MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3552f29a4edea23050280c0e3ec77cd141dcb699eea5f0c8ec4349019b65ce1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	e3552f29a4edea23050280c0e3ec77cd141dcb699eea5f0c8ec4349019b65ce1
SHA3-384 hash:	da08794521363aa43db0d043be7596cad29c4f0cefdc6150e467cf902cbd881573b57e19450f33ae5498892b5aab60d9
SHA1 hash:	49b8417e0ad72b287b78d3f7578bea461176a6bd
MD5 hash:	39b65fc4ba3cebabd418ab00907828b4
humanhash:	december-west-mirror-yankee
File name:	DHL file.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	683'616 bytes
First seen:	2021-05-28 13:14:12 UTC
Last seen:	2021-05-28 13:58:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	12288:Wdroh6byWvJnY9+1Hq/gd85On8mgGz+ujrPbo3uVkyb3eCzYLrB:Ioh6byWBe+1Hq/gd8An1zXjr/aiMB
Threatray	1'812 similar samples on MalwareBazaar
TLSH	32E4F0F1F7CD88F5D9A6BD7884734C7B8177AA7E2C41000622DC363AAF7A38251A6553
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL file.exe

Verdict:

Malicious activity

Analysis date:

2021-05-28 13:21:42 UTC

Tags:

installer rat remcos keylogger

Link:

https://app.any.run/tasks/a84bc8a1-8ff4-46f7-b36f-3218bf19d6bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/162973/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.4756.14248.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

DNS request

Setting a keyboard event handler

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/793848

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/e3552f29a4edea23050280c0e3ec77cd141dcb699eea5f0c8ec4349019b65ce1/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-05-28 13:14:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4nks6kne5xvcgbicqdaoh3dxzukb3s3jt3vf6deoyq2jagnwltqq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

410ab8ce38a5fd9868cfa4a023a7f28647ce1c8c44501f13ec8fe3040d7a85c5

RemcosRAT

56855ec2eaecac2dc657e738098edcf0146b6a82bd84a5205b7f85072264c38e

RemcosRAT

74d5a7052ca7168700158a9f7c8c15f37c99355e1b84dc5a73724d605bd35604

RemcosRAT

97190ef2d03d62cbc49ab7f7edd2e8fcf202c4484a5e6873ce314e6de691abe1

RemcosRAT

9c78146f4a627174c179d84b1069dad2eb688db691b637793d3285595b773120

RemcosRAT

9c945fc31639ad3a22b019d3b159e66a8df4a28872576f429392fb4dc64ebb01

RemcosRAT

ba3269a5f9ef184b1c62c8e103f24c32b45d3f5ea57f205d012ee7bdbf7f9649

RemcosRAT

c67a752275a99a0ba74a93e5a715a591ad9db9eb010759cdf41b1e7df980e84d

RemcosRAT

f559645f8b05d3c7499f23fd4f6f8f74dad45c3b2501266db7c36b67c8e80e7a

RemcosRAT

+ 1'802 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210528-qqqpaysekx/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

u876134.nsupdate.info:2404
u876134.nvpn.to:2404
u876135.nsupdate.info:2404
u876136.nsupdate.info:2404
u876137.nsupdate.info:2404

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3552f29a4edea23050280c0e3ec77cd141dcb699eea5f0c8ec4349019b65ce1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/162973/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample