MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25
SHA3-384 hash: 49127ded66d2934e7c664eefa2292f4b9b18f5895425b9e425e08577bb66af98f5144ff654b9ffb0a7e1b67170592598
SHA1 hash: fd2ef3bf1f09479545134437b864b3397e81874b
MD5 hash: 518454edd1875ea6cc1db084005dbf2a
humanhash: one-vegan-july-cat
File name:Remmy11.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:578'048 bytes
First seen:2021-01-13 07:35:55 UTC
Last seen:2021-01-13 09:38:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 13f6eb96e7165e986a0d233796ec15e0 (5 x Formbook, 5 x RemcosRAT, 1 x Loki)
ssdeep 12288:HIEte0eqcppvppikkkkkCuGnKrIdR8E1ACfVsBeWj5si8S:7treqlTnKkiEsZNOS
Threatray 978 similar samples on MalwareBazaar
TLSH F8C4AD89FA80D6F0C92C93306A3BCC3B47237C6965B4540D75DD7E673BBB963002669A
Reporter abuse_ch
Tags:exe Hostwinds RemcosRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-824517.hostwindsdns.com
Sending IP: 23.238.43.35
From: imports@welfare.top
Subject: Request For Quotation And Price List
Attachment: attachments.iso (contains "Remmy11.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remmy11.exe
Verdict:
Malicious activity
Analysis date:
2021-01-13 09:57:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b331a28-8c76-4778-8d6e-7daf84ee6c08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111735/
Detection(s):
SecuriteInfo.com.Variant.Jaik.42989.28641.14270.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/579928
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-13 03:25:51 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
RemcosRAT
03ce96851d1e23ce614c9f24d97727c68f0f1156a442ff0eaecff89299dd90e9
RemcosRAT
3101eed05f09d6c47096bfea7ffc2367a7f83325618b602b6e808bcfb9bd6989
RemcosRAT
4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7
RemcosRAT
5af5665fcaf756eec2ab43c07645c814438102dba39e782a030025635a8fb713
RemcosRAT
5d18283ed1cb2d7e7bd78e87821b3aa2f2ea64b01e28736098a3922fea61fe71
RemcosRAT
5fdecb2c511ec2b584766991bc2126ae802ed2618a80a227046df5379f12e745
RemcosRAT
9a923858b6e0434e961118c2e0b6fc62bfddf64e1fc69b1b8acaa323d27c1d5e
RemcosRAT
bfe8692e2e6e89e7d77482f315a22b3679e511e50eab20ba852cabc06dc4e5fa
RemcosRAT
e598d09eb75436c41fd667d85213895ce5dd4903474c5bc38a797e725a75d2e3
RemcosRAT
+ 968 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210113-h3fpkyl6nn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SH256 hash:
e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25
MD5 hash:
518454edd1875ea6cc1db084005dbf2a
SHA1 hash:
fd2ef3bf1f09479545134437b864b3397e81874b
Link:
https://www.unpac.me/results/bf03dabc-7522-4318-9c76-1d10bbd4f74a/
SH256 hash:
9ca4c25ea2bd41dbc0d44ad9ee39efed1618dfd2d4a8b36c40f1fa16dde035ef
MD5 hash:
e673bafb8f8a36c42a1673d09cd14613
SHA1 hash:
353ff3f4b8829af9e897c071bdbcaf4e97ecc444
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf03dabc-7522-4318-9c76-1d10bbd4f74a/
SH256 hash:
38c350ef889e5435782bf44a2f377bd47f6353469db6be4bde2f290e72223be2
MD5 hash:
a7ad7875ad19cf8b4cccb4c79d4b5371
SHA1 hash:
3c48929b5d8c4478563975df387e096c4929d43c
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf03dabc-7522-4318-9c76-1d10bbd4f74a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.82
Link:
https://yomi.yoroi.company/submissions/e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 26ec7ac69fedb2d1aba9ff484562e13bba7723af5b7eb7c6c0dd2eaadac0cbcf

RemcosRAT

Executable exe e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25

(this sample)

  
Dropped by
MD5 0f79427d61d4dd657548e5f666e63c6a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 26ec7ac69fedb2d1aba9ff484562e13bba7723af5b7eb7c6c0dd2eaadac0cbcf
Cape
Cape
https://www.capesandbox.com/analysis/111735/

Comments