MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0da748ac698c5eae9e9f9f6d3da20ea8f30fbdbd124597aae25f521988bc858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	e0da748ac698c5eae9e9f9f6d3da20ea8f30fbdbd124597aae25f521988bc858
SHA3-384 hash:	656da1dc79d71e2a31a89eaa75b30873f640ff8fb443d757f3243e22ab2ef7b27104bde3140622a667783e9a7503f5bb
SHA1 hash:	9b8b0ac7c1e128df37b4897f16c4846248768193
MD5 hash:	dc04ce49f447df2bdbf66cd008f8c1ac
humanhash:	quebec-social-floor-tennis
File name:	service.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	798'136 bytes
First seen:	2021-09-15 22:06:57 UTC
Last seen:	2021-10-08 12:51:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c2d34edc2aca1b8c272c5cd63dd80347 (3 x NetWire, 1 x Formbook, 1 x RemcosRAT)
ssdeep	12288:2cMJCaTkjTh4b6XG3n7ybodv9cPdgGKue03SOXjVwrsqaE6MzF5Uh:2Bi94zYSFcFgG6nza2uh
Threatray	600 similar samples on MalwareBazaar
TLSH	T126055E1397D444F3C91636B5CC6BBAD09C167A1229287E466ED8EC5DCF7C680323E26E
dhash icon	48ca4c67d3260aca (3 x NetWire, 1 x Formbook, 1 x RemcosRAT)
Reporter	Racco42
Tags:	exe officialsw chickenkiller com RemcosRAT signed

Code Signing Certificate

Organisation:	Afia Wave Enterprises Oy
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2021-07-08T00:00:00Z
Valid to:	2022-07-08T23:59:59Z
Serial number:	69ad1e8b5941c93d5017b7c3fdb8e7b6
Intelligence:	53 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	999bbf99f3b3c1a894340918d8f2c6a358e7ec6299bab5d8fd6b9e7570abf929
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/188279/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61751d619a5a1e91c5d203e9/reports/c6439316-f56a-4055-a809-5f6642f923c6/overview

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e41ec313-5a7f-4169-bc03-d0c6b58f05bf

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/851716

Signature

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject threads in other processes

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e0da748ac698c5eae9e9f9f6d3da20ea8f30fbdbd124597aae25f521988bc858/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-08-31 19:08:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4dnhjcwgtdc6v2pj7h3nhwra5khtb6632esfs6voex2sdgelzbma._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

11f6a46954cdec78fec52771521926ff6917af81f79e3dc1198a38571b7d7519

RemcosRAT

204806f363e25b8caab19fade1152cbdef6d19a2ee0f122ce2a2aa3949154f1d

RemcosRAT

700679794ef89485d9a296d15f3baf8ea3be9ec4d3657b60d62ad5dc021fbb69

RemcosRAT

7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30

RemcosRAT

b9384216a5aea20cd398e51c6549bb84d6b252f3fde114010e3cc0c60b1e2b13

RemcosRAT

dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

RemcosRAT

+ 590 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:sw persistence rat

Link:

https://tria.ge/reports/210915-11mleaecfp/

Behaviour

Modifies registry key

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

Officialsw.chickenkiller.com:2310
official.ydns.eu:2310
hurricane.ydns.eu:2310

Unpacked files

SH256 hash:

4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744

MD5 hash:

aa23dee2c34813d67fe9c67ec784782a

SHA1 hash:

10b2e7af7cb9d6f852e6d607875a8c9613538930

Link:

https://www.unpac.me/results/c2c6395b-b73e-40ff-91fc-a886182c60ee/

SH256 hash:

e0da748ac698c5eae9e9f9f6d3da20ea8f30fbdbd124597aae25f521988bc858

MD5 hash:

dc04ce49f447df2bdbf66cd008f8c1ac

SHA1 hash:

9b8b0ac7c1e128df37b4897f16c4846248768193

Link:

https://www.unpac.me/results/c2c6395b-b73e-40ff-91fc-a886182c60ee/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e0da748ac698/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e0da748ac698c5eae9e9f9f6d3da20ea8f30fbdbd124597aae25f521988bc858

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/188279/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample