MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02d3ff621a1778737ee5207686d5f8a0f2f8c661908e3ba7cdfab8221321c8b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	02d3ff621a1778737ee5207686d5f8a0f2f8c661908e3ba7cdfab8221321c8b5
SHA3-384 hash:	687b28e4e62f504c5112cd65596e656bd91ee933be9ea7d35f741743ba13bdad9c052703837f1f29306505351c5fdeb5
SHA1 hash:	6eb2e0a7ef81a3a279aa27243bbc33cc8721de76
MD5 hash:	b4700f790e051120ca76a0fdc59867a2
humanhash:	florida-single-dakota-twelve
File name:	OFFER INQUIRY.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'169'920 bytes
First seen:	2022-03-11 06:57:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Fz1Mxqd4ZQT45XdthLen+H8XJO+jViqeQwdhgIDz:Br4hXXhS+HN+jViq5wdhgK
Threatray	2'531 similar samples on MalwareBazaar
TLSH	T17245E0E0EF5C87BDDC10727AD1A845700EB5194E2420FF1AA28E11DD4A67FCF49E652E
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
79.134.225.54:6060

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.134.225.54:6060	https://threatfox.abuse.ch/ioc/393626/

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/249292/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/622af303b94fb38cb459f461/reports/12458b2a-a04a-4542-a8a6-637a97364de3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/25db41a8-6f54-470c-8f72-ca0f60a6b0d3

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/954690

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Sigma detected: Suspicius Schtasks From Env Var Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/02d3ff621a1778737ee5207686d5f8a0f2f8c661908e3ba7cdfab8221321c8b5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-11 06:58:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=alj76yq2c54hg7xfeb3invpyudzprrtbschdxj6n7k4ceezbzc2q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

6a4b5aab71a352d6ae6140f99a28b0c38df78a8985b3383f1bc424ca74e046fe

RemcosRAT

724b6b5e627086ff22b9f2d2c045faa880dea62f513a694058b452aa1b6cad6f

RemcosRAT

7b5f70276fe64b0ec64ff186af6706b1dbbf2e2dc69e4b1546745b293121116f

RemcosRAT

9cb0764ab0006460601b25b788c41cf1cd05b40ae92e5928ff13cd8267591767

RemcosRAT

b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4

RemcosRAT

bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3

RemcosRAT

c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738

RemcosRAT

e12fdcfde01952915157328b7afec8830f172814db0ce8d8658d427088b728d0

RemcosRAT

+ 2'521 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:more rat

Link:

https://tria.ge/reports/220311-hrh8hsgdh9/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

.NET Reactor proctector

Remcos

Malware Config

C2 Extraction:

kashbilly.ddns.net:6060

Unpacked files

SH256 hash:

d130b2d5440d69b92d127640decd8feca9661fbc03a93a39023b3ec8b589dec7

MD5 hash:

085c646c94caa963841ffc1bfa6d20eb

SHA1 hash:

cf06f6590c32379cfb01db776398df15d341f741

Link:

https://www.unpac.me/results/5b92cc81-415c-48e2-b37c-53876d6b8dd6/

Parent samples :

8c45a06d9b4a601333c206c47747108e511e9609b184a26de49b925e463ed808
0d08258ee5cde4341d641b04c11d01427309a865ef0ae0601d5a8663ae3a79eb
287899f0c2ed9274def6614ce3f658335cb1f832e1afbfc1d8e3076bdf097054
e9f0de091b5fd4d63fb10f0deca4e360a78341675f2bbef4c03f8cb89c081844
451ab9846f3c63a6b5f2e25ab5f58bb4180cf414062f52e280bd98eafea81963
36eae83dd16e98d3f62475ff48c33f731651e41ff52b0558b509d7a4d665e0b8

SH256 hash:

8d83a5eb231f70d9e9d0c38ce9773c49909cf3acc51422db84fbee3ad74a7939

MD5 hash:

e303734ac3a8b38f3a3ef9df1115ad2a

SHA1 hash:

c9af18054d6a78651c17642e6b2f1ac1cfaadcdb

Link:

https://www.unpac.me/results/5b92cc81-415c-48e2-b37c-53876d6b8dd6/

SH256 hash:

9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662

MD5 hash:

b4c9c16228f0ee1de70ffc6264fb720c

SHA1 hash:

437049e452a511e220abdb32df695cdf07f5a7d0

Link:

https://www.unpac.me/results/5b92cc81-415c-48e2-b37c-53876d6b8dd6/

SH256 hash:

40ec3c21778be3dfa17f2dd084a736dce44868a483b0f67725e679ec6dbd3bc5

MD5 hash:

95b91e80e0cb02c15416ab4383562b77

SHA1 hash:

22cf293f0a0c0d3f2ed5d1121c1648aa5da807ec

Link:

https://www.unpac.me/results/5b92cc81-415c-48e2-b37c-53876d6b8dd6/

SH256 hash:

02d3ff621a1778737ee5207686d5f8a0f2f8c661908e3ba7cdfab8221321c8b5

MD5 hash:

b4700f790e051120ca76a0fdc59867a2

SHA1 hash:

6eb2e0a7ef81a3a279aa27243bbc33cc8721de76

Link:

https://www.unpac.me/results/5b92cc81-415c-48e2-b37c-53876d6b8dd6/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/02d3ff621a17/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02d3ff621a1778737ee5207686d5f8a0f2f8c661908e3ba7cdfab8221321c8b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249292/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample