MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2
SHA3-384 hash: 94ec8208bec655a18a793ebf2f4e747c80c7e61b03be3dacc2b58143149e11aa98326e228c648adc9ec8e9c8a646a191
SHA1 hash: 1d8de621f3498f46976099e776e333f5ee826e91
MD5 hash: 98e4c79e3ef45333a8f87301bca61a57
humanhash: north-apart-mango-low
File name:vbc.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:26'624 bytes
First seen:2022-08-25 13:38:51 UTC
Last seen:2022-08-27 02:28:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:VgyjI0uc3wUu/X/lxbLvyqhssQ+7hi950FfmSIISSSSSISSSpvKACPON:VgmuWwU+X/lxfh+sVO5ewVCGN
Threatray 75 similar samples on MalwareBazaar
TLSH T12EC2518B63B64E23F2A8C33D48EB944A8FB5C8BC64A5A51775D1128E3E17B40DBCD705
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0096cc714d86aa00 (18 x RemcosRAT, 14 x Formbook, 7 x AgentTesla)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
357
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-08-25 13:41:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29750846-3298-448b-b77b-6c604ee89de5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301183/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63077c3b393b1c8c4711656a/reports/2fb576ad-3312-4f2b-aca3-a3e7768bb870/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf9b8603-6bac-4900-b9e1-a4bc66eefff8
Result
Threat name:
AsyncRAT, PrivateLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057760
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690277 Sample: vbc.exe Startdate: 25/08/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 9 other signatures 2->47 7 vbc.exe 16 7 2->7         started        12 Knlbdzmj.exe 14 3 2->12         started        14 Knlbdzmj.exe 3 2->14         started        process3 dnsIp4 39 172.245.142.35, 49723, 49740, 49742 AS-COLOCROSSINGUS United States 7->39 31 C:\Users\user\AppData\...\Knlbdzmj.exe, PE32 7->31 dropped 33 C:\Users\...\Knlbdzmj.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 7->35 dropped 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->49 51 Encrypted powershell cmdline option found 7->51 16 InstallUtil.exe 2 7->16         started        19 powershell.exe 17 7->19         started        53 Machine Learning detection for dropped file 12->53 21 powershell.exe 14 12->21         started        23 powershell.exe 14->23         started        file5 signatures6 process7 dnsIp8 37 172.111.234.100, 5888 SOFTLAYERUS United States 16->37 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 13:38:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=efe45qrprcomd3wqjbn6hjdhbmxvwifc6qhkujddh3kuwo3zlwra._file
Verdict:
suspicious
Label(s):
masslogger
Create hunting rule
Similar samples:
001494be88645efe8ffb546bdf58b043c2dd1770091891d30c4fd317281a518a
RemcosRAT
2306209d9706e18bd147c22e4af70a0f076fda6904eda55e2acc625edc942957
RemcosRAT
326920546c2f54782c27ab6c8b53948b8b2cbb1efe709d322c84d4d7a0806911
RemcosRAT
3f4a92916d3f26c17475017df9881acb7a6bb11f3e684e548d166e46f6363bbd
RemcosRAT
469e2d368652b3fd0eac3dfb416cb617b5f5253c87e2a381805c64d1c04e9060
RemcosRAT
960e06362417ccfbcf4fed3713537961382ee856e83eae93ef528b1512bb9bd0
RemcosRAT
9a693191c99ec28e49e610cd89af5137fb077ad8b4d7452828dbabd055e65384
RemcosRAT
a01cf716ce945824cf5cfaa67b4c62b3e1bd082416279411b18396fd51a5c54b
RemcosRAT
a5383b4e2f4ba2bd28112bfb06a100850109568b5e3fc7bcdff4c0fcf12fa6ff
RemcosRAT
ef8351385a327e1883639d1fc36d8e806f4d9f601e4630912763611b16213bb0
RemcosRAT
+ 65 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220825-qxyt6aefc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
172.111.234.100:5888
Unpacked files
SH256 hash:
2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2
MD5 hash:
98e4c79e3ef45333a8f87301bca61a57
SHA1 hash:
1d8de621f3498f46976099e776e333f5ee826e91
Link:
https://www.unpac.me/results/0371ed70-a307-4eb9-9562-61574cca4662/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2149cec22f889cc1eed0485be3a4670b2f5b20a2f40eaa24633ed54b3b795da2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/301183/

Comments