MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: 01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f
SHA3-384 hash: 26f2030c808c2d179c633a28cb0945e8a86a83f6b82713099b5735202dad948fc947b183a33f4be0f0f21d014af4e2b8
SHA1 hash: 571a08a4478c6aee97998122b59b8f7f2ba83f78
MD5 hash: 6db13d623c8337161d1ca3066c352162
humanhash: spaghetti-mockingbird-angel-london
File name: VESSELS DETAILS.exe
Signature: RemcosRAT
File size: 2'023'936 bytes
First seen: 2021-04-30 06:20:08 UTC
Last seen: 2021-04-30 07:05:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:I2Yg4fOYGMkFw9b6uhKsvVro+FglwVmoLAAZD3eVrKwppVqMg/8wjS:IhPfOrFw7mIUwVfZDmVpjg/8kS
Threatray: 185 similar samples on MalwareBazaar
TLSH: 14959CA8311060EDC2178C3F97CA0C9181131D737A2B950A9352F3B97B7BD97EAB6785
Reporter: GovCERT_CH
Tags: RemcosRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 124
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Adding an access-denied ACE
Modifying a system executable file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Delayed program exit found
Detected Remcos RAT
Drops PE files to the document folder of the user
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 400970; sample VESSELS DETAILS.exe; start date 30/04/2021; architecture WINDOWS; score 100), rebuilt from the flattened graph dump as a process tree:

- Sample root: contacts xred.mooo.com; signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures. Starts VESSELS DETAILS.exe, Synaptics.exe, remcos.exe and 2 other processes.
  - VESSELS DETAILS.exe: drops C:\Users\user\AppData\...\FLOKsPTUFY4P.exe (PE32); signatures: Creates an undocumented autostart registry key; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes. Starts two further VESSELS DETAILS.exe instances.
    - VESSELS DETAILS.exe: drops C:\Users\user\...\._cache_VESSELS DETAILS.exe, C:\ProgramData\Synaptics\Synaptics.exe and C:\ProgramData\Synaptics\RCX539D.tmp (all PE32). Starts Synaptics.exe and ._cache_VESSELS DETAILS.exe.
      - Synaptics.exe: drops C:\Users\user\AppData\...\eNW2aaZEomDJ.exe (PE32); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; 3 other signatures. Starts three Synaptics.exe instances and 2 other processes.
        - Synaptics.exe: contacts xred.site50.net (153.92.0.100, ports 49767, 49768, 49787; AWEXUS, Germany), googlehosted.l.googleusercontent.com (172.217.19.97, ports 443, 49731, 49732; GOOGLEUS, United States) and 13 other IPs or domains; drops C:\Users\user\Documents\IPKGELNTQY\~$cache1, C:\Users\user\Desktop\._cache_Synaptics.exe, C:\Users\user\AppData\Local\...\bw5zabUx.exe and C:\Users\user\AppData\Local\...\RCXA557.tmp (all PE32). Starts ._cache_Synaptics.exe.
          - ._cache_Synaptics.exe: Machine Learning detection for dropped file.
      - ._cache_VESSELS DETAILS.exe: drops C:\Users\user\AppData\Roaming\...\remcos.exe (PE32). Starts wscript.exe.
        - wscript.exe: contacts 192.168.2.1 (unknown). Starts cmd.exe.
          - cmd.exe: starts remcos.exe and conhost.exe.
            - remcos.exe: contacts 64.44.139.178, port 7200 (NEXEONUS, United States); signatures: Contains functionality to change the wallpaper; Machine Learning detection for dropped file; Contains functionality to steal Chrome passwords or cookies; 3 other signatures.
  - Synaptics.exe: drops C:\Users\user\AppData\...\zLBrpxj3iRV1.exe (PE32). Starts Synaptics.exe.
    - Synaptics.exe: drops C:\ProgramData\...\._cache_Synaptics.exe (PE32). Starts ._cache_Synaptics.exe.
      - ._cache_Synaptics.exe: Machine Learning detection for dropped file.
  - remcos.exe (started from the root; no further detail in the graph).
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-04-30 06:20:21 UTC
AV detection: 33 of 47 (70.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos persistence rat
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Remcos
Malware Config
C2 Extraction: 64.44.139.178:7200
Unpacked files
File 1: SHA256 b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2, MD5 c0ef4d6237d106bf51c8884d57953f92, SHA1 f1da7ecbbee32878c19e53c7528c8a7a775418eb
File 2: SHA256 8a4180af45a806c6cc6350a795a8458354458e7f0627678e105f6752a37a8507, MD5 7c921c4164b226bca6ce0811890d3342, SHA1 d5864c25d26eac24a7e6a0e1c77be7524a9b4f21, Detections: win_remcos_g0
File 3: SHA256 ae5e6b5b51c6dc6dc3ea9b59fc8799d26d2ebf112b141bfeb87f592f4c46ae40, MD5 fcc09907d87d1993eae5cd0898d00421, SHA1 987c5215be09f5f7206fadf3399d81a6548f5a17
File 4: SHA256 e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1, MD5 f4e04ce181bf25a30e3d0cb1ce282c9e, SHA1 24c0528a9e5c864980657f646ed5bed615291f15, Detections: win_remcos_g0
File 5: SHA256 5a5f7b5b068b394302f173a85601f10d083411889db2c671e09aaf4494c0f830, MD5 f8797484dac64d2fd4b6845f5da80218, SHA1 198482fc94488300473086e6f1ee5d016e11c564
File 6 (the submitted sample itself): SHA256 01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f, MD5 6db13d623c8337161d1ca3066c352162, SHA1 571a08a4478c6aee97998122b59b8f7f2ba83f78
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch
Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: remcos_rat
Author: jeFF0Falltrades

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Parent sample (RemcosRAT): SHA256 449c6772b4e8eb262e01b8176c83c7df78eff38eae8adb684f22416800d42b35
This sample: Executable exe, SHA256 01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f
Dropped by: MD5 e30eed5e07cc0cdd5dd846948801b155
Dropped by: SHA256 449c6772b4e8eb262e01b8176c83c7df78eff38eae8adb684f22416800d42b35
Delivery method: Distributed via e-mail attachment

Comments



accidentalrebel commented on 2021-04-30 07:01:59 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [B0023] Execution::Install Additional Program