MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7cba555a1c46f44681642bc427c09871be248a7f9764c8a058b7f7469832aa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7cba555a1c46f44681642bc427c09871be248a7f9764c8a058b7f7469832aa7
SHA3-384 hash: 176af87e597d3d4dcac00444f9294c4ee27a173f7a1297aa1654a2aafbcc83381c8d74e886e473a03c15a7b92214ad80
SHA1 hash: 9a6372ba131f2c68f6144c7c1051ca2c732251eb
MD5 hash: 753550f808e35eb0694004365c277364
humanhash: montana-december-hotel-twelve
File name:753550f808e35eb0694004365c277364.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:856'576 bytes
First seen:2021-09-17 19:06:34 UTC
Last seen:2021-09-17 20:19:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e56b8f875592e725f8372fa466f75b12 (2 x RemcosRAT, 1 x OskiStealer, 1 x Smoke Loader)
ssdeep 12288:RNnBrnT39eHh9pAE6pPnrvQHOgJ8q//CS4/FZ4KPvnk6LHC7WWnMvwfHVBPggseE:35nReHhXknrvJ5K/vtKHngseB
Threatray 595 similar samples on MalwareBazaar
TLSH T12F055CA2A7D04CB2F0192D7DCCDB76A0193DBEF0BE445D864A951A19AB309707D3B48F
dhash icon 4cca4c67d3261aca (6 x RemcosRAT, 4 x Formbook, 2 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
753550f808e35eb0694004365c277364.exe
Verdict:
Malicious activity
Analysis date:
2021-09-17 19:17:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c20559b5-1f01-4c28-b548-090a949fd9bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188834/
Detection(s):
SecuriteInfo.com.W32.Delf.AMV.18250.3207.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6175301edb358dd15ed92bbd/reports/999f4cc9-ab35-472d-b131-e634038f24a9/overview
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ee28675-1b2f-497d-822b-6b64bbaf7e74
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852964
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485395 Sample: IgpEoWeRub.exe Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 44 parhatcsafxz.ac.ug 2->44 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 5 other signatures 2->62 9 IgpEoWeRub.exe 1 22 2->9         started        14 Wwfhgzo.exe 13 2->14         started        16 Wwfhgzo.exe 14 2->16         started        signatures3 process4 dnsIp5 52 cdn.discordapp.com 162.159.129.233, 443, 49730, 49731 CLOUDFLARENETUS United States 9->52 42 C:\Users\Public\Libraries\...\Wwfhgzo.exe, PE32 9->42 dropped 74 Writes to foreign memory regions 9->74 76 Creates a thread in another existing process (thread injection) 9->76 78 Injects a PE file into a foreign processes 9->78 18 mshta.exe 2 3 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        54 162.159.130.233, 443, 49740 CLOUDFLARENETUS United States 14->54 26 logagent.exe 14->26         started        28 DpiScaling.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 aertdfvaz.ac.ug 35.205.61.67, 6968 GOOGLEUS United States 18->46 48 sergio.ac.ug 79.134.225.25, 49738, 49773, 6968 FINK-TELECOM-SERVICESCH Switzerland 18->48 50 4 other IPs or domains 18->50 64 Contains functionality to inject code into remote processes 18->64 66 Delayed program exit found 18->66 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        68 Contains functionalty to change the wallpaper 26->68 70 Contains functionality to steal Chrome passwords or cookies 26->70 72 Contains functionality to steal Firefox passwords or cookies 26->72 signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7cba555a1c46f44681642bc427c09871be248a7f9764c8a058b7f7469832aa7/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 19:07:13 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=47f2kvnbyrxui2awik6ee7ajq4n6esfh7f3ezcqfrn7xi2mdfktq._file
Verdict:
malicious
Similar samples:
078025707e0069438637644d4b57c0ab3f20c21fc738117589b15716d4e429d5
RemcosRAT
0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0
RemcosRAT
08c2e043056e5885236672d75e1f62ca87cffebb47457efc644611a065bfebcb
RemcosRAT
1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99
RemcosRAT
1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a
RemcosRAT
6780919c60b1e4b3f1ef9cfb03bdd492f51ebc505ccddbd47be023d66d429eaf
RemcosRAT
688f62abf01d9eba0c4557f284290a119ee887c1d7f2d5da48014447404cacb9
RemcosRAT
8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec
RemcosRAT
97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a
RemcosRAT
c9b74e819b296f329399e9867d40d7b87477be291ee5509bdde6a7d90778fc44
RemcosRAT
+ 585 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:9.17 persistence rat
Link:
https://tria.ge/reports/210917-xsmpnabbak/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
sergio.ac.ug:6968
ramosasdj.ac.ug:6968
parhatcsafxz.ac.ug:6968
heartdoaz.ac.ug:6968
aertdfvaz.ac.ug:6968
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/69c31af8-0f28-4c8f-b27a-00019af65d98/
SH256 hash:
e7cba555a1c46f44681642bc427c09871be248a7f9764c8a058b7f7469832aa7
MD5 hash:
753550f808e35eb0694004365c277364
SHA1 hash:
9a6372ba131f2c68f6144c7c1051ca2c732251eb
Link:
https://www.unpac.me/results/69c31af8-0f28-4c8f-b27a-00019af65d98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7cba555a1c46f44681642bc427c09871be248a7f9764c8a058b7f7469832aa7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e7cba555a1c46f44681642bc427c09871be248a7f9764c8a058b7f7469832aa7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948788/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/188834/

Comments