqtyvc6htmncvdbeio5eada._file

Verdict:

malicious

Label(s):

remcos

emotet

hawkeyekeylogger

RemcosRAT

4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

RemcosRAT

53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e

RemcosRAT

7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2

RemcosRAT

83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4

RemcosRAT

9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db

RemcosRAT

a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8

RemcosRAT

c232e05f633d3e2bd0a1486a955d7f72eb9155408a635666306d922b333809b2

RemcosRAT

c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8

RemcosRAT

eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2

RemcosRAT

+ 1'082 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

persistence rat family:remcos

Link:

https://tria.ge/reports/200713-jp48dz38zj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

185.140.53.209:1990

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/412467/

Cape

https://www.capesandbox.com/analysis/25437/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample