MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 9 File information Comments

SHA256 hash:	f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2
SHA3-384 hash:	066f44514e9ce0ddb606e0148818547ffa8963b272bfd900c8ae53401ce66b8e69afc3647a3bad81a3414e456c0b4970
SHA1 hash:	e35736baefe7d20118c3c74aef44d2caf1c4e4fc
MD5 hash:	120086943c1ef794d7886da90fc49d7a
humanhash:	lactose-thirteen-yellow-dakota
File name:	Ups file de.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	457'728 bytes
First seen:	2020-11-20 07:53:51 UTC
Last seen:	2020-11-27 09:54:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	80fca5ec032b0bbe3966043646d2c605 (1 x RemcosRAT, 1 x Loki)
ssdeep	6144:iNGMVDi7nvpqLwwkLufwSDJxAO8QCOVXS16fO4Ya6Qs4N5y9KPaibeyzKvplE:ioMZiTIww2FSD7rCOJqIb6Q1xaiqyD
Threatray	1'532 similar samples on MalwareBazaar
TLSH	C6A4CF017482C472D472163205F8EB751A39BE312F24B6EFA7D4BB3D9F751C16232A6A
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Launching a process

Modifying an executable file

Unauthorized injection to a recently created process

DNS request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Result

Gathering data

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/543817

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2/

Threat name:

Win32.Spyware.BtcWare

Status:

Malicious

First seen:

2020-11-20 07:54:18 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6kuk4yipdbd3cncp7kq4eusuhkpe6uqiwbsex2oy6xl5m5ymtlra._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

26cfb1b24425c97fc4588631b23ca93def5d84efb2300d81bdbbb48443207292

RemcosRAT

344e6fbb3b331ae13507bca32206ceea89837dc6c02eeadeeee979d8312199b6

RemcosRAT

346c5380b5669b73b9fc43a1a17c31ea17985488e9ea947d93a1c6858ebab5e1

RemcosRAT

485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87

RemcosRAT

763d415415add2ffc6d482373e211c8c8b647ee46ade5e8dacce10f79d515e2b

RemcosRAT

a66b740c103035f94d2d78140ead520be0e9ee0c218ab7dc17ebb3cfa2ea4f86

RemcosRAT

c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993

RemcosRAT

e85de613abef99e65212dcd6f8077b03763fa37fa81e7921907c9e9c3859b632

RemcosRAT

e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591

RemcosRAT

+ 1'522 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat spyware

Link:

https://tria.ge/reports/201120-8patfm7b26/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Remcos

Malware Config

C2 Extraction:

u875414.nvpn.to:2404
u875414.duckdns.org:2404
u875414.ddns.net:2404
u875414.nsupdate.info:2404

Unpacked files

SH256 hash:

f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2

MD5 hash:

120086943c1ef794d7886da90fc49d7a

SHA1 hash:

e35736baefe7d20118c3c74aef44d2caf1c4e4fc

Link:

https://www.unpac.me/results/0672734f-d688-4acf-8067-0d384d7a78ef/

SH256 hash:

c1f3014efaf2118b11c25949e395c114ab71a7363fb2912875339b3191a938bc

MD5 hash:

4d22e69c7664bdadfaacf22ea9cd43e2

SHA1 hash:

a66ba2f18dad08b883efd6eb7403fd219921490f

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/0672734f-d688-4acf-8067-0d384d7a78ef/

Parent samples :

8698337edbeaff1bcd719babffa69ff876d5ee74349886e5cba349b7cae7e19f
1a1924da9d272ea46f8a0a62d7e2ecf01746e9a7621c8b1c36950788c3a3bd8c
73034f52ab0662e125659b9771ecd27259b03e3635fbeda5d7252f53fb2bbc7f
d9eeb6c02f3837b46eafecd72f433a538511cf6280b8238a76baa6a55be2c856
bd4ef5e45ec6e18bc4fc2225588ea4d01151f8f82aeb073a75868bdbcfc66b5a
c4417a6bdfb8727b6cb186c09a2e3700ec563324bb60d22544a6ee5b8a2eda29
a7154f13f8a8a66f47afafe4099e6e760aef60af8eb8d66de0d8ee83cfe1ef8b
a01cd6294d3b5bdf73771b113493d8a5c2df3f105db7d084b0729345a32a4453
5cad6293fe826e616a0ff23c931f174e22fd52fafd874a038419e8dad3681fd6
f2a8ae610f1847b1344ffaa1c252543a9e4f5208b0644be9d8f5d7d6770c9ae2
b5734fe9e898335433674437790e741440b75c6a749ceb7455555c88303daedc
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
1a6757ed0fa8dfc6a0ecc4dcfecc7dacb2b4ff435c15eefeb9edde8b913e1811
6da5a41c6dd6f0ddc638a3bccceeae8132814f605971a2f9eb1af58040f60eb8

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_remcos_g0 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample