MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93
SHA3-384 hash:	6597e9d6217b50033c4b94caeae0264c1d4cddb80de75c8c90691712017e449f3dc5138e39dcfb9e9565c27495256ed0
SHA1 hash:	565c4d7bf2877e01c8647a0c5259f2860d8090dc
MD5 hash:	7da576fbfd96375ddefb5ac9d8b3d091
humanhash:	social-violet-nevada-queen
File name:	f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	263'680 bytes
First seen:	2020-11-14 18:03:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	34078771387d6e214745d63ecc346d59 (3 x RemcosRAT, 2 x Tofsee, 2 x CoinMiner)
ssdeep	3072:/xOQw6KGL+qNb9vpRBPSIp3HypzFs4YcTJJzMth86PlM45jTmjjjjjjj2:/PwhENVZKB7s4dT0l1
Threatray	1'099 similar samples on MalwareBazaar
TLSH	9E44BF1076F1C933C0A3473C0464D2D06637BC26E6B8C98777E83B5A6EBA6D15BB2356
Reporter	seifreed
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Generickdz-9784859-0

Win.Dropper.Tofsee-9785157-0

Win.Packed.Generickdz-9785340-0

Win.Packed.Emotet-9790742-0

Win.Packed.Emotet-9790818-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

DNS request

Creating a file in the %AppData% subdirectories

Setting a global event handler for the keyboard

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/535991

Signature

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Country aware sample found (crashes after keyboard check)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-14 18:05:23 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=62uye2y6faxgeqesugmglyi5tufoqxjg4kwfchasryg44ciznkjq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566

RemcosRAT

2ad1cbf24005ff5f0e634bf2e5642d37ca1cd6d9fe7001cd5b91eeb84506068b

RemcosRAT

308245e3b036eaa8e2b12c92852a64e5feedd6d952789d12da2ea5da9b7acced

RemcosRAT

570e5bb05a57a95438fe1f61a116ab1d0de2bb2b0703745adea8ff45780d4a57

RemcosRAT

6274c01dd6783517a68267d2c6c2af38143ed35074cfc2372d8bc385a7c5f4e9

RemcosRAT

6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09

RemcosRAT

b1e43124a401714ce72691a059cfaf3182e0e63986ab8e165d8333bf11540568

RemcosRAT

c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006

RemcosRAT

fa5850a0ba8809631d4e3f5a3f8cafa133b3d6ae37088eeb934ec13d1bc9f368

RemcosRAT

+ 1'089 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/201114-fqk97fcgzj/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Unpacked files

SH256 hash:

f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93

MD5 hash:

7da576fbfd96375ddefb5ac9d8b3d091

SHA1 hash:

565c4d7bf2877e01c8647a0c5259f2860d8090dc

Link:

https://www.unpac.me/results/2b59840e-3cbf-4405-9fe6-6132d7c5ff25/

SH256 hash:

aa1f0b05fcdfb1f121504887cf5044d37c2415d2dca2abcfc3c41e022fed17e0

MD5 hash:

5217f9a41409543eafb6459c8aa7ec82

SHA1 hash:

f1781b274a404d3c197ba21b318e5e9d419206ac

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/2b59840e-3cbf-4405-9fe6-6132d7c5ff25/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AntiAVP

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6a9826b1e282e624092a19865e11d9d0ae85d26e2ac511c128e0dce09196a93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample