MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c804518ea4c220b90493ad676e48a70265a7fc20af5fb8cf75c36b425f096c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c804518ea4c220b90493ad676e48a70265a7fc20af5fb8cf75c36b425f096c8
SHA3-384 hash: 9b2d8ddb19859d439b8b260f10be9647331d7c5765f7e007c028c799ca96386d6a0e5ce4da4fcc9ecacc0ced68d5a32c
SHA1 hash: d0aee5668cd9d8aedca5aedf1350924fb47ca939
MD5 hash: 196478f75582efb6b95a9b30a6b0afc1
humanhash: foxtrot-high-floor-ohio
File name:196478f75582efb6b95a9b30a6b0afc1
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'262'592 bytes
First seen:2022-05-14 03:06:07 UTC
Last seen:2022-05-14 03:32:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:UxBmrQPG5+6ena7LrbXjoPyMYcY4OIr4id/PszRyB:mB2x+61LjjoPtY4OIEw/0zQ
Threatray 1'597 similar samples on MalwareBazaar
TLSH T17D45AE9C3690B1DFC457CA72CDA81D60EA60B867871BD307A45312EC9D4EA9BCF116F2
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270572/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/627f1cd7ae83652f0e9f2c7a/reports/c104503b-4690-4f5e-b50b-03399f3cfcf4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7879eabc-3030-4c9b-a10c-496f88b3597e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994009
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626504 Sample: O1TFNyAicE Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 10 O1TFNyAicE.exe 4 2->10         started        14 ios.exe 2->14         started        16 ios.exe 3 2->16         started        process3 file4 46 C:\Users\user\AppData\...\O1TFNyAicE.exe.log, ASCII 10->46 dropped 64 Contains functionality to steal Chrome passwords or cookies 10->64 66 Contains functionality to inject code into remote processes 10->66 68 Contains functionality to steal Firefox passwords or cookies 10->68 70 Delayed program exit found 10->70 18 O1TFNyAicE.exe 4 4 10->18         started        21 ios.exe 14->21         started        23 WerFault.exe 14->23         started        25 ios.exe 16->25         started        signatures5 process6 file7 40 C:\Users\user\AppData\Roaming\ios.exe, PE32 18->40 dropped 42 C:\Users\user\...\ios.exe:Zone.Identifier, ASCII 18->42 dropped 44 C:\Users\user\AppData\Local\...\install.vbs, data 18->44 dropped 27 wscript.exe 1 18->27         started        process8 process9 29 cmd.exe 1 27->29         started        process10 31 ios.exe 4 29->31         started        34 conhost.exe 29->34         started        signatures11 72 Multi AV Scanner detection for dropped file 31->72 74 Machine Learning detection for dropped file 31->74 76 Tries to delay execution (extensive OutputDebugStringW loop) 31->76 36 ios.exe 31->36         started        process12 dnsIp13 48 skygroupt6.zapto.org 62.197.136.97, 2080, 49776 SPRINTLINKUS Netherlands 36->48 50 geoplugin.net 178.237.33.50, 49778, 80 ATOM86-ASATOM86NL Netherlands 36->50 52 192.168.2.1 unknown unknown 36->52 62 Installs a global keyboard hook 36->62 signatures14
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1c804518ea4c220b90493ad676e48a70265a7fc20af5fb8cf75c36b425f096c8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 23:42:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dsaekghkjqraxecjhllhnzekoatfu76cbl27xdhxlq3lijpqs3ea._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
576183a33f5247a852bc65a4dc4cbca5762bfbad1291a82572681f7075dc6123
RemcosRAT
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
RemcosRAT
ba8d32d0c7844fdd2e5c4311fc6dc7a400d7c1ff97bebd9760d62308c669fb8f
RemcosRAT
d4729baa39aa4e1052e0999c90450a4cdcd4c4e3831c9a791fb99b94036103b4
RemcosRAT
d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851
RemcosRAT
e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617
RemcosRAT
fafd7463254353a7e4ea4900b93f412fb84bbbddae730fc145c54331eb2533f8
RemcosRAT
+ 1'587 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220514-dma9wsghgl/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
skygroupt6.zapto.org:2080
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c804518ea4c220b90493ad676e48a70265a7fc20af5fb8cf75c36b425f096c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 1c804518ea4c220b90493ad676e48a70265a7fc20af5fb8cf75c36b425f096c8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2194145/
Cape
Cape
https://www.capesandbox.com/analysis/270572/

Comments


Avatar
zbet commented on 2022-05-14 03:06:14 UTC

url : hxxp://85.202.169.85/400/vbc.exe