MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0
SHA3-384 hash: 4647ca2a7ede85a28aefd9e91faab04de026f902f0c9fb5f55ed77b417ea8f805a8c5c81e6237c6d197bd6dcd71e4c59
SHA1 hash: 2204c30f72ca3f0045d01fe618ea539fd6ab5154
MD5 hash: 165ae7b926ac745a41fd1985aeb956aa
humanhash: iowa-friend-fillet-rugby
File name:165ae7b926ac745a41fd1985aeb956aa.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:615'312 bytes
First seen:2022-11-03 20:13:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:hm4wqXLMZbZoEh2eUKpOgy90zqNrG1XaFRsdbCi/4X:VXXLMFV274yUqkdbNgX
Threatray 2'938 similar samples on MalwareBazaar
TLSH T14FD4019013E709F3F4486D3DA12C29C82028B7C6BF4E5FAA347581D52913E9BB5FE589
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 30b2c4c8c8c4b030 (53 x Formbook, 41 x RemcosRAT, 20 x AgentTesla)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
165ae7b926ac745a41fd1985aeb956aa.exe
Verdict:
Malicious activity
Analysis date:
2022-11-03 20:16:08 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/ee02fb65-c1cd-4049-8363-ef18dbd3735d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328134/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.18458.31342.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6364210c892b7e09f9ebec1d/reports/b5ce749f-2e17-4968-917c-c4fd290a5cba/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0803d6d-1b7e-436b-8cd0-a6f9678a4238
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1104805
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 737466 Sample: KPd9CgIAMU.exe Startdate: 03/11/2022 Architecture: WINDOWS Score: 100 75 www.google.com 2->75 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for dropped file 2->103 105 Antivirus / Scanner detection for submitted sample 2->105 107 9 other signatures 2->107 10 KPd9CgIAMU.exe 1 2->10         started        signatures3 process4 file5 67 C:\Users\user\AppData\...\KPd9CgIAMU.exe.log, ASCII 10->67 dropped 109 Writes to foreign memory regions 10->109 111 Allocates memory in foreign processes 10->111 113 Injects a PE file into a foreign processes 10->113 14 RegSvcs.exe 3 17 10->14         started        19 powershell.exe 10 10->19         started        signatures6 process7 dnsIp8 83 45.137.22.236, 49704, 5890 ROOTLAYERNETNL Netherlands 14->83 85 geoplugin.net 178.237.33.50, 49705, 80 ATOM86-ASATOM86NL Netherlands 14->85 69 C:\ProgramData\remcos\logs.dat, data 14->69 dropped 91 Writes to foreign memory regions 14->91 93 Maps a DLL or memory area into another process 14->93 95 Installs a global keyboard hook 14->95 21 svchost.exe 13 14->21         started        23 svchost.exe 13 14->23         started        25 svchost.exe 14->25         started        29 2 other processes 14->29 71 C:\Users\user\AppData\...\SystHIOPLKem.exe, PE32 19->71 dropped 73 C:\Users\...\SystHIOPLKem.exe:Zone.Identifier, ASCII 19->73 dropped 97 Drops PE files to the startup folder 19->97 99 Powershell drops PE file 19->99 27 conhost.exe 19->27         started        file9 signatures10 process11 process12 31 chrome.exe 13 1 21->31         started        34 chrome.exe 21->34         started        36 conhost.exe 21->36         started        38 chrome.exe 23->38         started        40 chrome.exe 23->40         started        42 conhost.exe 23->42         started        44 chrome.exe 25->44         started        46 2 other processes 25->46 48 5 other processes 29->48 dnsIp13 87 192.168.2.1 unknown unknown 31->87 89 239.255.255.250 unknown Reserved 31->89 50 chrome.exe 31->50         started        53 chrome.exe 34->53         started        55 chrome.exe 38->55         started        57 chrome.exe 40->57         started        59 chrome.exe 44->59         started        61 chrome.exe 46->61         started        63 chrome.exe 48->63         started        65 chrome.exe 48->65         started        process14 dnsIp15 77 mdec.nelreports.net 50->77 79 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49720, 49721 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 50->79 81 8 other IPs or domains 50->81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-03 11:10:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgrbcprjotnxygawb7zjspavcp3puixph2dbalor353v5plovhqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a6b4d008994bb06574688d817089831fc7404e5e458c38e7a1464d072a8fd7a
RemcosRAT
65054687e67c867b4f3a1fe66888dbc1e43f1152d44ba8a82e98f4374d54ec1d
RemcosRAT
777eb848bf3c905f08cf9037ab3587523807806e604bb57e7da21a6a81a930ed
RemcosRAT
8f6954e1834b49a24b8e937ff093f1e534f89691ce805ce2f14553315a18e651
RemcosRAT
e76cebc404b8a79e2ab806a3e501b9d2f7260ea1d12f804320c1130be205dff6
RemcosRAT
f63f0aec05acdc4b6427334d073ead70d53709f1b47970bc04329b10f941cca1
RemcosRAT
+ 2'928 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/221103-yzzs8sefc7/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Remcos
Malware Config
C2 Extraction:
45.137.22.236:5890
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/55135030-ca11-419f-a735-878d6ee59223
Unpacked files
SH256 hash:
2132d32079c5bbaee8f6c2efe2ead603c31e06b8d19112c36117d99510242e27
MD5 hash:
e243f2f83bbaf3c755019fc1e20ad561
SHA1 hash:
e7b6a22d712fef8e94febc9fbe168e67abd4d618
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e7652e6-40d6-4dd2-989d-ca97bf86e173/
Parent samples :
dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687
65054687e67c867b4f3a1fe66888dbc1e43f1152d44ba8a82e98f4374d54ec1d
11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/4e7652e6-40d6-4dd2-989d-ca97bf86e173/
SH256 hash:
11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0
MD5 hash:
165ae7b926ac745a41fd1985aeb956aa
SHA1 hash:
2204c30f72ca3f0045d01fe618ea539fd6ab5154
Link:
https://www.unpac.me/results/4e7652e6-40d6-4dd2-989d-ca97bf86e173/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2396489/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/328134/

Comments