MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
SHA3-384 hash: 329c1a4806e9f2902424764acb57f53502af252fd589ef331d6c7b02d87e583f6164aa7f54fa076fefa95e9f585dd885
SHA1 hash: a49b452f2e230e68903fbde8ffb16f18134f1930
MD5 hash: 6cfd66231ad6321329aa7c193b35906f
humanhash: mars-mike-golf-steak
File name:6cfd66231ad6321329aa7c193b35906f
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'591'448 bytes
First seen:2022-11-23 09:54:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b2ad48aed5c3e9ae0df2624b0fa2b2 (2 x LgoogLoader, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 24576:4BOnnnnnnnnnnnnnkOuQ/AsSvfmSnN51vVpZAxrQwf4J4DDZKJtzG1tUofc4rNnZ:4CIVvfbN5VTZIQ0weKgqeql41
TLSH T17875D06064EF834EF5AC84BD071A998EDCF6D1833921576327DE3AEE6104240FEDE199
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b088cacacacac8b0 (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:corebuilds.co
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-17T07:13:41Z
Valid to:2023-04-15T16:56:47Z
Serial number: 8e164cade59ab0bf
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: de50430ac8005168aa46210bb8d58a088be3e4f57b2786e299ff299d9cd818a2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SUBM70N.docx
Verdict:
Malicious activity
Analysis date:
2022-11-23 08:56:07 UTC
Tags:
opendir trojan exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/919eeeab-8f7c-4e2d-86a5-7edb5bb2863e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337539/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.29398.10122.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/637dedc194f9bac087b31e71/reports/a6b18233-110e-44db-93be-1ecaaecedabc/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc740655-cfc9-4786-a285-99a61571985d
Result
Threat name:
Remcos, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119580
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 752302 Sample: XJ7MyqLLzd.exe Startdate: 23/11/2022 Architecture: WINDOWS Score: 100 70 api.ip.sb 2->70 90 Snort IDS alert for network traffic 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 16 other signatures 2->96 9 XJ7MyqLLzd.exe 10 2->9         started        14 Quivafe_mef.exe 13 2->14         started        signatures3 process4 dnsIp5 72 5bjm17gbwugr1fegkb.ywfzmoyzqhnlmm2pw4u 9->72 56 C:\Users\user\...\Quivafe_mef.exe, PE32 9->56 dropped 58 C:\Users\...\Quivafe_mef.exe:Zone.Identifier, ASCII 9->58 dropped 98 Self deletion via cmd or bat file 9->98 100 Uses schtasks.exe or at.exe to add and modify task schedules 9->100 16 Quivafe_mef.exe 19 9->16         started        21 cmd.exe 1 9->21         started        23 schtasks.exe 1 9->23         started        74 192.168.2.1 unknown unknown 14->74 76 www.sssupersports.com 14->76 78 5bjm17gbwugr1fegkb.ywfzmoyzqhnlmm2pw4u 14->78 102 Writes to foreign memory regions 14->102 104 Allocates memory in foreign processes 14->104 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->106 108 Injects a PE file into a foreign processes 14->108 25 svchost.exe 2 14->25         started        27 ngentask.exe 14->27         started        file6 signatures7 process8 dnsIp9 60 www.sssupersports.com 104.21.44.248, 443, 49701, 49703 CLOUDFLARENETUS United States 16->60 62 5bjm17gbwugr1fegkb.ywfzmoyzqhnlmm2pw4u 16->62 46 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 16->46 dropped 48 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 16->48 dropped 50 C:\Users\user\AppData\...\library[1].bin, PE32 16->50 dropped 52 C:\Users\user\AppData\...\resource[1].bin, PE32+ 16->52 dropped 80 Writes to foreign memory regions 16->80 82 Allocates memory in foreign processes 16->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->84 86 Injects a PE file into a foreign processes 16->86 29 svchost.exe 3 16->29         started        32 ngentask.exe 2 16 16->32         started        88 Uses ping.exe to check the status of other devices and networks 21->88 36 PING.EXE 1 21->36         started        38 conhost.exe 21->38         started        40 chcp.com 1 21->40         started        42 conhost.exe 23->42         started        file10 signatures11 process12 dnsIp13 110 Antivirus detection for dropped file 29->110 112 Multi AV Scanner detection for dropped file 29->112 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->114 118 3 other signatures 29->118 44 InstallUtil.exe 29->44         started        64 zoz.mastercoa.co 192.30.89.75, 49702, 52814 CLOUDSINGULARITYCA Canada 32->64 66 geoplugin.net 178.237.33.50, 49704, 80 ATOM86-ASATOM86NL Netherlands 32->66 54 C:\ProgramData\remcos\logs.dat, data 32->54 dropped 116 Installs a global keyboard hook 32->116 68 127.0.0.1 unknown unknown 36->68 file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2022-11-23 06:35:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 40 (47.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bs477pdxebsubjsixfxhsdmij5lgfqiu5ayvgpq6wmnwgfl6hfjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221123-lw87aace37/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e9179a4fc42063dba8720c99cae58b707d78b3167456176148e8278b222efc39
MD5 hash:
09c74d90efae3418264f56eb79f0b253
SHA1 hash:
35b6b67b81906aeaaf9e1cd4b0e62799883d1136
Link:
https://www.unpac.me/results/600c9be9-3b38-4772-b826-80d590a877a4/
SH256 hash:
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
MD5 hash:
6cfd66231ad6321329aa7c193b35906f
SHA1 hash:
a49b452f2e230e68903fbde8ffb16f18134f1930
Link:
https://www.unpac.me/results/600c9be9-3b38-4772-b826-80d590a877a4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0cb9ffbc7720/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2431490/
Cape
Cape
https://www.capesandbox.com/analysis/337539/

Comments


Avatar
zbet commented on 2022-11-23 09:54:11 UTC

url : hxxp://54.79.28.10/270/vbc.exe