MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70
SHA3-384 hash: 2b3ea6eb6f201e524ced3c6e378fa2701e7604dbe91c8b72856171a018fb2650f406f56a70168b850ee326a4e3917a53
SHA1 hash: f38c38f3e9d80b3b3855266c30a993e56ab61bca
MD5 hash: 2e11cb22fcff3e1fbf803fea30380e75
humanhash: tennis-vermont-delaware-johnny
File name:2e11cb22fcff3e1fbf803fea30380e75
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:846'850 bytes
First seen:2021-08-16 17:45:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1abe4551dd4f8ef04deab38d0027e326 (4 x RemcosRAT, 1 x Smoke Loader, 1 x NetWire)
ssdeep 12288:WhxUck0fyI/Xv94r0umLKC+pvbIAsrxPz+o8wccO:WhGdkF4r0uvnDIFpP6
Threatray 527 similar samples on MalwareBazaar
TLSH T1B2059E52E4A1C837D5533778DE1FA99A8C157F01183828823BE47C49CF37B923AB57A6
dhash icon b0b0303a34363034 (4 x RemcosRAT, 1 x Smoke Loader, 1 x NetWire)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e11cb22fcff3e1fbf803fea30380e75
Verdict:
Malicious activity
Analysis date:
2021-08-16 17:46:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4497feef-3c91-4343-8212-6f544dc0168a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179669/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.36771.17657.15231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/260ce95c-58eb-4c9d-8fac-860cfb74bc84
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/833777
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 17:46:16 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yjjc6j4tgjo7w4jpgptp4gpkdfz55i7hiins7jaimnc4t5nvzya._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
RemcosRAT
38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c
RemcosRAT
43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3
RemcosRAT
44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726
RemcosRAT
46a376d25369d059b1c149d8fb4821aa3ddb504bb381a02f3d5e4e019a41ed4d
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
RemcosRAT
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
RemcosRAT
f1751a576879ffed0fed1eee73ab099833ef0c019c6307cab9919275927ba6b6
RemcosRAT
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
RemcosRAT
+ 517 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210816-smwh8fkqj6/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Modifies system executable filetype association
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/e323c2c5-a420-4b63-8fe5-3d76aa72f1ec/
SH256 hash:
71eddc0484878e19584bad3c131a1edc02a3233cbad69f9fc3c75096ab9650a3
MD5 hash:
4e8d160fa195351e2710fa0beda2c973
SHA1 hash:
abd6d306e891f66d3afc4d129d221bd14f7b7ee7
Link:
https://www.unpac.me/results/e323c2c5-a420-4b63-8fe5-3d76aa72f1ec/
SH256 hash:
fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70
MD5 hash:
2e11cb22fcff3e1fbf803fea30380e75
SHA1 hash:
f38c38f3e9d80b3b3855266c30a993e56ab61bca
Link:
https://www.unpac.me/results/e323c2c5-a420-4b63-8fe5-3d76aa72f1ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1539504/
Cape
Cape
https://www.capesandbox.com/analysis/179669/

Comments


Avatar
zbet commented on 2021-08-16 17:45:35 UTC

url : hxxp://198.23.251.109/rpm/vbc.exe