MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18662d3d7b350d99657f8713079814c9fb2d11161a6721116d9654e23bb0782e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18662d3d7b350d99657f8713079814c9fb2d11161a6721116d9654e23bb0782e
SHA3-384 hash: 01bdbeb6d4dce7beae3539c6db64f604def7c3a54222e3a1ffe54b032dcc3078bdf686a2af0a89c16b4501ca0d5def7e
SHA1 hash: b86a138092415ee312fea37cbf215318ffef1e7b
MD5 hash: 90782f1578480161117a2ce287216468
humanhash: purple-social-nineteen-mockingbird
File name:EXPORT PAYMENT ACTIVITY.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'794'560 bytes
First seen:2022-04-15 07:51:20 UTC
Last seen:2022-04-20 10:22:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:M33yCANuYLFH68H9iioaRzEcVrwIkh5JUVUVFE9I9uVna2Ddyo:MnJspkU9oWTkjJUuMQuVnac
TLSH T1E8853A5D72828D66ED80D3B0D8B7AB1123684F3628896B13B7E13A39E46F3751F40797
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e0dcd4a4c4c4c4c4 (2 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
479
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
EXPORT PAYMENT ACTIVITY.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 07:54:17 UTC
Tags:
rat remcos keylogger stealer
Link:
https://app.any.run/tasks/f568b2f9-1e51-4198-9182-d2ea24f5e9ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263957/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6259242dffe27d5119d7d90b/reports/3c5488b9-4f12-40fc-84b0-28124f455b52/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc4cd492-7eb5-4603-b851-1aef9a83b35d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977339
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609826 Sample: EXPORT PAYMENT ACTIVITY.exe Startdate: 15/04/2022 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 6 other signatures 2->78 7 EXPORT PAYMENT ACTIVITY.exe 1 6 2->7         started        11 ImagingDevice.exe 4 2->11         started        13 ImagingDevice.exe 3 2->13         started        process3 file4 50 C:\Users\user\AppData\...\ImagingDevice.exe, PE32 7->50 dropped 52 C:\Users\...XPORT PAYMENT ACTIVITY.exe.log, ASCII 7->52 dropped 54 C:\...\ImagingDevice.exe:Zone.Identifier, ASCII 7->54 dropped 80 Writes to foreign memory regions 7->80 82 Injects a PE file into a foreign processes 7->82 15 RegAsm.exe 2 3 7->15         started        19 RegAsm.exe 7->19         started        21 cmd.exe 1 7->21         started        84 Antivirus detection for dropped file 11->84 86 Multi AV Scanner detection for dropped file 11->86 88 Machine Learning detection for dropped file 11->88 23 cmd.exe 11->23         started        25 RegAsm.exe 11->25         started        27 cmd.exe 13->27         started        29 RegAsm.exe 13->29         started        signatures5 process6 dnsIp7 56 salesumishcn.ddns.net 198.244.135.118, 49763, 49829, 9764 RIDLEYSD-NETUS United States 15->56 58 192.168.2.1 unknown unknown 15->58 60 Installs a global keyboard hook 15->60 62 Injects a PE file into a foreign processes 15->62 31 RegAsm.exe 15->31         started        34 RegAsm.exe 15->34         started        36 RegAsm.exe 15->36         started        64 Contains functionality to steal Chrome passwords or cookies 19->64 66 Contains functionality to inject code into remote processes 19->66 68 Contains functionality to steal Firefox passwords or cookies 19->68 70 Delayed program exit found 19->70 38 conhost.exe 21->38         started        40 timeout.exe 1 21->40         started        42 conhost.exe 23->42         started        44 timeout.exe 23->44         started        46 conhost.exe 27->46         started        48 timeout.exe 27->48         started        signatures8 process9 signatures10 90 Tries to steal Instant Messenger accounts or passwords 31->90 92 Tries to steal Mail credentials (via file / registry access) 31->92 94 Tries to harvest and steal browser information (history, passwords, etc) 34->94
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18662d3d7b350d99657f8713079814c9fb2d11161a6721116d9654e23bb0782e/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 07:52:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbtc2pl3gugzszl7q4jqpgauzh5s2eiwdjtscelnszkoeo5qpaxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:bombs collection persistence rat spyware stealer
Link:
https://tria.ge/reports/220415-jqghzacchm/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
salesumishcn.ddns.net:9764
Unpacked files
SH256 hash:
9ea334fa63d9913b40e5b75e82d3d497448b1e30dc9afb1838918c9fff67c1e9
MD5 hash:
7495e4479dfc64137205ab4cb62a4b02
SHA1 hash:
f8cf7cf0402395155d956ab25b1fd2ed141ffb70
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a07204b4-2643-4b90-82a3-0876c4995836/
SH256 hash:
cfcd2c21f829e17c6c40195fb59098c5fdc2a3a0017e33ccb528df2fa7b23f59
MD5 hash:
c94fbfeac811032d42017c51d54f4695
SHA1 hash:
88494f94e19851edbcafabb246417614e73d86bd
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a07204b4-2643-4b90-82a3-0876c4995836/
SH256 hash:
d0373d0dc915e251c32fdf6d3ca9b4700f26cf2e822bf61d89bd59fde9491636
MD5 hash:
6dd00d63483a92568422a8dd8bd5cf5c
SHA1 hash:
7e21ff0fa1282939680b2bbd2694c2398def2630
Link:
https://www.unpac.me/results/a07204b4-2643-4b90-82a3-0876c4995836/
SH256 hash:
18662d3d7b350d99657f8713079814c9fb2d11161a6721116d9654e23bb0782e
MD5 hash:
90782f1578480161117a2ce287216468
SHA1 hash:
b86a138092415ee312fea37cbf215318ffef1e7b
Link:
https://www.unpac.me/results/a07204b4-2643-4b90-82a3-0876c4995836/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18662d3d7b350d99657f8713079814c9fb2d11161a6721116d9654e23bb0782e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:t0_1
Create hunting rule
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263957/

Comments