MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e6765db754d87ceddc85238d20e9fde4e28772568404d786850f8830a0b785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments 1

SHA256 hash:	e6e6765db754d87ceddc85238d20e9fde4e28772568404d786850f8830a0b785
SHA3-384 hash:	8c0d3e009a8bc19c7f833dc8f0d1eafd434ea06efa3001da4040f3791d009ec072e8f2e98d64ec529583f6fcfd49308e
SHA1 hash:	2317d8983e47ebdcd43dc2c81ddfcb52eaa1d4d0
MD5 hash:	f2af5834c766ad58ff228c872bfec972
humanhash:	juliet-cup-west-chicken
File name:	f2af5834c766ad58ff228c872bfec972
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	474'112 bytes
First seen:	2021-12-21 06:47:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f15bed3346039b42bc33c9080047f8c (26 x RemcosRAT)
ssdeep	12288:OegN0jfYLclGb0bVT6e+MT2MffZS/gLSYo:wNywLclGIeMT2MXZRLSV
Threatray	1'447 similar samples on MalwareBazaar
TLSH	T14EA49D11B9C2C032D17252700D29FB759AFCBC302935557BB3DA5D9ABE700C1BB2A6A7
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	zbetcheckin
Tags:	32 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ab.exe

Verdict:

Malicious activity

Analysis date:

2021-12-21 03:29:32 UTC

Tags:

loader

Link:

https://app.any.run/tasks/bdc43dd2-87b5-4628-b68d-7a7b3eb888ee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/215571/

Detection(s):

Win.Trojan.Remcos-9753190-0

Win.Trojan.Remcos-9841897-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Setting a keyboard event handler

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a window

Searching for synchronization primitives

DNS request

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2817/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckMutex

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger remcos

Link:

https://www.filescan.io/uploads/61c178a5ec6c6c14a9e6e8f8/reports/138ddac9-f84b-4fec-9107-bfa451187813/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6ca4a8f0-ae0d-459b-85cd-88304095e004

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/910783

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Drops PE files to the startup folder

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/e6e6765db754d87ceddc85238d20e9fde4e28772568404d786850f8830a0b785/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2021-12-21 03:21:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=43thmxnxktmhz3o4qury2ihj7xsofb3sk2cajv4gquhyqmfaw6cq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1fbca7154111316e9d34ac02beb2377d20ca8426cc83669c89313a4a83358503

RemcosRAT

4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81

RemcosRAT

6862cf51b5546665e90e27a0a188ea8c468097f86b8b5d68fa0521f4cd3a9550

RemcosRAT

7a25e7868a967540a3dc4c8fa89f07444c4b714c4d2f3add235a7f0c33099c57

RemcosRAT

ef6a74a99e6f3945eda8bd082a0adbcc2df584aff03838ed1b5face974a4a6b7

RemcosRAT

+ 1'437 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:echo

Link:

https://tria.ge/reports/211221-hkr7vacdd3/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Loads dropped DLL

Executes dropped EXE

Malware Config

C2 Extraction:

194.5.212.11:666

Unpacked files

SH256 hash:

e6e6765db754d87ceddc85238d20e9fde4e28772568404d786850f8830a0b785

MD5 hash:

f2af5834c766ad58ff228c872bfec972

SHA1 hash:

2317d8983e47ebdcd43dc2c81ddfcb52eaa1d4d0

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/95554939-7bff-4f86-a915-1f59ece1e348/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e6e6765db754d87ceddc85238d20e9fde4e28772568404d786850f8830a0b785

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe e6e6765db754d87ceddc85238d20e9fde4e28772568404d786850f8830a0b785

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1905893/

Cape

https://www.capesandbox.com/analysis/215571/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-12-21 06:47:13 UTC

url : hxxp://194.5.212.11/RMCS_PRO__3.3.2_.exe