MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512
SHA3-384 hash: 39a8eb02f1f8b92e16410eb5df8dc1ce27f00662487969797b7aee40f18080b0585807d2cde60c846e2548bf742e9e12
SHA1 hash: 97edbff0235469be89d923934adce56c8a453c8b
MD5 hash: 837ca4aca889769fbd72b07098a893ac
humanhash: nuts-network-carbon-arkansas
File name:PgydKmFk5JGRjrI.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:712'704 bytes
First seen:2020-10-13 19:42:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QfdJsSAfE/hl59GWzlZBy3CyrYNkJDwkSga704KJWIpQE45QMJegafIKFo/C3JGu:CdJsWh7UWJy3CyrYNsDwkSOxkuk5Q
Threatray 824 similar samples on MalwareBazaar
TLSH 2DE48D9D3290B5EFC667CD36CA681C64EA20347B431BD207A11716AC9A0DB97EF142F3
Reporter GovCERT_CH
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70600/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.jc.15511.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Creating a file in the %AppData% subdirectories
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Setting a global event handler for the keyboard
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/490275
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512/
Threat name:
Win32.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 14:45:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5iolh4h5imqiwc5fmuswqmgg5furjzi4qxcdl36fu7ase3etmuja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
26cfb1b24425c97fc4588631b23ca93def5d84efb2300d81bdbbb48443207292
RemcosRAT
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
RemcosRAT
736bd7b09aa1e987edac64868cc8e5db0d86e709652e0588e2023d052f3def8f
RemcosRAT
7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
RemcosRAT
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
RemcosRAT
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
RemcosRAT
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
RemcosRAT
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
RemcosRAT
e39c2e98071d4440d02e6d1aa86111536d6d01554489bd71f890455c05e424d3
RemcosRAT
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
RemcosRAT
+ 814 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos
Link:
https://tria.ge/reports/201013-61h7ttzw1x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Unpacked files
SH256 hash:
ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512
MD5 hash:
837ca4aca889769fbd72b07098a893ac
SHA1 hash:
97edbff0235469be89d923934adce56c8a453c8b
Link:
https://www.unpac.me/results/20faf8d5-c8c3-4fb3-9dd9-2a68e75fd996/
SH256 hash:
ea29b815cabc686b24c0c5fffe7952873c986d1e239f471d876544ded30289c6
MD5 hash:
4778247583148f99016f247b5771d27c
SHA1 hash:
1ba818eeaaa4a41ce06df8796cb084c367e7177f
Link:
https://www.unpac.me/results/20faf8d5-c8c3-4fb3-9dd9-2a68e75fd996/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/20faf8d5-c8c3-4fb3-9dd9-2a68e75fd996/
SH256 hash:
7b69c9b882a9cc19da535e37f18a51ffa283b2ffbf2c23750691a61f6f20c96d
MD5 hash:
7006a984088c4039b9c10f971f7c9a87
SHA1 hash:
ba828464c1ff407afccf287b33feb43f04c627b8
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/20faf8d5-c8c3-4fb3-9dd9-2a68e75fd996/
Parent samples :
ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512
3ad976b10711565d40a43e17baa86f178a22066c982363d711db1f7edbff3ff2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

158b539191914bf27431d508b6261b42bdd2478ae8cc56475943dceafc4001ff

RemcosRAT

Executable exe ea1cb3f0fd43208b0ba565256830c6e96914e51c85c435efc5a7c1226c936512

(this sample)

  
Dropped by
MD5 7294d9f733adda02cdf4e6cf061a1af7
  
Dropped by
SHA256 158b539191914bf27431d508b6261b42bdd2478ae8cc56475943dceafc4001ff
  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70600/

Comments