MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7
SHA3-384 hash: d8397c2c21f7384b34ad110780b45a4dd9f64de481eb7adbf1774d752b77b29a2b4d2d0d9f1d849d8c6eb96306188934
SHA1 hash: 3648542765ddca0d006f3bf2da2b252ef8850144
MD5 hash: 829858ba2b43bbe3dcd1738f96c32110
humanhash: sodium-high-chicken-robin
File name:e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:512'000 bytes
First seen:2020-03-23 16:27:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c90f697d23ab8f4fcb9f1d9005df35e (1 x RemcosRAT)
ssdeep 12288:+sOcB+foVvv9kE+rkhar74mqoah3XVw2j1rIYO1SdB:nOcB+wVH9mCaShn/vo+
Threatray 1'274 similar samples on MalwareBazaar
TLSH B1B436B5B95DDE95E025A4388C22F5EF90AEFC64FF29981372D03B0F01789469FD2816
Reporter Marco_Ramilli
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e6e2a0f4f64aa78699c8e7e56f33c391d085e655a8a0579f5fa43c42cd580ca7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/211169/
  
URLhaus
https://urlhaus.abuse.ch/url/211178/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments