MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 6

SHA256 hash: f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334
SHA3-384 hash: 55e0334d4d4782bb9c3466a5b0aca8852adeaa7ec97f0a29c119f99ae00c850037676e0c2bfe5168080c8ce59778871f
SHA1 hash: d6bad18b6025d9bea349f178bcbf416010c3b4bd
MD5 hash: 6c828880cf1a66e50d5f9f199421c069
humanhash: speaker-august-artist-pizza
File name: SecuriteInfo.com.Trojan.DownLoader33.63103.7154.21167
Signature: RemcosRAT
File size: 1'300'480 bytes
First seen: 2020-07-12 19:39:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e2eeb99405cc09cd01bdcfea64f8b2a7 (2 x RemcosRAT)
ssdeep: 24576:/c41yQoXCpv0vw2mDP7oSaG3tf7sZhGSt5X+G0c91gXpqrwb:/cNCaSkBhurQ
Threatray: 781 similar samples on MalwareBazaar
TLSH: E055AE2173918432E597A6384C8FF7E55833B9126EE1EC4A77E43D0C6F3E6917939282
Reporter: SecuriteInfoCom
Tags: RemcosRAT
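Before spending analysis time on a copy of this sample, confirm it is the file the entry describes by recomputing the listed digests; a download that was transcoded, truncated, or quietly swapped will fail at least one of them. The following is an added example, not MalwareBazaar's own code: the EXPECTED values are copied from the entry above, the function names are this example's own, and looks_like_pe is a minimal structural test for the "Executable exe" / application/x-dosexec file type, not a PE parser. The fuzzy and import hashes on the entry (ssdeep, TLSH, imphash) need third-party libraries (ssdeep, py-tlsh, pefile) and are left out.

```python
import hashlib
import struct

# Digests copied from this MalwareBazaar entry.
EXPECTED = {
    "sha256": "f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334",
    "sha3_384": "55e0334d4d4782bb9c3466a5b0aca8852adeaa7ec97f0a29c119f99ae00c850037676e0c2bfe5168080c8ce59778871f",
    "sha1": "d6bad18b6025d9bea349f178bcbf416010c3b4bd",
    "md5": "6c828880cf1a66e50d5f9f199421c069",
}
ALGOS = ("sha256", "sha3_384", "sha1", "md5")


def hash_chunks(chunks):
    """Digest an iterable of byte chunks with every algorithm in ALGOS in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sample(data: bytes) -> dict:
    """Digests of an in-memory sample."""
    return hash_chunks([data])


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Digests of a file on disk, read in chunks so large samples do not need to fit in RAM."""
    def reader():
        with open(path, "rb") as f:
            while True:
                chunk = f.read(chunk_size)
                if not chunk:
                    return
                yield chunk
    return hash_chunks(reader())


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: DOS 'MZ' magic and an e_lfanew field (offset 0x3C)
    that points at a 'PE\\0\\0' signature. Not a parser; it only catches files that
    are clearly not the executable the entry lists (HTML error pages, zip wrappers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verify_sample(data: bytes, expected=EXPECTED) -> dict:
    """Compare computed digests with the expected ones (case-insensitive hex).
    Returns {algorithm: matched} so a single mismatching digest stands out."""
    actual = hash_sample(data)
    return {name: actual[name] == expected[name].lower() for name in expected}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    print("PE header:", looks_like_pe(blob))
    for name, ok in verify_sample(blob).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
```

Run it as `python verify.py <downloaded file>`; every line should read "match" and the PE check should be True before the file is treated as this entry's sample. MalwareBazaar serves downloads as password-protected zip archives, so hash the extracted file, not the archive.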

Intelligence

File Origin
# of uploads: 1
# of downloads: 84
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
  Creating a window
  DNS request
  Sending a custom TCP request
  Launching a process
  Creating a file
  Running batch commands
  Creating a process with a hidden window
  Deleting a recently created file
  Setting a single autorun event
  Unauthorized injection to a recently created process by context flags manipulation
  Connection attempt to an infection source
  Unauthorized injection to a system process
Threat name: Win32.Trojan.CryptInject
Status: Malicious
First seen: 2020-07-12 15:32:07 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Score: 10/10
Tags: persistence rat family:remcos
Behaviour:
  Script User-Agent
  Suspicious use of WriteProcessMemory
  Modifies registry key
  Suspicious use of SetThreadContext
  Adds Run entry to start application
  Legitimate hosting services abused for malware hosting/C2
  Remcos
Please note that we are no longer able to provide a VirusTotal coverage score.
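Both vendor reports above describe the same two behaviours in their own words: injection into a process the sample created itself, by manipulating its thread context ("Unauthorized injection to a recently created process by context flags manipulation", "Suspicious use of WriteProcessMemory", "Suspicious use of SetThreadContext"), which is the CreateProcess(CREATE_SUSPENDED) / WriteProcessMemory / SetThreadContext / ResumeThread sequence of process hollowing, and persistence through a Run key ("Setting a single autorun event", "Adds Run entry to start application"). The following is an added example, not code from the page or from either sandbox vendor: detection logic that picks out those two behaviours from an API-call trace while ignoring a lone SetThreadContext such as a debugger issues. The ApiCall record layout, the function names and SAMPLE_TRACE are constructed for this example; the CREATE_SUSPENDED value is the real Win32 flag.

```python
from dataclasses import dataclass, field

# Win32 CreateProcess creation flag (value from the Windows SDK).
CREATE_SUSPENDED = 0x00000004

# Registry paths that give a program an autorun entry at logon, hive prefix stripped.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

# Calls a hollowing sequence makes against one target after creating it suspended.
# Repeated WriteProcessMemory calls (one per section) do not reset the chain.
HOLLOWING_CHAIN = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


@dataclass
class ApiCall:
    """One record of a constructed API-call trace (layout is this example's own)."""
    seq: int            # position in the trace
    pid: int            # process that made the call
    api: str            # Win32 API name
    args: dict = field(default_factory=dict)


def detect_hollowing(calls):
    """Flag (caller, target) pairs where the caller created the target with
    CREATE_SUSPENDED and then, in order, wrote its memory, replaced a thread
    context and resumed it. A SetThreadContext against a process the caller did
    not create suspended (a debugger, for instance) never completes the chain."""
    pending = {}    # (caller, target) -> {"step": next index into HOLLOWING_CHAIN, "image": ...}
    findings = []
    for call in sorted(calls, key=lambda c: c.seq):
        target = call.args.get("target_pid")
        if target is None:
            continue
        key = (call.pid, target)
        if call.api == "CreateProcess":
            if call.args.get("flags", 0) & CREATE_SUSPENDED:
                pending[key] = {"step": 0, "image": call.args.get("image")}
            continue
        state = pending.get(key)
        if state is None or call.api != HOLLOWING_CHAIN[state["step"]]:
            continue
        state["step"] += 1
        if state["step"] == len(HOLLOWING_CHAIN):
            findings.append({"caller": call.pid, "target": target,
                             "image": state["image"], "completed_at": call.seq})
            del pending[key]
    return findings


def detect_run_key_persistence(calls):
    """Flag RegSetValueEx writes whose key is one of the Run/RunOnce paths."""
    findings = []
    for call in calls:
        if not call.api.startswith("RegSetValueEx"):
            continue
        key = call.args.get("key", "").lower()
        if any(key.endswith(run_key) for run_key in RUN_KEYS):
            findings.append({"pid": call.pid, "key": call.args["key"],
                             "value_name": call.args.get("value_name"),
                             "data": call.args.get("data")})
    return findings


# Constructed trace for this example, not sandbox output: pid 1234 hollows the
# suspended child 5678 and registers a Run entry; pid 9999 only sets a thread
# context on 4321, as a debugger would, and writes an unrelated registry value.
SAMPLE_TRACE = [
    ApiCall(1, 1234, "CreateProcess", {"target_pid": 5678, "flags": CREATE_SUSPENDED,
                                       "image": r"C:\Windows\System32\svchost.exe"}),
    ApiCall(2, 1234, "WriteProcessMemory", {"target_pid": 5678, "size": 0x1000}),
    ApiCall(3, 1234, "WriteProcessMemory", {"target_pid": 5678, "size": 0x20000}),
    ApiCall(4, 1234, "SetThreadContext", {"target_pid": 5678}),
    ApiCall(5, 1234, "ResumeThread", {"target_pid": 5678}),
    ApiCall(6, 1234, "RegSetValueExW", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                        "value_name": "Update", "data": r"C:\Users\Public\update.exe"}),
    ApiCall(7, 9999, "SetThreadContext", {"target_pid": 4321}),
    ApiCall(8, 9999, "ResumeThread", {"target_pid": 4321}),
    ApiCall(9, 9999, "RegSetValueExW", {"key": r"HKCU\Software\Example\Settings",
                                        "value_name": "Theme", "data": "dark"}),
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print("process hollowing:", finding)
    for finding in detect_run_key_persistence(SAMPLE_TRACE):
        print("Run-key persistence:", finding)
```

Keying the chain on the caller having created the target with CREATE_SUSPENDED is what keeps debuggers, some installers and crash handlers (which legitimately call SetThreadContext or WriteProcessMemory on other processes) from matching; a single suspicious API on its own, as the vendor lines above show, is only an indicator. The Run-key check matches the key path rather than the value data, so renamed binaries still register.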

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method    Signature    File
Web download       RemcosRAT    Executable exe f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334 (this sample)

Delivery method: Distributed via web download