MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb02d2d2301b7b9fb6a36b47f26a0bf46c9a3312cf15593322c93f41ac802ba1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb02d2d2301b7b9fb6a36b47f26a0bf46c9a3312cf15593322c93f41ac802ba1
SHA3-384 hash: 660815e451f7949927007bfa8fbfda60ac81fe8d95ded9bf197b8f5a042564d4753ee797d6de9e09f4de3f662de60f85
SHA1 hash: 7178f07b7eec5db4fe95c8db4c794f2f826bf281
MD5 hash: 0f083554d2182485b54c0d6835344d1d
humanhash: apart-hot-island-diet
File name:0f083554d2182485b54c0d6835344d1d.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:47'160 bytes
First seen:2021-02-01 18:12:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:CqFDxT49mLRcyIa6tNGfUV94A5M5C8FTZ3ETssszenaKPLQiEqHhSczjzna4ky56:dSQNI0TyTsNm/vhRzjzwy0
Threatray 1'493 similar samples on MalwareBazaar
TLSH 472382D016C8999DE27BD33B327251A32F70361272ABC94E941167F6BCA0FD95E63903
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0f083554d2182485b54c0d6835344d1d.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-01 18:14:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32a54455-5300-4ee9-ac60-1b87109d126f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114999/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Creating a file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595723
Signature
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Country aware sample found (crashes after keyboard check)
Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb02d2d2301b7b9fb6a36b47f26a0bf46c9a3312cf15593322c93f41ac802ba1/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 18:13:06 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmbnfurqdn5z7nvdnnd7e2ql6rwjumysz4kvsmzcze7udleafoqq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
01fc5b16efa52a016379ce1a7908c6a71e7acacdabe58430a38ee9133d4e014b
RemcosRAT
157447fce775d3e303f51839e30994daedd62b93460ef617385ef8027585647d
RemcosRAT
1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986
RemcosRAT
2c32a940a48680ede0f03b2de30890a25c983ce91e2b7737d993a5ccb42677ba
RemcosRAT
581bd1167bd9b40944de9a2d8842ed8aa841fdfc69d896c24520873095e0ac03
RemcosRAT
88478956ea6c8ea5423e2c30e23fbbf893f4ebbcaa3718d407ac418bf9964c0e
RemcosRAT
ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
RemcosRAT
dde6436d3e8a969f96e4ccec6904631d562efad960e0e9a6a2a865174750f3d6
RemcosRAT
f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516
RemcosRAT
facb3b1bbd388588efa04a3d0a5ba963af70d863494dd180b876d590f8b1bb51
RemcosRAT
+ 1'483 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210201-4fst8b59ta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
cb02d2d2301b7b9fb6a36b47f26a0bf46c9a3312cf15593322c93f41ac802ba1
MD5 hash:
0f083554d2182485b54c0d6835344d1d
SHA1 hash:
7178f07b7eec5db4fe95c8db4c794f2f826bf281
Link:
https://www.unpac.me/results/ad2ed54b-9629-4382-955e-7c1319f21745/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cb02d2d2301b7b9fb6a36b47f26a0bf46c9a3312cf15593322c93f41ac802ba1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe cb02d2d2301b7b9fb6a36b47f26a0bf46c9a3312cf15593322c93f41ac802ba1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978553/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114999/

Comments