MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 10 File information Comments

SHA256 hash:	d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b
SHA3-384 hash:	ae4a89d0fb65732c3c80a036ef35409f21f5b1cc319d0a7847c5e88ff4481787dcf83d8785e73eac25a0ff919b8bfb28
SHA1 hash:	0019eab67d15bf22a9e90345bf7281b4f0c11d5f
MD5 hash:	cb3b77181a200f9b066fd29e4431ad0f
humanhash:	saturn-paris-freddie-potato
File name:	TT SWIFT COPY.scr
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	139'264 bytes
First seen:	2021-01-27 15:46:55 UTC
Last seen:	2021-01-27 19:45:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	20fa7021831ab23270faf65321b1b2e3 (1 x RemcosRAT)
ssdeep	1536:nz2K0+KowzEQVKnQrIskYv67Z6ojCaXDdoDIlB:zSuwoLyaBo6B
Threatray	3 similar samples on MalwareBazaar
TLSH	23D383EA7802C9BED57F42F4151C35704402BCF4A80B58DF6AD7B24847B8EF4E4A6B96
Reporter	cocaman
Tags:	RemcosRAT scr

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TT SWIFT COPY.scr

Verdict:

No threats detected

Analysis date:

2021-01-27 15:49:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bd2fb26d-2682-4c48-ba0c-36f2c84c46fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/114628/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

Remcos GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/592045

Signature

Connects to many ports of the same IP (likely port scanning)

Contain functionality to detect virtual machines

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected GuLoader

Yara detected Remcos RAT

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b/

Threat name:

Win32.Spyware.Eoif

Status:

Suspicious

First seen:

2021-01-27 09:32:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 29 (55.17%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ffkr25i3tsydejfkitbwve3xc6patudqd5grxcslqgzii3loynq._file

Verdict:

suspicious

RemcosRAT

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

RemcosRAT

e7cf4a0d3f94afea480bf5e64a658029d02191330244697ba9afd81dd5b56386

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/210127-szc691mkpe/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Remcos

Unpacked files

SH256 hash:

d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b

MD5 hash:

cb3b77181a200f9b066fd29e4431ad0f

SHA1 hash:

0019eab67d15bf22a9e90345bf7281b4f0c11d5f

Link:

https://www.unpac.me/results/a6bd5665-4cf5-4c5e-9946-6c79f148ca83/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator