MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957
SHA3-384 hash: 773ed5638f8aee7a6a1c6ffa2110930f34ed4f3a0c56e87cdc4396a8f0edc284a5ad61b48bb8487103ab10807402cb88
SHA1 hash: 39770df35ca056118ccfbeebbc9b9230f7f032ec
MD5 hash: 40441e12c570b3de968483bb9b04d5ca
humanhash: edward-pip-eleven-quiet
File name:40441e12c570b3de968483bb9b04d5ca
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:766'976 bytes
First seen:2021-07-13 14:36:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:b2qGcAa8yoJg0mOUx7bZkoONx+eRJx+pSjqd5dVm8fQSsTbCxGyfsXN5GnTOdU+5:SlcAB9J87bGfx+Mc528LsXi
Threatray 1'912 similar samples on MalwareBazaar
TLSH T149F45A3823BEA609F63BFF719F90F2459FA6A7769225D14D5CC8020A5821D80FEB7531
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
40441e12c570b3de968483bb9b04d5ca
Verdict:
Suspicious activity
Analysis date:
2021-07-13 14:44:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ccf69ab-9796-4274-b578-f4e413dc99b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171459/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03199552-a0ad-49c4-9953-19e650a31825
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815660
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448073 Sample: elmPEd3zO7 Startdate: 13/07/2021 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 11 other signatures 2->80 11 elmPEd3zO7.exe 3 2->11         started        15 Windows Audio Jack Device Pictures.exe 2 2->15         started        17 Windows Audio Jack Device Pictures.exe 2 2->17         started        process3 file4 64 C:\Users\user\AppData\...\elmPEd3zO7.exe.log, ASCII 11->64 dropped 90 Contains functionality to detect virtual machines (IN, VMware) 11->90 92 Contains functionality to steal Chrome passwords or cookies 11->92 94 Contains functionality to capture and log keystrokes 11->94 100 2 other signatures 11->100 19 elmPEd3zO7.exe 1 5 11->19         started        96 Drops executables to the windows directory (C:\Windows) and starts them 15->96 98 Injects a PE file into a foreign processes 15->98 23 Windows Audio Jack Device Pictures.exe 15->23         started        25 Windows Audio Jack Device Pictures.exe 17->25         started        signatures5 process6 file7 60 C:\...\Windows Audio Jack Device Pictures.exe, PE32 19->60 dropped 62 Windows Audio Jack...exe:Zone.Identifier, ASCII 19->62 dropped 82 Creates an autostart registry key pointing to binary in C:\Windows 19->82 27 cmd.exe 1 19->27         started        30 cmd.exe 1 19->30         started        signatures8 process9 signatures10 84 Uses ping.exe to sleep 27->84 32 Windows Audio Jack Device Pictures.exe 3 27->32         started        36 PING.EXE 1 27->36         started        39 conhost.exe 27->39         started        86 Uses cmd line tools excessively to alter registry or file data 30->86 88 Uses ping.exe to check the status of other devices and networks 30->88 41 conhost.exe 30->41         started        43 reg.exe 1 30->43         started        process11 dnsIp12 58 Windows Audio Jack...ce Pictures.exe.log, ASCII 32->58 dropped 70 Injects a PE file into a foreign processes 32->70 45 Windows Audio Jack Device Pictures.exe 1 4 32->45         started        66 127.0.0.1 unknown unknown 36->66 file13 signatures14 process15 dnsIp16 68 yjune71021.duckdns.org 194.5.97.131, 3030, 49733 DANILENKODE Netherlands 45->68 102 Detected Remcos RAT 45->102 104 Installs a global keyboard hook 45->104 49 cmd.exe 1 45->49         started        52 iexplore.exe 45->52         started        signatures17 process18 signatures19 72 Uses cmd line tools excessively to alter registry or file data 49->72 54 conhost.exe 49->54         started        56 reg.exe 1 49->56         started        process20
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 09:45:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20099b68fc7896261434a79ffe3398f80a268118b180dce7a7af8c9b7260ec58
RemcosRAT
305ff91660cc5f742e0689b4e929725c874941242ffffb85247dde1b84ca8e79
RemcosRAT
88fc70b1b309fd00d08629db01c91f1b7de5f3d459eee1e31782aee3f8172771
RemcosRAT
8e5a258f2297547817ed841d8839ea907cfce98782c5bc2f3a9e7d10310fed08
RemcosRAT
d1d03bfd052d4da26771988a7d52eeceedb30f423f31649f9ff25cd117ddd274
RemcosRAT
fab65de1f3e246271e811162c07c12a2e1199dc2c92dc0da16f1350f35934098
RemcosRAT
feefe7ced3cbfed22efa37a37aca19f34f7c8821497a022b44d5e1007c20ba5a
RemcosRAT
+ 1'902 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:friday july evasion persistence rat trojan
Link:
https://tria.ge/reports/210713-md85f9dq5s/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
yjune71021.duckdns.org:3030
Unpacked files
SH256 hash:
d0e58cfb57d7bbfd6b5a94af101fc4f6388f08f194f5258be8ff5da170787b5a
MD5 hash:
d900548bc843751a2530775891f8b370
SHA1 hash:
62af03b929a22ab26ef4237e2c8c66c5050c72e1
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/5fb15194-c8a4-4909-b104-df35e8bbfa90/
SH256 hash:
299fc0c42a17653a0051889720c4a78c3046ce6c90dcfc1ed06f6b9be97fdf48
MD5 hash:
50b986dc5cd85e6ca5ffe9d692abd581
SHA1 hash:
dde8d8ebb2b80326f967c44751605fb89861568a
Link:
https://www.unpac.me/results/5fb15194-c8a4-4909-b104-df35e8bbfa90/
SH256 hash:
1d283f2ec8139bd0e547b376d92e4c7ebc4f8ef6962538acb790b073df67cacc
MD5 hash:
a1b3e9d8f95ce54e9f27fb207dcf2f83
SHA1 hash:
cb72323db12b462d95b4e5800b7f38f13d8231eb
Link:
https://www.unpac.me/results/5fb15194-c8a4-4909-b104-df35e8bbfa90/
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/5fb15194-c8a4-4909-b104-df35e8bbfa90/
SH256 hash:
1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957
MD5 hash:
40441e12c570b3de968483bb9b04d5ca
SHA1 hash:
39770df35ca056118ccfbeebbc9b9230f7f032ec
Link:
https://www.unpac.me/results/5fb15194-c8a4-4909-b104-df35e8bbfa90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1450614/
Cape
Cape
https://www.capesandbox.com/analysis/171459/

Comments


Avatar
zbet commented on 2021-07-13 14:36:08 UTC

url : hxxp://ebie.xyz/chungx.exe