MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179
SHA3-384 hash: 3c7f27f8fc47550e34cea67f78ed68ed5d3dbcdc0725be5e67eb2d16f0c0de0a74a177095c2b49121edc5bacf06197f0
SHA1 hash: 01b15add5798939b8c3910c1d3afd815c606039e
MD5 hash: 550966f649e029ef5b8f7509e5387147
humanhash: xray-nineteen-vegan-west
File name:550966f649e029ef5b8f7509e5387147
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:844'288 bytes
First seen:2022-10-03 09:48:34 UTC
Last seen:2022-10-03 13:38:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:wxzG2iNVAPaK6iMcLz6EY8nSaim8i5/nRnLSO3hx5ZPvdqhbjC7zS:aK1XKv/nvHRnLSyhXqsG
Threatray 1'964 similar samples on MalwareBazaar
TLSH T11E050174136CBF6BD27A11B61853A44541FCD05335A2E38DBCE631CAA4C2FE057B39AA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 409999c2ce989942 (4 x AgentTesla, 2 x RemcosRAT, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe JustClickAm-com RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316061/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
barys packed
Link:
https://www.filescan.io/uploads/633ab00ec9e2f34354326594/reports/b1e17d13-5c78-4425-90b8-ba171fc05986/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bb535e9-c79c-4fee-82e2-3a8b70233ec4
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082339
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 714899 Sample: qKYRmdNGRY.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 102 Malicious sample detected (through community Yara rule) 2->102 104 Antivirus detection for dropped file 2->104 106 Multi AV Scanner detection for dropped file 2->106 108 9 other signatures 2->108 12 qKYRmdNGRY.exe 6 2->12         started        16 remcos.exe 4 2->16         started        18 remcos.exe 2->18         started        20 remcos.exe 2->20         started        process3 file4 84 C:\Users\user\AppData\Roaming\hpdjztrrH.exe, PE32 12->84 dropped 86 C:\Users\user\AppData\Local\...\tmp5AEB.tmp, XML 12->86 dropped 88 C:\Users\user\AppData\...\qKYRmdNGRY.exe.log, ASCII 12->88 dropped 120 Uses schtasks.exe or at.exe to add and modify task schedules 12->120 122 Injects a PE file into a foreign processes 12->122 22 qKYRmdNGRY.exe 5 5 12->22         started        25 schtasks.exe 1 12->25         started        27 schtasks.exe 16->27         started        29 remcos.exe 16->29         started        31 remcos.exe 16->31         started        33 schtasks.exe 18->33         started        35 remcos.exe 18->35         started        37 schtasks.exe 20->37         started        39 remcos.exe 20->39         started        signatures5 process6 file7 78 C:\ProgramData\Remcos\remcos.exe, PE32 22->78 dropped 80 C:\Users\user\AppData\Local\...\install.vbs, data 22->80 dropped 82 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 22->82 dropped 41 wscript.exe 1 22->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 33->47         started        49 conhost.exe 37->49         started        process8 process9 51 cmd.exe 1 41->51         started        process10 53 remcos.exe 5 51->53         started        56 conhost.exe 51->56         started        signatures11 110 Multi AV Scanner detection for dropped file 53->110 112 Machine Learning detection for dropped file 53->112 114 Injects a PE file into a foreign processes 53->114 58 remcos.exe 53->58         started        62 schtasks.exe 53->62         started        process12 dnsIp13 92 37.0.14.206, 49683, 49684, 6081 WKD-ASIE Netherlands 58->92 94 geoplugin.net 178.237.33.50, 49685, 80 ATOM86-ASATOM86NL Netherlands 58->94 116 Maps a DLL or memory area into another process 58->116 118 Installs a global keyboard hook 58->118 64 remcos.exe 58->64         started        67 remcos.exe 58->67         started        69 remcos.exe 58->69         started        73 15 other processes 58->73 71 conhost.exe 62->71         started        signatures14 process15 dnsIp16 96 Tries to steal Instant Messenger accounts or passwords 64->96 98 Tries to steal Mail credentials (via file / registry access) 64->98 90 192.168.2.1 unknown unknown 73->90 100 Tries to harvest and steal browser information (history, passwords, etc) 73->100 76 WerFault.exe 73->76         started        signatures17 process18
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 09:11:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c23sdhra26dzl3x6wvryqv4wcnbpo42vdcmksugh54relwy6af4q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2929451852384ac9f1b289746f767b752e04ec5d778b9538ac761cb175006948
RemcosRAT
48d97367a91454e04e0161675bc323aaea552ef9335c57090e0d471d3d28c97e
RemcosRAT
b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7
RemcosRAT
b0e78152cf5f5eca9be7cc47e833600e77db47786c09cc2be451f310c50881d9
RemcosRAT
b4c8a357a3699844596921ab6283c51f95ef326251b1e688d883128bdfee8420
RemcosRAT
bf7212910de7bff455c3b3fe4b3a1a05059fe0da0c29e69b3aef492fe2a66fc0
RemcosRAT
cce110eed95c36bf618669b1a290ee90b5152ee9c660b6b37f3e11dca7431419
RemcosRAT
+ 1'954 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection persistence rat spyware stealer
Link:
https://tria.ge/reports/221003-ltb4rshdek/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
37.0.14.206:6081
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8cc19765-a424-407f-89a7-0eb5f95b4708
Unpacked files
SH256 hash:
8c0d49bb0738d1fd7c33f5146ea451fd5e11bd11e83c05844c0b97b30d4eee3c
MD5 hash:
8c5f6bbf19f390b403997ba3aa7a52f4
SHA1 hash:
925ecf957643f0166bc7dd79252832ef83bf48f3
Link:
https://www.unpac.me/results/84828e5c-006f-4b4e-ba6b-2664a0bc39fa/
SH256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
Link:
https://www.unpac.me/results/84828e5c-006f-4b4e-ba6b-2664a0bc39fa/
SH256 hash:
f2c6fdd10134f5e2c179dbff4e6148d26ebf4f45b6d9ab8a9e003e495fd64bb2
MD5 hash:
e83fb5f31ddb373b9727b6465b71006a
SHA1 hash:
52a3f7ad7884e35b44b29eea2fee3ab88b73eee1
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/84828e5c-006f-4b4e-ba6b-2664a0bc39fa/
Parent samples :
9d6522fa46c7e1a5ce5020bf380198b6356c3d70f298a7f03e0394d8bfd632fd
dcabfcf98e82de4170a42b3238a73040e27908f5b3adcc17245fe8281ea57afc
16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179
4a9feae7cda6d56de487622e2da600572e03bb3fd0f4efd664d36a47d2bf1086
SH256 hash:
16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179
MD5 hash:
550966f649e029ef5b8f7509e5387147
SHA1 hash:
01b15add5798939b8c3910c1d3afd815c606039e
Link:
https://www.unpac.me/results/84828e5c-006f-4b4e-ba6b-2664a0bc39fa/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16b7219e20d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 16b7219e20d78795eefeb5638857961342f773551898a950c7ef2245db1e0179

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2346018/
Cape
Cape
https://www.capesandbox.com/analysis/316061/

Comments


Avatar
zbet commented on 2022-10-03 09:48:40 UTC

url : hxxps://justclickam.com/dxll/ORDER%20075098.exe