MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6
SHA3-384 hash:	946834b5f168b1b626075383d63f93d36b69ce736dbcc490cd83288bb9f8ec556b55cd2b6691a22204c2a6666620c010
SHA1 hash:	53ce8684a6d77d6bde689ad6ebf7296e4d68f2b2
MD5 hash:	44cac023d2240b6bb2130ebb9203cbdf
humanhash:	muppet-artist-sad-pizza
File name:	44cac023d2240b6bb2130ebb9203cbdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	603'430 bytes
First seen:	2021-07-06 16:01:32 UTC
Last seen:	2021-07-06 17:18:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	12288:8yvi2mu5Vc7A19hP0Xe6oWVdUTOTUYZ1T3SCvscjBJ9hWbG9:Hvi5uB1bP0UW7TdBVLeQ
TLSH	7BD48C595CF4DD22FCBCFEF4EE4193461D6E6D3244A57B487AB3BEA926B10B6200D060
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

44cac023d2240b6bb2130ebb9203cbdf.exe

Verdict:

Malicious activity

Analysis date:

2021-07-06 17:02:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e7e184af-f66f-41ba-bec6-33426ed5f94e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/170027/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop17.60550.9113.20884.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/abe0eba8-9508-4a1e-9ad0-04fd41c8f4dc

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/812413

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-07-05 22:59:13 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=66fy6e7lauz2rlkajdwhdxsuxdox23ycvxkh25273fwduvl7vtta._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat spyware stealer

Link:

https://tria.ge/reports/210706-mdqv4l8qvs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

NirSoft WebBrowserPassView

Nirsoft

Remcos

Unpacked files

SH256 hash:

f5d522964786988b764824294e1f1b0b4abcc79ca185207350132e07e4cb434e

MD5 hash:

4830a21bfe41424e1952c96528874414

SHA1 hash:

3e81af51e08ee448bbf6ef3a28d7c18a3844a276

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/f80e741d-47b8-4e9f-95ac-3b0993a83ff9/

Parent samples :

070dc47307cdec1dc80820401b39ecd316609f69815bfe7478ae16608a361fe9
f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6

SH256 hash:

a22757b0e9f26b06c2b3f1e3ec85a85c3e96e30afd4c5f31e5c50abe6fc0184d

MD5 hash:

c6e2435f0a0f9e6efc98e619b87345fd

SHA1 hash:

1ac791f3e1b55cf9b62bb6244a6a8663b9a41ed3

Link:

https://www.unpac.me/results/f80e741d-47b8-4e9f-95ac-3b0993a83ff9/

SH256 hash:

985755bad24aba6e28b7dcb1afc4c8f3aa61093578dd10cf6663d37e9f32f797

MD5 hash:

cd2fc3ed7125a84682a76fc7abe03eb7

SHA1 hash:

962aeb41d15f034aea856d2a0892272a4068ec8f

Link:

https://www.unpac.me/results/f80e741d-47b8-4e9f-95ac-3b0993a83ff9/

SH256 hash:

f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6

MD5 hash:

44cac023d2240b6bb2130ebb9203cbdf

SHA1 hash:

53ce8684a6d77d6bde689ad6ebf7296e4d68f2b2

Link:

https://www.unpac.me/results/f80e741d-47b8-4e9f-95ac-3b0993a83ff9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe f78b8f13eb0533a8ad4048ec71de54b8dd7d6f02add47d775fd96c3a557face6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1417421/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/170027/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample