MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ed4917512a2d3ec0290fb2dab92dfabd7e5e898f0deea9738dac05bb153d35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6ed4917512a2d3ec0290fb2dab92dfabd7e5e898f0deea9738dac05bb153d35
SHA3-384 hash: db0398a38b179d3c53c153b8c0bd8f4caf56fc1638439cd3539f846e2b9588caad98712aa7eb0612e9f401c0b4b3c6f9
SHA1 hash: 5462c7c40ee3908b477ffacb2fffb583f9ceeffb
MD5 hash: d810b845d25a6b6486b56f6ba46e8e33
humanhash: butter-timing-speaker-washington
File name:Urgent RFQAP65425652032421,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:864'768 bytes
First seen:2021-09-27 14:07:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6da2e3f69203d2c4b15426c5555b3c99 (2 x RemcosRAT, 1 x NetWire, 1 x BitRAT)
ssdeep 12288:FJ07BGWcovyyY29t38Nhrsf2xSKc+FQnuUOpukpxkMCbZL:DyVcovY29tsPrsuzc+FQuUAukpxkJ
Threatray 12 similar samples on MalwareBazaar
TLSH T1A6057D9D6216493AE233193AFE4E4798686EBD017A70FD010770DDC75D62D8038EA6FB
dhash icon ba7a6a6afa9a9ae4 (2 x RemcosRAT, 1 x NetWire, 1 x BitRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
185.140.53.130:6642

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.130:6642 https://threatfox.abuse.ch/ioc/227067/

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Urgent RFQAP65425652032421,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-27 14:08:36 UTC
Tags:
installer
Link:
https://app.any.run/tasks/07141c14-56cf-4780-99f2-0936152e1265

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192143/
Detection(s):
SecuriteInfo.com.Trojan0052d4b21.26004.26896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c58e0153-1bbe-43dd-a432-9c59c7b7812b
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/859201
Signature
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6ed4917512a2d3ec0290fb2dab92dfabd7e5e898f0deea9738dac05bb153d35/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 22:38:11 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3wusf2rfiwt5qbjb6znvojn7k6x4xujr4g65kltrwwaloyvhu2q._file
Verdict:
malicious
Similar samples:
0d903cb51d86a47ea9baa01286e9a7d0c325f6412bc0e5cd48a4ba95c84e6d49
RemcosRAT
11574e6b8024699ebcbd840e3dbf4adf4b93f0c5a3c120dca1bdbb29362e78af
RemcosRAT
30ae97a96ff5a50bbbc7af4239ed02c07a9fb2737edd2b121c255903d855c4ff
RemcosRAT
37d995fa34e22498b1823b9b98edb207014357a673f21b560be3f2b65cb8ef10
RemcosRAT
4f5b62c0c6d23e944096823822e7752bc4d1601607d248384346e301e92ea9c1
RemcosRAT
5cfeb31e244749101b15620775505444327ee862cdec4a3e04f6af994a8e32f4
RemcosRAT
8143a5d0347139eadfdd5d38ceaf661057603f9245c70116f31b85fb07de02aa
RemcosRAT
99432ae8c9bf8a480490367ca761f906387ac9de5f4627d2967b0ce324d871fb
RemcosRAT
db351de507bfb075469e69ffe4859653ca3b3d0729c0236a5d3f8fd935e01cde
RemcosRAT
f4f27e005b5381e5d1eb3d1d95cd4ae5c963c7601934254ebe266f08cfaf78d2
RemcosRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210927-re2c1ahbgk/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df
MD5 hash:
b7816cb3535b2f2675804d3052295003
SHA1 hash:
db4588853aa1ec16b1f2d29b1e873a653a1ecb13
Link:
https://www.unpac.me/results/4e14eacf-2af6-4e67-ab34-b94dda77e95f/
SH256 hash:
c6ed4917512a2d3ec0290fb2dab92dfabd7e5e898f0deea9738dac05bb153d35
MD5 hash:
d810b845d25a6b6486b56f6ba46e8e33
SHA1 hash:
5462c7c40ee3908b477ffacb2fffb583f9ceeffb
Link:
https://www.unpac.me/results/4e14eacf-2af6-4e67-ab34-b94dda77e95f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/c6ed4917512a2d3ec0290fb2dab92dfabd7e5e898f0deea9738dac05bb153d35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192143/

Comments