MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d
SHA3-384 hash: 489092794688df3200caf8e97b3e32ad71fc810ee8b1c06394fad6a7d79d9688cb2c12b1bdcb680c5691451d4c6d1ace
SHA1 hash: 06a9578f6610323d7f4338bffef87a0512c083c9
MD5 hash: 28657b966ded345476cb24a91a581efd
humanhash: salami-fix-green-floor
File name:vbc (5).exe.vir
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'055'744 bytes
First seen:2022-06-21 10:11:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:pbBHsuubAqpIocODpBaD+PnpLJZObnkYo6:XM1MbsDpBA+PnpL3fYP
Threatray 1'374 similar samples on MalwareBazaar
TLSH T1B7258D591F89AEC2DCE94BBA91F30B656311AF30585FA70B1294773F063B4CA6EC019D
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d4c4c4d4d4d4d4d4 (2 x RemcosRAT)
Reporter KdssSupport
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/281897/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b19954f4dd1ffb77a7f226/reports/f49ed921-753c-4ac2-9ecf-114029e06a01/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/074562de-7a9b-42d1-9eeb-09227f2e7aed
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1016990
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 649483 Sample: vbc (5).exe.vir Startdate: 21/06/2022 Architecture: WINDOWS Score: 76 15 Malicious sample detected (through community Yara rule) 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 3 other signatures 2->21 7 vbc (5).exe.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 conhost.exe 9->11         started        13 timeout.exe 9->13         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 10:12:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=antb2b66etd73qi6ck6aelypdnnfj3znnzly4ljuia5tlvi7wrgq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
121dd806963977a4c80e98a91e1bccf577d74da295787f7d61ef22cc1026822e
RemcosRAT
18662d3d7b350d99657f8713079814c9fb2d11161a6721116d9654e23bb0782e
RemcosRAT
52876d1726bf1657b61f1a2e7bf932ee15ca41ff84874fc769755ea233ea10ba
RemcosRAT
59e1f561914294d4705be15059a0a4aa093b80480c3842fb005a3b3b6355f435
RemcosRAT
7a95dfe43a03318c0301489c77ecdb7f5da54842c4731a1f0c4214569155813e
RemcosRAT
8342c94ddfd4cca232e9d1cd5faed48fdce02a694b062606b938401b502a0c30
RemcosRAT
9a6542e7da5c82465fd053f020d82161a8995c3353b58ac9b3e085d70d9ecf8d
RemcosRAT
ebcb09c56c09245ba10f231b7d4bfacdb5615ee6e3820f479f0a0d6488759668
RemcosRAT
+ 1'364 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:richmind collection rat spyware stealer
Link:
https://tria.ge/reports/220621-l8gykafbd2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
imranmhemoodcheema.ddns.net:9830
Unpacked files
SH256 hash:
c3d0531b1de660979d1091cc05196ead779d08975df23ebe9c7d988b7ff14aff
MD5 hash:
e30285b6310a71b39359ee349791daed
SHA1 hash:
08b88cdd6e1ef4eb5f20145ac1d5f587768f3f2d
Link:
https://www.unpac.me/results/e462cff6-6275-4423-85a3-fdbcbbbf3993/
SH256 hash:
b25e22b172fb1e3f38ef417d1b63712918deebd26e36a0b9064e262d2c5abf95
MD5 hash:
ce1d8ab7ed398c8c68c17760f2ec5069
SHA1 hash:
4394eb270544b7b07aa9d4ee4c0b73ff80283816
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/e462cff6-6275-4423-85a3-fdbcbbbf3993/
Parent samples :
03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d
9a750dd5c0f9cfaf59331c095bacf292d6621ebd094da752cefca4238613924d
SH256 hash:
2180e8271ca0d57249d947bdab53d61fa6a2faece737513a59280312c8f4952d
MD5 hash:
16550b92b42ab7e7ec87ebe73d973510
SHA1 hash:
650a2d496f5148b1bec428feac87f80040cddbe1
Link:
https://www.unpac.me/results/e462cff6-6275-4423-85a3-fdbcbbbf3993/
SH256 hash:
03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d
MD5 hash:
28657b966ded345476cb24a91a581efd
SHA1 hash:
06a9578f6610323d7f4338bffef87a0512c083c9
Link:
https://www.unpac.me/results/e462cff6-6275-4423-85a3-fdbcbbbf3993/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/03661d07de24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 03661d07de24c7fdc11e12bc022f0f1b5a54ef2d6e578e2d34403b35d51fb44d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2246307/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/281897/

Comments