MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 045ea058a9769c76edb8e280a8b00e7a0f317293f5e9cbfada31477adc5195d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 045ea058a9769c76edb8e280a8b00e7a0f317293f5e9cbfada31477adc5195d3
SHA3-384 hash: 5435058a3d8876be32b6953fb1cc9e753b1f295e5c624ad7a25e940ec32861d679a5ff58e1a993173accf4770a4bac91
SHA1 hash: bae453173e34d7aecf75b4ff96667e43fb90b77c
MD5 hash: a65dc16c6bea725c9e31bda92b98bd88
humanhash: nebraska-hawaii-west-butter
File name:a65dc16c6bea725c9e31bda92b98bd88
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'149'864 bytes
First seen:2022-06-24 17:57:17 UTC
Last seen:2022-07-22 11:27:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29812e414ebeeea52c7ad1572c79924b (1 x Formbook, 1 x RemcosRAT)
ssdeep 49152:07iEZRvfhjUmSg7rVYcQ3HlUDPWH0iORjgpX5OdPsHjfdgZOvSuwniai:0+EZRvfOmLYcCvH0iygmdif8O2it
Threatray 1'418 similar samples on MalwareBazaar
TLSH T1BEA52204B9A2E030F5F722BC0C584729A61DFA74AF64C7CF51511BEB0A767E5ACB0276
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 44cc8890cc71b244 (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:*.newrelic.com
Issuer:GlobalSign Atlas R3 DV TLS CA H2 2021
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-24T23:42:11Z
Valid to:2023-01-25T23:42:10Z
Serial number: 01f4d7dc90b236c50107c07c0db71248
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5cbd2ae123334a767ae6da601b955d0c7eb1167792a2cb0c6b9666423f4b76cf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283137/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for the window
Creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22768/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62b5fb0fe88d6da4ffc314a8/reports/b686a3a9-8c69-4db5-b6d1-338f13ce29da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17b168fa-98c1-4442-9676-17fb6fa80fec
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1019512
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 652008 Sample: aoXwWbAmZq.exe Startdate: 24/06/2022 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Remcos RAT 2->50 52 C2 URLs / IPs found in malware configuration 2->52 7 aoXwWbAmZq.exe 4 2->7         started        11 DllHelper.exe 2->11         started        process3 file4 38 C:\Users\user\AppVerif\DllHelper.exe, PE32 7->38 dropped 40 C:\Users\...\DllHelper.exe:Zone.Identifier, ASCII 7->40 dropped 54 Self deletion via cmd or bat file 7->54 56 Found API chain indicative of debugger detection 7->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 7->58 60 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->60 13 DllHelper.exe 7->13         started        16 cmd.exe 1 7->16         started        18 schtasks.exe 1 7->18         started        62 Writes to foreign memory regions 11->62 64 Allocates memory in foreign processes 11->64 66 Injects a PE file into a foreign processes 11->66 20 InstallUtil.exe 11->20         started        22 InstallUtil.exe 11->22         started        24 InstallUtil.exe 11->24         started        signatures5 process6 signatures7 70 Antivirus detection for dropped file 13->70 72 Found API chain indicative of debugger detection 13->72 74 Writes to foreign memory regions 13->74 78 2 other signatures 13->78 26 InstallUtil.exe 2 2 13->26         started        76 Uses ping.exe to check the status of other devices and networks 16->76 30 PING.EXE 1 16->30         started        32 conhost.exe 16->32         started        34 chcp.com 1 16->34         started        36 conhost.exe 18->36         started        process8 dnsIp9 42 185.157.162.75, 1212 OBE-EUROPEObenetworkEuropeSE Sweden 26->42 68 Installs a global keyboard hook 26->68 44 127.0.0.1 unknown unknown 30->44 signatures10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/045ea058a9769c76edb8e280a8b00e7a0f317293f5e9cbfada31477adc5195d3/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 23:13:40 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=arpkawfjo2ohn3ny4kakrmaopihtc4ut6xu4x6w2gfdxvxcrsxjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1c804518ea4c220b90493ad676e48a70265a7fc20af5fb8cf75c36b425f096c8
RemcosRAT
576183a33f5247a852bc65a4dc4cbca5762bfbad1291a82572681f7075dc6123
RemcosRAT
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
RemcosRAT
ba8d32d0c7844fdd2e5c4311fc6dc7a400d7c1ff97bebd9760d62308c669fb8f
RemcosRAT
d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851
RemcosRAT
+ 1'408 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220624-wj5y7seadm/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
035700d6b696c3def3be3e6e1a4b175baf25bf04e852019a796d4fca97adb17d
MD5 hash:
69ce85204d6b58e28f4728ed2aaacfa1
SHA1 hash:
8e6f6194d944396819b357f116013c80a91e5a44
Link:
https://www.unpac.me/results/1a8d5f63-7bda-45fa-9aa1-623c0f4dbf61/
SH256 hash:
045ea058a9769c76edb8e280a8b00e7a0f317293f5e9cbfada31477adc5195d3
MD5 hash:
a65dc16c6bea725c9e31bda92b98bd88
SHA1 hash:
bae453173e34d7aecf75b4ff96667e43fb90b77c
Link:
https://www.unpac.me/results/1a8d5f63-7bda-45fa-9aa1-623c0f4dbf61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/045ea058a9769c76edb8e280a8b00e7a0f317293f5e9cbfada31477adc5195d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 045ea058a9769c76edb8e280a8b00e7a0f317293f5e9cbfada31477adc5195d3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2249100/
Cape
Cape
https://www.capesandbox.com/analysis/283137/

Comments


Avatar
zbet commented on 2022-06-24 17:57:23 UTC

url : hxxp://infinite-stars.net/files/sysadmin.exe