MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 219fc775299b765c2a1626b602f478d3642139dc243a46120281843bdb5bd5e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 219fc775299b765c2a1626b602f478d3642139dc243a46120281843bdb5bd5e9
SHA3-384 hash: 463a78e815d557de4636f4636d887636959304302f084f27b0125fde398bd40635b9bcfe34b5217444cb0be39e101d71
SHA1 hash: eba14adb59e5b8c8a37738ac94a79406ac783245
MD5 hash: 36b4a8ee8074c2577246d6352259abae
humanhash: mountain-washington-vegan-magnesium
File name:36b4a8ee8074c2577246d6352259abae
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:616'448 bytes
First seen:2021-07-01 07:55:56 UTC
Last seen:2021-08-31 10:22:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dEFVzMFuJujIh3XhkD20JlHaNY3aGVv2H9/dNS6rjNUOxhg:qauJuAn8J5/5vSDrx
Threatray 288 similar samples on MalwareBazaar
TLSH B4D42320B21C609BE15D13B0749625C2827068CB64E5E7FD2DFE7ABE14F939E4E91F01
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36b4a8ee8074c2577246d6352259abae
Verdict:
Malicious activity
Analysis date:
2021-07-01 07:58:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c22ec91b-8558-421f-ad2f-5bdc28af2f33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169081/
Detection(s):
SecuriteInfo.com.Variant.Bulz.541197.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de705f02-8ff0-4547-bbae-d192a93f0630
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810401
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442812 Sample: MQr0aMBwsQ Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 7 other signatures 2->66 8 MQr0aMBwsQ.exe 4 9 2->8         started        12 notepads.exe 5 2->12         started        14 notepads.exe 2->14         started        process3 file4 32 C:\Users\user\AppData\Roaming\notepads.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...\MQr0aMBwsQ.exe, PE32 8->34 dropped 36 C:\Users\...\notepads.exe:Zone.Identifier, ASCII 8->36 dropped 42 3 other malicious files 8->42 dropped 68 Writes to foreign memory regions 8->68 70 Injects a PE file into a foreign processes 8->70 16 MQr0aMBwsQ.exe 8->16         started        19 MQr0aMBwsQ.exe 2 3 8->19         started        22 wscript.exe 1 8->22         started        72 Machine Learning detection for dropped file 12->72 24 notepads.exe 12->24         started        38 C:\Users\user\AppData\Local\...\notepads.exe, PE32 14->38 dropped 40 C:\Users\...\notepads.exe:Zone.Identifier, ASCII 14->40 dropped 26 notepads.exe 14->26         started        signatures5 process6 dnsIp7 48 Machine Learning detection for dropped file 16->48 50 Contains functionality to steal Chrome passwords or cookies 16->50 52 Contains functionality to inject code into remote processes 16->52 58 2 other signatures 16->58 44 smartcut.duckdns.org 194.5.98.229, 3363, 49758 DANILENKODE Netherlands 19->44 46 192.168.2.1 unknown unknown 19->46 54 Installs a global keyboard hook 19->54 56 Wscript starts Powershell (via cmd or directly) 22->56 28 powershell.exe 25 22->28         started        signatures8 process9 process10 30 conhost.exe 28->30         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/219fc775299b765c2a1626b602f478d3642139dc243a46120281843bdb5bd5e9/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 07:56:10 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egp4o5jjtn3fykqwe23af5dy2nsccoo4eq5emeqcqgcdxw232xuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d
RemcosRAT
2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc
RemcosRAT
4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605
RemcosRAT
8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a
RemcosRAT
9d723e0a80c89b6da6e4c9aa6028ee70cce510dc0fb2fac794b155a56c6f6339
RemcosRAT
a0bb5a244b144a8e10087fd70a04580c3bb8c4c8add7da671a06f10020473004
RemcosRAT
a0fd8f81cda85af9221734e97a18c29c25a53020517d507ada3e3a1681036e54
RemcosRAT
ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2
RemcosRAT
c85d33153d768a2f98066c8ba07e58890cbac4c185e4ef45739fb03750e1088b
RemcosRAT
f198970271e10830bafa86eccc5ce43e5075a15ed43f4e1924d0e8e0824f218b
RemcosRAT
+ 278 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:panini persistence rat
Link:
https://tria.ge/reports/210701-8gqyx4xmda/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
smartcut.duckdns.org:3363
Unpacked files
SH256 hash:
e680ba95de478f262fbb57218afa76be61e140bbd7f40d0261dc01c1d899d4b8
MD5 hash:
0f700a74857e21def053571abfc6b222
SHA1 hash:
a0330344b39fb58831b96a21994af47b91d4850a
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/e2593425-d400-40e6-aeff-d437eae0e07d/
SH256 hash:
f50a642637514c1faedaa15ef12b0c16b921db10385dbf851f322791547a85fc
MD5 hash:
6a6aa52e34848c06c6d0369e62a34e6e
SHA1 hash:
3885af649c6294b8365b259dd3b55565e69673bc
Link:
https://www.unpac.me/results/e2593425-d400-40e6-aeff-d437eae0e07d/
SH256 hash:
e31daa1fd83de488450c249673bba3b1d0153c82c34b6e22736e53aee16a9eca
MD5 hash:
ee505b47063402b5adc3524fbd7eda03
SHA1 hash:
1634e6f446a04bc2b7356909d33e894261df0d21
Link:
https://www.unpac.me/results/e2593425-d400-40e6-aeff-d437eae0e07d/
SH256 hash:
219fc775299b765c2a1626b602f478d3642139dc243a46120281843bdb5bd5e9
MD5 hash:
36b4a8ee8074c2577246d6352259abae
SHA1 hash:
eba14adb59e5b8c8a37738ac94a79406ac783245
Link:
https://www.unpac.me/results/e2593425-d400-40e6-aeff-d437eae0e07d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/219fc775299b765c2a1626b602f478d3642139dc243a46120281843bdb5bd5e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 219fc775299b765c2a1626b602f478d3642139dc243a46120281843bdb5bd5e9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1415698/
Cape
Cape
https://www.capesandbox.com/analysis/169081/

Comments


Avatar
zbet commented on 2021-07-01 07:55:57 UTC

url : hxxp://dreamwatchevent.com/ConsoleApp3.exe