MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd35cae0b96e7e0e19d837c418128aa3336fb5e714bc04fb2c1d90c46a7a2124. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd35cae0b96e7e0e19d837c418128aa3336fb5e714bc04fb2c1d90c46a7a2124
SHA3-384 hash: 2296730f59790d3eb61f33af99a73987a17424726cfacb9ebe68e49b35b307ea952d427674564caa94c372d5d8af7ce3
SHA1 hash: b8adf28da2c33f19b09ca03463d9707aff15e362
MD5 hash: 4ccbe3a8fa850367d5efde685a350d80
humanhash: lake-bakerloo-happy-kentucky
File name:4ccbe3a8fa850367d5efde685a350d80
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'075'200 bytes
First seen:2021-06-18 07:39:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 44ae77ffd352712ced0978b5ee3ef88c (2 x RemcosRAT, 1 x Formbook)
ssdeep 24576:mt+Le+UAcIAJScTn9t884Wz7vxLdkHq/XQBy:mt+rOTn7R6
Threatray 230 similar samples on MalwareBazaar
TLSH 8C357C2DB28154B3C93316BD6D0AB39865BE3E51769C9C8A37B439057F783843D390AB
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ccbe3a8fa850367d5efde685a350d80
Verdict:
Malicious activity
Analysis date:
2021-06-18 07:43:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b45c2e3c-5273-421c-8bd3-b5e8a2cc881e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166788/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader39.48961.6160.20467.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3940b0ee-a1ba-414e-9066-5c398f1b2064
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/804194
Signature
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd35cae0b96e7e0e19d837c418128aa3336fb5e714bc04fb2c1d90c46a7a2124/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 07:40:23 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zu24vyfznz7a4goyg7cbqeukumzw7nphcs6aj6zmdwimi2t2eesa._file
Verdict:
malicious
Similar samples:
0da92ee5ab7eeb708288a5738697bf61857dfdc9ab3115dbb9e94392ea786696
RemcosRAT
36f34d118ee0769d818d0cdb9b7562262e23233f97fd78c9280e8d5a7c390636
RemcosRAT
3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
RemcosRAT
72a21c420bc7b744d977b3b0d68f486257784cac7a44c9b29602b0d23fe0e744
RemcosRAT
79e4617ae582f1bb2d40997fc5acad76293cc91dfeacbf23145052b4a8487d26
RemcosRAT
8fb001ff8eff89d8c472579c21683a55aff13ff9599bef6a3e5571b2c919691b
RemcosRAT
b9cf4ce7fc7e9291433169038a63f0f4e3d36fb1826cda150ea52b2257ac7c12
RemcosRAT
dc2e0df15f7f02466eb06fd8691336a2b9e958fa0c2cd2a129d47a9231b0ca03
RemcosRAT
dce7bd6ffb24e1022633df291493bc759eda61266bc34c9753ab7912c31b7e96
RemcosRAT
e07f10ac73d25b9b70a35c53eaf8a976f0edc117b40cd6a582dbd08ef55bdab5
RemcosRAT
+ 220 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:derrick persistence rat
Link:
https://tria.ge/reports/210618-2y5rf22bcs/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
top.killedifabused1.xyz:12489
Unpacked files
SH256 hash:
5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32
MD5 hash:
3e9b080fb62948db627a904b7af653ea
SHA1 hash:
93a66126bdeb846724b41d44c6a7cac15c5ed636
Link:
https://www.unpac.me/results/4d078bca-4715-422d-8c1e-11f7a8247c44/
SH256 hash:
cd35cae0b96e7e0e19d837c418128aa3336fb5e714bc04fb2c1d90c46a7a2124
MD5 hash:
4ccbe3a8fa850367d5efde685a350d80
SHA1 hash:
b8adf28da2c33f19b09ca03463d9707aff15e362
Link:
https://www.unpac.me/results/4d078bca-4715-422d-8c1e-11f7a8247c44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd35cae0b96e7e0e19d837c418128aa3336fb5e714bc04fb2c1d90c46a7a2124

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe cd35cae0b96e7e0e19d837c418128aa3336fb5e714bc04fb2c1d90c46a7a2124

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1375300/
Cape
Cape
https://www.capesandbox.com/analysis/166788/

Comments