MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298
SHA3-384 hash:	5e4c6c77f0126a91dbbc498d4d69f39db1f35fe7811134e6bcdaa94978ed48dd2304c83422b0aaf6f763ca23abd50a90
SHA1 hash:	fb315323dc2c712531b5375f02153301fb66ec5d
MD5 hash:	642c9603a31dc53d9fada1b344718ce0
humanhash:	double-paris-washington-hamper
File name:	eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	934'624 bytes
First seen:	2021-03-23 08:08:53 UTC
Last seen:	2021-03-23 08:50:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	82e197e1404146c794e828a0a2df0e59 (3 x RemcosRAT)
ssdeep	12288:hen+VGUlKPgkcXwpPRGy300T6HGmiIl+W6qWx/cEj96KomSH0BYV3WsOVROl:jVGUlKPgkc0kWT2Not+EEKcUCWsNl
Threatray	719 similar samples on MalwareBazaar
TLSH	10158D22B682C837C0332A754D6BA7B1653EFF502D21594B7BA81E1DAF75AC03D17293
Reporter	JAMESWT_WT
Tags:	185.158.115.38 RemcosRAT TORG-ALYANS LLC

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2182021-931.bin

Verdict:

Malicious activity

Analysis date:

2021-02-23 11:42:45 UTC

Tags:

installer

Link:

https://app.any.run/tasks/9ff0f923-acb3-4b40-bc51-2b2ec82d904a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/126468/

Detection(s):

PUA.Win.Packer.BorlandCpp-9

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/649751

Signature

Contains functionality to detect sleep reduction / modifications

Hijacks the control flow in another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298/

Threat name:

Win32.Downloader.Penguish

Status:

Malicious

First seen:

2021-02-23 22:43:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

3/5

Verdict:

malicious

Label(s):

remcos

RemcosRAT

04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb

RemcosRAT

06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459

RemcosRAT

298b7204317915aa463fecd43ee99abbb9020e993dc0ffdcc5e382d0f590a7b8

RemcosRAT

7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd

RemcosRAT

91e13d173fb96f025e17161b61686fa06272a048eececeb7d4e95ecdcb3de4b8

RemcosRAT

a3fedff31a0349bc1b17791e2382179f465c870b3abd6b49040b3091be722f51

RemcosRAT

b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839

RemcosRAT

ebb6267e5c3bf10ec8ccba29d6fd2c7b747cef8b758db1544caf9edc7f117d7b

RemcosRAT

ef6ac1293cdfda22c8d940f96c5433f406a4c3666e6941e4f094a8cf50d04ac1

RemcosRAT

+ 709 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210323-8bvydbqpex/

Unpacked files

SH256 hash:

c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c

MD5 hash:

abf6c724b20844d5b0073988a58faf1e

SHA1 hash:

7a8269d5b2ae623f8148ce9863f48f7e12ce036b

Link:

https://www.unpac.me/results/50e24832-a370-41fd-ba60-a0bac64c4360/

SH256 hash:

eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298

MD5 hash:

642c9603a31dc53d9fada1b344718ce0

SHA1 hash:

fb315323dc2c712531b5375f02153301fb66ec5d

Link:

https://www.unpac.me/results/50e24832-a370-41fd-ba60-a0bac64c4360/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Azorult

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_parallax_payload_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax Injected Payload v1.01
Reference:	https://twitter.com/VK_Intel/status/1227976106227224578

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/126468/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample