MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26
SHA3-384 hash: d7c24a64500436c8530f7c44042d81118c3b17e53d07370d55400c285ae7ca0d3e5272b27c18a5098e05a3c8a93aeef5
SHA1 hash: e989ee5a5149df2590e569a1e3231daadd8f7b81
MD5 hash: 0bef94ee2711756531916709dde75de8
humanhash: one-delaware-lion-music
File name:0bef94ee2711756531916709dde75de8.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:565'643 bytes
First seen:2020-08-31 12:29:50 UTC
Last seen:2020-08-31 16:35:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f45f0ec77357570575f0585a5c340b0 (4 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:BTv++rfCT2ZzpdNDF3jJaXdg/C7+dJ5/B:BbDCS4XS6KJ5/B
Threatray 359 similar samples on MalwareBazaar
TLSH CEC43B2162E1D732D072EAF88D17A67998E6BE50D9187D81DBE83D089F36FC1341F246
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
protagonist.ac.ug:6969 (185.140.53.205)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53510/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455432
Signature
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Keylogger Generic
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 280091 Sample: hqt3XoCw3A.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 38 fgdjhksdfsdxcbv.ru 2->38 40 protagonist.ac.ug 2->40 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 8 other signatures 2->62 9 hqt3XoCw3A.exe 1 2 2->9         started        13 Rsnenet.exe 2->13         started        16 Rsnenet.exe 2->16         started        signatures3 process4 dnsIp5 48 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49727, 49760 GOOGLEUS United States 9->48 50 doc-00-58-docs.googleusercontent.com 9->50 36 C:\Users\user\AppData\Local\Rsnenet.exe, PE32 9->36 dropped 18 notepad.exe 4 9->18         started        21 ieinstal.exe 1 9->21         started        52 doc-00-58-docs.googleusercontent.com 13->52 64 Multi AV Scanner detection for dropped file 13->64 66 Machine Learning detection for dropped file 13->66 54 doc-00-58-docs.googleusercontent.com 16->54 file6 signatures7 process8 dnsIp9 34 C:\Users\Public34atso.bat, ASCII 18->34 dropped 24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        42 fgdjhksdfsdxcbv.ru 21->42 44 protagonist.ac.ug 185.140.53.205, 49752, 49753, 49754 DAVID_CRAIGGG Sweden 21->44 46 192.168.2.1 unknown unknown 21->46 file10 process11 process12 28 conhost.exe 24->28         started        30 reg.exe 1 1 24->30         started        32 conhost.exe 26->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 12:31:03 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrxfhaae6jzfcrjjditewp4nta2vm3ezkd6nvgqr7qm5id6ujmta._file
Verdict:
malicious
Similar samples:
090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282
RemcosRAT
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RemcosRAT
3c0db9b222c66430abc435ed119d17751f1c7721d9f0a9a6aa7e17c5230eeeb9
RemcosRAT
4d1b436558291aa226a7342db8ff207bce093a7b329e10843101e7bf9974ea49
RemcosRAT
60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
RemcosRAT
6916d0f41d35a9142e598496a1e996616b4fad6d15f0f3da7ec9210b6a124586
RemcosRAT
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
RemcosRAT
8fa8051d68f0b059927318bc2b712fa94f7a2426e0ad00061e3c3dc2206bf955
RemcosRAT
aa2bebb80a2f29bf67f6635053d5283b3279ac9617ae5210479eb3a683d57d2e
RemcosRAT
e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594
RemcosRAT
+ 349 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence
Link:
https://tria.ge/reports/200831-3k385jz8jn/
Behaviour
Modifies registry key
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/446472/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/53510/
  
URLhaus
https://urlhaus.abuse.ch/url/447391/

Comments