MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca6d1749f9645475aa7ab0ca268e31ba00817a8c70467c4d6d88bb2ca54d596d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: ca6d1749f9645475aa7ab0ca268e31ba00817a8c70467c4d6d88bb2ca54d596d
SHA3-384 hash: eb48154289efad999ed00246ef6525eb116c1677247aa2bbedeeed25b40f68f727997412c8e8e7ed8a9eec2a65af7c21
SHA1 hash: e2531f4fac0b8fcfdf87ab86b5d73a18229416c2
MD5 hash: a6be592fb62d3e95befa3d40fe603f10
humanhash: finch-michigan-kentucky-pennsylvania
File name: ca6d1749f9645475aa7ab0ca268e31ba00817a8c70467c4d6d88bb2ca54d596d
Signature: RemcosRAT
File size: 343'040 bytes
First seen: 2020-06-29 07:27:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:k6RLqSY6oAlR1OqkhT4NTdseAeFfVxjvZwTfD9gTG9HO5pKpA+Nr:k6RL8gP1OFhsjs+Ff3jvGThgTaHO5B2
TLSH: BC749DC6B644A917CD5E42FA4032D87053323D79A5B2E6892CCA7CEF3AF73D21596807
Reporter: @JAMESWT_MHT
Tags: RemcosRAT

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 22
Origin country: IT
Mail intelligence: No data
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2020-06-25 05:46:00 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5
Result
Malware family: remcos
Score: 10/10
Tags: rat family:remcos
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
Extraction: youngboss1994.ddns.net:1965

Yara Signatures


Rule name: ach_RemcosRAT
Author: abuse.ch
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_remcos_g0
Author: Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments