MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4487b370ba2645516192a1461cb25ed3d11d02e4d0fdce3025269ca7d63aefa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 3

Intelligence 3 IOCs YARA 4 File information Comments

SHA256 hash:	d4487b370ba2645516192a1461cb25ed3d11d02e4d0fdce3025269ca7d63aefa
SHA3-384 hash:	c6d46273d3ebbdb8c217d0146840df971d812b7b81279a79850b5ad4364db75c4f24e913271faa192a2824b0506439bd
SHA1 hash:	0fdb2de58a170bc2a49a453a72ad60c4267a4681
MD5 hash:	dcbc0a7c81014744ce61712cc9b0fe40
humanhash:	fix-georgia-pip-river
File name:	dzbooster.com_new__lsass.exe.malw
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	230'912 bytes
First seen:	2020-03-27 05:45:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	799a712c5c293210751401978a5ed06a (1 x RemcosRAT)
ssdeep	3072:a0AFrIMuN2MwLdLtoFMUkt23+tYWCaOkKmVsWSEqqpzlByjV1c5jxPjVrA50rYF:a3sptEdLSmUf+jcEq27GexPjVMK0
Threatray	778 similar samples on MalwareBazaar
TLSH	5A34CF223595C037C727103688EBC3F1267ABD94DE25A58B7FC4176D9F363A29A26343
Reporter	ov3rflow1
Tags:	malw RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Gandcrypt-6822502-0

Win.Packed.Gandcrab-6841515-0

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2019-01-27 13:30:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

40 of 47 (85.11%)

Threat level:

5/5

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2b554ef8cede0aaf90b2eba967599dede6795344ae5c7e876e5c3a5776894a16

RemcosRAT

2bce8926e878a8464f8c19ffe1ac202e02331ed4f9983aa0b6e55a24e87da7b6

RemcosRAT

2cabc6f640a674f2b2d3d2aec9a6c159dfde1b6d9c4111532e78b06d89fd8fc6

RemcosRAT

359ac8bb415a9af23c0ff8b6e39a868d32db5ad817cd7e577c85ab665709e634

RemcosRAT

4b5a4437b8b7bab10cfb32c06b5241f92b3a2e2861f56190b8b17a7028ec64c8

RemcosRAT

68d55bb83fc84194699a46de541bb94ff55b7c01aa9816c50bbca8f37930afb8

RemcosRAT

9d389c6cec94ab389a487a450ce3c2773978eda015fcfc09c9bf1d0370b84ff9

RemcosRAT

a93a71cdc90f1ab2f2c80db6f0c55b95f43bad13faff06c89f2c728cab630773

RemcosRAT

cbeec64cdd31f94e46005a27c264248f12a22102d6e8b9f4187e92fedb2db373

RemcosRAT

+ 768 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_remcos_g0 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/174122/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::SetProcessShutdownParameters KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::ReadConsoleOutputA KERNEL32.dll::SetConsoleCtrlHandler

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample