MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc2e0df15f7f02466eb06fd8691336a2b9e958fa0c2cd2a129d47a9231b0ca03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 10 File information Comments

SHA256 hash:	dc2e0df15f7f02466eb06fd8691336a2b9e958fa0c2cd2a129d47a9231b0ca03
SHA3-384 hash:	f42abd8268c7e10c020cb0bd3ea1e6eb2caed38cbc690546237f17ced52bea90ee1059fb1214a8f4857362589856a6e0
SHA1 hash:	c51acaf9fa7ac0482ccbe9fb6788930f19f640fd
MD5 hash:	4aa4270cb372efe48abfb4ec1b6dbbb6
humanhash:	jig-may-october-high
File name:	DHL1207110474 de recepción,pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'092'760 bytes
First seen:	2021-06-18 00:42:00 UTC
Last seen:	2021-06-18 01:50:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	44ae77ffd352712ced0978b5ee3ef88c (2 x RemcosRAT, 1 x Formbook)
ssdeep	24576:qt+Le+UAcIAJScTn9t884Wz7vxLdkOq/XQBSR:qt+rOTn7R6
Threatray	100 similar samples on MalwareBazaar
TLSH	44359F56B3915873CC3326BC5D06A698A67A7D4176ACDC4A37B67C483F38341783A0EB
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
185.19.85.133:8231

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.19.85.133:8231	https://threatfox.abuse.ch/ioc/135604/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL1207110474 de recepción,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-06-18 00:48:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/34ef2f62-e894-4654-a851-3589d27fde05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166682/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader39.48961.30880.31707.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56226daf-86d3-417e-b1a5-5fd7643d05f9

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/804038

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc2e0df15f7f02466eb06fd8691336a2b9e958fa0c2cd2a129d47a9231b0ca03/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-06-17 14:57:56 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3qxa34k7p4bem3vqn7mgsezwuk46swh2bqwnfijj2r5jemnqzibq._file

Verdict:

malicious

RemcosRAT

3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719

RemcosRAT

5b721820c546923afc2b8c1030d1b0d28316295c2fe9b5debb438c7abd5d8b7c

RemcosRAT

72a21c420bc7b744d977b3b0d68f486257784cac7a44c9b29602b0d23fe0e744

RemcosRAT

747610321f9100e0dadd7c7728282b7403172ad1fc23e60eea12f4eaff28ce7e

RemcosRAT

76dd27ef96d337d45cfbc7585846d998f6b0f0a3c89255a9329862877432e098

RemcosRAT

8fb001ff8eff89d8c472579c21683a55aff13ff9599bef6a3e5571b2c919691b

RemcosRAT

b9cf4ce7fc7e9291433169038a63f0f4e3d36fb1826cda150ea52b2257ac7c12

RemcosRAT

c3677d5791ac1a6939f2ab462201f257d9a4707f57bd6ee86d6b4dfa38378e3a

RemcosRAT

dce7bd6ffb24e1022633df291493bc759eda61266bc34c9753ab7912c31b7e96

RemcosRAT

+ 90 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210618-1psr1ajbz2/

Behaviour

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32

MD5 hash:

3e9b080fb62948db627a904b7af653ea

SHA1 hash:

93a66126bdeb846724b41d44c6a7cac15c5ed636

Link:

https://www.unpac.me/results/c11fe355-8628-4083-aa66-ac9ef9dc24aa/

SH256 hash:

dc2e0df15f7f02466eb06fd8691336a2b9e958fa0c2cd2a129d47a9231b0ca03

MD5 hash:

4aa4270cb372efe48abfb4ec1b6dbbb6

SHA1 hash:

c51acaf9fa7ac0482ccbe9fb6788930f19f640fd

Link:

https://www.unpac.me/results/c11fe355-8628-4083-aa66-ac9ef9dc24aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dc2e0df15f7f02466eb06fd8691336a2b9e958fa0c2cd2a129d47a9231b0ca03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166682/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample