MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f
SHA3-384 hash:	22c58b4b486006773797ba750666b5494a02b7f154baf52cacad43be6c4660982d1b557649cdf74f3f97b3de83900279
SHA1 hash:	24890995fabbfb50230729d5cceb4d5a92199a42
MD5 hash:	3f4f150ed7ab62f3f08315fa85a1e1f0
humanhash:	seventeen-washington-zulu-yellow
File name:	f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	851'968 bytes
First seen:	2021-10-08 12:50:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	976d50e20c688f6aadbee0d3008b47f5 (1 x Formbook, 1 x RemcosRAT)
ssdeep	12288:oNpYTxZSIWZyFvKOvZFRlMyaTYJxfxY93ruwD5A/FS5ZyCxUiU/OyV3fO:oNpOKAvK8RliTYDArv+t9C1UDV
Threatray	739 similar samples on MalwareBazaar
TLSH	T12E057D22A29144F6D1BF1A385F2B76D458ADBE3039F86C4657F42C087EBF2913D1D982
dhash icon	06071990494b94d4 (1 x RemcosRAT)
Reporter	JAMESWT_WT
Tags:	exe officialsw chickenkiller com RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f

Verdict:

Suspicious activity

Analysis date:

2021-10-08 13:00:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/459bc1b8-e00e-427a-b69f-b88d9ebc9ee4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DLAgent07

Link:

https://www.capesandbox.com/analysis/196159/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader38.38798.3491.26843.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

fareit monero packed remcos

Link:

https://www.filescan.io/uploads/61603eb8e3d213d202bb9561/reports/5951ac1f-4094-42fa-bf33-5fe9419f4907/overview

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/867091

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2021-04-27 08:16:15 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6cewxiszzrakm5du3ocxzpfczvbqth23jg7elq7duoruubtwln7q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1fc8b21214b10720988c33582ca6415bf3d052a829ba4db3dcbd77655de4f95d

RemcosRAT

32c3d29676757629b7ceeafd699c33c14147a79fc07a54889e6f66cd5118b123

RemcosRAT

34ae6e94fd8ce101fadff4baf68d7c0b8bf606d1796b7c8199e7d45a9bc57a02

RemcosRAT

3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac

RemcosRAT

44130b6c18abaaea8d59ba7ef447b231e2bde5ae9fd572104ca51136e5e35150

RemcosRAT

995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075

RemcosRAT

b8ce8a49d849245023b3a5085b5309be738fb56797a31530ecf79d50aae8139f

RemcosRAT

ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914

RemcosRAT

f4dcc52b899bbe0d34ffbb44032c0186953c174beaf647c0556c7e71385c6bb4

RemcosRAT

+ 729 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211008-p3gmdsecf9/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9

MD5 hash:

406f0b9cc6dacbdd1b715c557b941343

SHA1 hash:

77387463c87215e20a8592430665820cbb146660

Link:

https://www.unpac.me/results/b731feb3-1bcb-45b2-a434-1969b01c149e/

SH256 hash:

f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f

MD5 hash:

3f4f150ed7ab62f3f08315fa85a1e1f0

SHA1 hash:

24890995fabbfb50230729d5cceb4d5a92199a42

Link:

https://www.unpac.me/results/b731feb3-1bcb-45b2-a434-1969b01c149e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196159/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample