MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 188d6e4d1543650210777ea153258085124a14cc564fc7c264a01eac69b797b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13



SHA256 hash: 188d6e4d1543650210777ea153258085124a14cc564fc7c264a01eac69b797b8
SHA3-384 hash: 1caa83fe5b385da8d96f847549ee0ee1a663d42241acd8818506fd6d8bf52dc8431298cbfa34825b293bbf054cf715de
SHA1 hash: ede6ca44dc355e91579c10aeaca6da96cb94ef65
MD5 hash: 33d70d4a937b652dcc530ceea5647304
humanhash: may-snake-nineteen-may
File name: SecuriteInfo.com.Trojan.Olock.1.13509.21702
Signature: RemcosRAT
File size: 740'864 bytes
First seen: 2022-07-19 17:47:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:AWsdnoyc1YKD8GHb+VP/9xrjSYdoVnxpJsZWV2TYefJ6E0:AToycKKD8GHq/3+VnxJtsb
Threatray: 2'592 similar samples on MalwareBazaar
TLSH: T1ACF4239933DCA312C46557380910D7051BBADA8BA022EA7E2C8FE5DE1957F818F11FE7
TrID:
  69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 44e288ae8ace7898 (3 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter: SecuriteInfoCom
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 293
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Running batch commands
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 669205
Sample: SecuriteInfo.com.Trojan.Olo...
Start date: 19/07/2022
Architecture: WINDOWS
Score: 100
Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Yara detected AntiVM3; 7 other signatures

Process tree (indentation shows parent/child; "dropped", "signatures" and "network" belong to the process above them):
SecuriteInfo.com.Trojan.Olock.1.13509.exe
    dropped: C:\Users\user\AppData\Roaming\SXgISIER.exe (PE32); C:\Users\...\SXgISIER.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp3AA6.tmp (XML); SecuriteInfo.com.T...ock.1.13509.exe.log (ASCII)
    signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures
    SecuriteInfo.com.Trojan.Olock.1.13509.exe
        dropped: C:\ProgramData\Remcos\remcos.exe (PE32); C:\Users\user\AppData\Local\...\install.vbs (data); C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
        wscript.exe
            cmd.exe
                remcos.exe
                    signatures: Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
                    remcos.exe
                        network: 194.5.98.211, ports 3383, 49757, 49758 (DANILENKODE, Netherlands); geoplugin.net 178.237.33.50, ports 49759, 80 (ATOM86-ASATOM86NL, Netherlands); 192.168.2.1 (unknown, unknown)
                        signatures: Installs a global keyboard hook; Injects a PE file into a foreign processes
                        remcos.exe
                            signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                        remcos.exe
                        remcos.exe
                    powershell.exe
                        conhost.exe
                    schtasks.exe
                        conhost.exe
                conhost.exe
    powershell.exe
        conhost.exe
    schtasks.exe
        conhost.exe
    conhost.exe
remcos.exe
    schtasks.exe
    remcos.exe
    remcos.exe
remcos.exe
remcos.exe
Threat name: ByteCode-MSIL.Trojan.RemcosRAT
Status: Malicious
First seen: 2022-07-19 17:48:14 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence spyware stealer
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Unpacked files

SHA256 hash: 39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash: db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash: e30a58125fc41322db6cf2ccb6a6d414ed379016

SHA256 hash: fa128ac4608828c8e0ad9460900e165836489c3335b8d239d20136d8b22e6136
MD5 hash: b21ea113ad4a820c8cf2d1b55f15e35f
SHA1 hash: c36a892ebc8ea194629bfca4205247aa8bb1c7aa

SHA256 hash: 6d8642b6b031e6a99e4e10c75945fd32401fd7e2b23ce82f7f327db7c14c7143
MD5 hash: d35e664d9b5ea2a93fcad67f8d4da420
SHA1 hash: ab7e599b3e47f8ba713f8406ac8a213cacc58c03

SHA256 hash: f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash: fb7cc194309b03e66b160fe20f371762
SHA1 hash: 7b6fe95b9b6af1328d43ef9fff27919d807b9c47

SHA256 hash: 1c048a93fc173bacc2388da1042140aeb4d4b34c927e524d3b60946efdab1a16
MD5 hash: d329ca03ea62e3371e4d63f5271124a3
SHA1 hash: 14c329ff4882ef1aedb93e21e18b691a93dc2f5d
Detections: win_remcos_auto

SHA256 hash: 188d6e4d1543650210777ea153258085124a14cc564fc7c264a01eac69b797b8
MD5 hash: 33d70d4a937b652dcc530ceea5647304
SHA1 hash: ede6ca44dc355e91579c10aeaca6da96cb94ef65
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
