MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0e41d9b327900eb04d7f027b5ebcbff42d19e654abc6b0db114792ff2538e77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	f0e41d9b327900eb04d7f027b5ebcbff42d19e654abc6b0db114792ff2538e77
SHA3-384 hash:	28c3f5eb19fe8678eb81cd59711c50b4cd3c977c821a3b9573b2d220c5892f68a0b2f85715766a3c88a73ce78abb74af
SHA1 hash:	cf5467e04e38e32073e85128f3a4cb3a77976c34
MD5 hash:	618eacc81e95925cc9f6ea3d19a4a49f
humanhash:	delta-jupiter-wisconsin-papa
File name:	618eacc81e95925cc9f6ea3d19a4a49f.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	996'824 bytes
First seen:	2021-02-18 15:38:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f634516176d90164856e0c5fab187611 (2 x FormBook, 1 x RemcosRAT)
ssdeep	12288:hvQOeYxeWRqFfr19WEdQAs50S0uCoDaMycZ+qgd:hvfSWRqVrjzutDocad
Threatray	106 similar samples on MalwareBazaar
TLSH	D1252BB29B4A4B13F01B103DEC4AF6F61765BCA1372B50FB5E9C7B055AE23A8B510076
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DLAgent07

Link:

https://www.capesandbox.com/analysis/117818/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a file

Deleting a recently created file

Launching a process

Creating a window

Sending a UDP request

DNS request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/611765

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Delayed program exit found

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0e41d9b327900eb04d7f027b5ebcbff42d19e654abc6b0db114792ff2538e77/

Threat name:

Win32.Infostealer.BestaFera

Status:

Malicious

First seen:

2021-02-18 12:57:03 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dsb3gzspeaowbgx6at3l26l75bndhtfjk6gwdnrcr4s74strz3q._file

Verdict:

malicious

RemcosRAT

512f42f440c86ec0b776da00cb7be1aac494914af73a8d47ada5b6a4b5f208eb

RemcosRAT

558791ef8ee4a269644ecce15552270a2e8f287603308069084793370ba9451d

RemcosRAT

6cf485e9d0c0f8ffbe0c4d8776adfd121f4de33fd73262d642739cc3491cac13

RemcosRAT

71f60a985d2cc9fc47c6845a88eea4da19303a96a2ff69daae70276f70dcdae0

RemcosRAT

7372fe2e6401cdbca755f752e7e8407a8a5fbaf81ca5e692705a9819977dc447

RemcosRAT

7db6416e953cbfec70e6f8993506edc77f5fe38602b9b75232f02dbf7e8b1608

RemcosRAT

d67dde5621d6de76562bc2812f04f986b441601b088aa936d821c0504eb4f7aa

RemcosRAT

d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e

RemcosRAT

f199f051d76eae8d5ddf0ee522868aa6878425948f4fc23c53e547995c403cbe

RemcosRAT

+ 96 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/210218-hn17r7x352/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Unpacked files

SH256 hash:

742d9dde82f369f53ebd096e97446b429793401ab681f63e6b24b87ebc1bbc06

MD5 hash:

6a9a262f0ad021baff8e22a6dd4a53ae

SHA1 hash:

160189d345c18854b631a20011103edd2fdd136f

Link:

https://www.unpac.me/results/0941dc1d-429f-44d0-90b1-91c6b4131d14/

SH256 hash:

f0e41d9b327900eb04d7f027b5ebcbff42d19e654abc6b0db114792ff2538e77

MD5 hash:

618eacc81e95925cc9f6ea3d19a4a49f

SHA1 hash:

cf5467e04e38e32073e85128f3a4cb3a77976c34

Link:

https://www.unpac.me/results/0941dc1d-429f-44d0-90b1-91c6b4131d14/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0e41d9b327900eb04d7f027b5ebcbff42d19e654abc6b0db114792ff2538e77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.