MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d
SHA3-384 hash: fc8e94e820995df529df4f57d224fa9fda2e516376753771890ec21d844945c9bd4720f16581b9a7c253413a0eb15931
SHA1 hash: 27b7a3ed4038e40927edc4bd88fd58f80d178e74
MD5 hash: e92cb564767afb2d59b12ecfc97ed86a
humanhash: hot-utah-fanta-mountain
File name:e92cb564767afb2d59b12ecfc97ed86a.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:719'872 bytes
First seen:2021-08-10 13:48:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64b99ed56fe51c14a44881c90ac9ff50 (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:SnE1eDMrSuUFA+/ARNb43cRuM7bUwYgsI4pR8/CH3eVgfm+7p:42HfUG+oRNb43chyXI4pR0U3eY
Threatray 450 similar samples on MalwareBazaar
TLSH T126E48E27A6765E73C1AF193C8D6B9298692FBD152E188FC725F41E4CBD3A2842D340C7
dhash icon 12b232f2b98c8681 (12 x Formbook, 12 x RemcosRAT, 2 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e92cb564767afb2d59b12ecfc97ed86a.exe
Verdict:
Malicious activity
Analysis date:
2021-08-10 13:53:48 UTC
Tags:
installer
Link:
https://app.any.run/tasks/fdf6cf6d-8cd1-4fbb-b38e-46f351c2906f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177968/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Connection attempt
Creating a file
Deleting a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba3082d7-f094-4795-8ab1-4ca89c92595f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830210
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 23:40:42 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3t54waay5nfaxtfidv4zbppbevkbw7e54igbmfblurquajq2bmgq._file
Verdict:
malicious
Similar samples:
1b945f30cc3cff4673d9a29a7f865edf107b7bfb64e5da763672449ef94fb7b9
RemcosRAT
39f47c4612520d9844a152198245ee842bdf40de4c65e35c03771252f7d7b381
RemcosRAT
4a84faebc419ed0cddbc9e37b337a3090a01051d3ed7d1650c2845369b9a1d63
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
e8b670a416ea518bd6073c440615b624fc91b70cf55e8b63bd524924c37b2970
RemcosRAT
e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb
RemcosRAT
+ 440 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:augusta persistence rat
Link:
https://tria.ge/reports/210810-6pbvy1mdhs/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:8618
Unpacked files
SH256 hash:
48b578abb8f49b0ced2dc41a2f29585a714d3673a869364c77e9501689f0e684
MD5 hash:
0e4c10bb11466e060308329984855585
SHA1 hash:
4e229e872f4293cf80234bb520abb081cd1e42d6
Link:
https://www.unpac.me/results/8ac444a6-5ebb-469f-bf3e-4cba5c2ebc81/
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/8ac444a6-5ebb-469f-bf3e-4cba5c2ebc81/
SH256 hash:
dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d
MD5 hash:
e92cb564767afb2d59b12ecfc97ed86a
SHA1 hash:
27b7a3ed4038e40927edc4bd88fd58f80d178e74
Link:
https://www.unpac.me/results/8ac444a6-5ebb-469f-bf3e-4cba5c2ebc81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe dcfbcb0018eb4a0bcca81d7990bde125541b7c9de20c16142ba46140261a0b0d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1521338/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177968/

Comments