MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d661d0e5f0c691ce7a9602857de9d47e75802967d4375d6e9e01c0d7178b7f7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 3
| SHA256 hash: | d661d0e5f0c691ce7a9602857de9d47e75802967d4375d6e9e01c0d7178b7f7f |
|---|---|
| SHA3-384 hash: | 61ac0adf3e6dc0cee1ae0afd7a4d412698c06e5c1be8c39f016c7d6c9e3d4b1709a1e4db786972f4199a3767d56862b0 |
| SHA1 hash: | 1b10608a4667263abc19d5dcda9ce4f0ff6fed04 |
| MD5 hash: | 66df0c33ed280cd37fec690523328dd6 |
| humanhash: | venus-golf-johnny-berlin |
| File name: | d661d0e5f0c691ce7a9602857de9d47e75802967d4375d6e9e01c0d7178b7f7f |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 923'138 bytes |
| First seen: | 2020-04-22 16:43:01 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | b3c9e045d417df46fe280c152c347ff2 (2 x RemcosRAT) |
| ssdeep: | 12288:VUlsfhvpESpJSvqhk5QGCpglwBkVvflNHqp+2vSb:VNZZJSChk5rYkxUs |
| Threatray: | 788 similar samples on MalwareBazaar |
| TLSH: | 33156C67B39584F3C0625A78CC1797A4AC27BF113D3498867FE13F5E6E7A2813826193 |
| Reporter | |
| Tags: | COVID-19 RemcosRAT scr |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 94 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Threat name: | Win32.Trojan.Remcos |
|---|---|
| Status: | Malicious |
| First seen: | 2020-04-22 00:57:09 UTC |
| File Type: | PE (Exe) |
| Extracted files: | 82 |
| AV detection: | 27 of 31 (87.10%) |
| Threat level: | 5/5 |
| Verdict: | malicious |
| Label(s): | remcos |
| Similar samples: | + 778 additional samples on MalwareBazaar |
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Delivery method: | Malspam (distributed via e-mail attachment) |
|---|---|
BLint
The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
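The three findings above come straight from the PE optional header: CHECK_NX and CHECK_PIE correspond to the NX_COMPAT and DYNAMIC_BASE bits of DllCharacteristics, and CHECK_AUTHENTICODE to an empty security data directory. The following is an added example, not BLint's own code, that reads those fields from a raw image and emits the same finding IDs; `build_minimal_pe()` fabricates a header-only PE (assumed, constructed input) so the checks can be exercised offline without downloading the sample.

```python
"""Re-implement the three BLint header checks on a raw PE image.

Added example, not BLint's code: it reads the DllCharacteristics flags and
the security data directory straight from the optional header.
build_minimal_pe() fabricates a header-only PE so the checks run offline.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (winnt.h)
DYNAMIC_BASE = 0x0040     # ASLR-relocatable image; BLint's CHECK_PIE
NX_COMPAT = 0x0100        # DEP/NX compatible; BLint's CHECK_NX
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR, only meaningful for PE32+
SECURITY_DIR = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob


def pe_hardening(data: bytes) -> dict:
    """Return NX / PIE / Authenticode status plus BLint-style findings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, rva_count_off, dir_base = "PE32", 92, 96
    elif magic == 0x20B:
        fmt, rva_count_off, dir_base = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # offset 70 in both formats
    n_dirs = struct.unpack_from("<I", data, opt + rva_count_off)[0]
    sec_off = sec_size = 0
    if n_dirs > SECURITY_DIR:
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dir_base + 8 * SECURITY_DIR)

    result = {
        "format": fmt,
        "nx": bool(dll_chars & NX_COMPAT),
        "pie": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        # A populated security directory only proves a WIN_CERTIFICATE blob is
        # attached; validating the chain needs WinVerifyTrust or osslsigncode.
        "authenticode": sec_off != 0 and sec_size != 0,
    }
    findings = []
    if not result["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not result["nx"]:
        findings.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    if not result["pie"]:
        findings.append(("CHECK_PIE", "Missing Position-Independent Executable (PIE) Protection", "high"))
    result["findings"] = findings
    return result


def build_minimal_pe(dll_characteristics: int, signed: bool = False, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image (no sections) for exercising the checks."""
    opt_size = 240 if pe32plus else 224           # 96/112 fixed bytes + 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    rva_count_off, dir_base = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, rva_count_off, 16)
    if signed:
        # Fake file offset/size of a WIN_CERTIFICATE entry, enough to flip the check.
        struct.pack_into("<II", opt, dir_base + 8 * SECURITY_DIR, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for fid, title, sev in pe_hardening(build_minimal_pe(0))["findings"]:
        print(f"{fid} | {title} | {sev}")
    print(pe_hardening(build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA,
                                        signed=True, pe32plus=True)))
```

The unsigned, flag-less image reproduces exactly the three rows in the table; on a real file, pass `open(path, "rb").read()` to `pe_hardening()`. Note that the authenticode check is only a presence test, which is all BLint's finding asserts as well.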
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle kernel32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA |
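The capability rows above are derived from the import table, and the imphash recorded near the top of this entry ("2 x RemcosRAT") is derived from the same table. The block below is an added example, not MalwareBazaar's or pefile's code, of the published imphash recipe that pefile's `get_imphash()` implements: for each imported function, in import-table order, form `dll.function` with the DLL name lowercased and a `.dll`/`.ocx`/`.sys` extension dropped, join the entries with commas and MD5 the result. `PAGE_IMPORTS` is constructed from the review table; it is partial and not in the binary's import order, so its digest is not expected to equal the sample's imphash.

```python
"""Compute a PE import hash (imphash) from an import list.

Added example, not MalwareBazaar's or pefile's code. It follows the imphash
recipe that pefile.PE.get_imphash() implements; the sample import list is
constructed from the BLint review table and is partial and unordered.
"""
import hashlib
from typing import Iterable, List, Tuple

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash_preimage(imports: Iterable[Tuple[str, str]]) -> str:
    """Build the comma-joined 'dll.func' string that imphash digests."""
    parts: List[str] = []
    for dll, func in imports:
        lib = dll.lower()
        stem, sep, ext = lib.rpartition(".")
        if sep and ext in STRIPPED_EXTENSIONS:   # kernel32.dll -> kernel32; foo.exe kept whole
            lib = stem
        # Ordinal-only imports would need a per-DLL ordinal->name table here
        # (pefile ships one for ws2_32 and oleaut32); names are assumed resolved.
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """MD5 of the preimage, as a 32-character lowercase hex string."""
    return hashlib.md5(imphash_preimage(imports).encode("ascii")).hexdigest()


# Constructed from the review table on this page, not the full ordered import table.
PAGE_IMPORTS = [
    ("ole32.dll", "CoCreateInstance"), ("ole32.dll", "CreateStreamOnHGlobal"),
    ("kernel32.dll", "CloseHandle"), ("kernel32.dll", "CreateThread"),
    ("kernel32.dll", "LoadLibraryExA"), ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetSystemInfo"), ("kernel32.dll", "GetStartupInfoA"),
    ("kernel32.dll", "GetDiskFreeSpaceA"), ("kernel32.dll", "GetCommandLineA"),
    ("kernel32.dll", "CreateFileA"), ("kernel32.dll", "FindFirstFileA"),
    ("version.dll", "GetFileVersionInfoSizeA"), ("version.dll", "GetFileVersionInfoA"),
    ("advapi32.dll", "RegOpenKeyExA"), ("advapi32.dll", "RegQueryValueExA"),
    ("user32.dll", "ActivateKeyboardLayout"), ("user32.dll", "CreateMenu"),
    ("user32.dll", "FindWindowA"), ("user32.dll", "PeekMessageA"),
    ("user32.dll", "CreateWindowExA"),
]

if __name__ == "__main__":
    print(imphash_preimage(PAGE_IMPORTS))
    print(imphash(PAGE_IMPORTS))
```

Because the digest covers the order of entries, two builds of the same source with the same linker settings share an imphash while a repacked or differently linked build does not; that is what makes the "2 x RemcosRAT" pivot useful and also why packers defeat it. To compute the value for a downloaded sample, `pefile.PE(path).get_imphash()` gives the reference result to compare against.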
Comments
Malicious Windows PE32 Executable - Dropper for Remcos