MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4
SHA3-384 hash: f5104dadd4be4c63fa722cfb7f47ca922596517af6fbc73384b7c36dabff34c8375e710dedaaa02a1de04f77f6c540b5
SHA1 hash: 1ca7671ca2093e3af9b703269df50a3c43da441a
MD5 hash: ccb6a7ffff679c91ef03ab70e74047f8
humanhash: salami-beryllium-maryland-cardinal
File name:New Inquiry.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:44'016 bytes
First seen:2020-09-28 08:18:13 UTC
Last seen:2020-09-28 09:07:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:aITTMeo7eIk56puXybybyVqdNNVRpOUf2h:amMlk53xOUf
Threatray 7 similar samples on MalwareBazaar
TLSH 9213344DAA59CC26DA38393CDE818A760FF16057BD35D7746CCB34CE89627850EA3A31
Reporter FORMALITYDE
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66366/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.55610.28736.3454.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Setting a global event handler for the keyboard
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/476263
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Country aware sample found (crashes after keyboard check)
Detected Remcos RAT
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-27 09:48:30 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhuzauth7ymnymwmkcobh6a72ndnga4nf46oi2ocao44p6syzh2a._file
Verdict:
unknown
Similar samples:
0e128c983b60048ebbd6cd52281431f2658fdf9ed7e79f9976a3ad882c822da7
RemcosRAT
1f2a1d2ae2401bab5c2d7c3d6062ddc4af9517e0f99bf89e6b6cd02a70bcd0e2
RemcosRAT
9b876e4ddeaf0d950860db4942d9be1507453ba1065a03672de41dfb287b2511
RemcosRAT
cb6c181823fd61558c1e6cefa9f1634d1676984316caa071c24268df493d3629
RemcosRAT
dedcfc0bf2fb123fe562afad7a21ba25ee9abebd7e68b3734d6593b1bdbeaa1d
RemcosRAT
e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029
RemcosRAT
ed7c4062eb467dd8fa195a179d6c151700d4f90ea326c66a4a2411ea9ddd2e7f
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/200928-bwawnestnj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
servr.jordangaming1.xyz:1977
Unpacked files
SH256 hash:
c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4
MD5 hash:
ccb6a7ffff679c91ef03ab70e74047f8
SHA1 hash:
1ca7671ca2093e3af9b703269df50a3c43da441a
Link:
https://www.unpac.me/results/857c131e-0cf5-489c-97c7-4105f587152c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe c9e9905267fe18dc32cc509c13f81fd346d3038d2f3ce469c203b9c7fa58c9f4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/66366/

Comments