MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226d0ea20dccb9f0b091d02ccacaec73b537fc9b61157eff759b74d742d48b00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 226d0ea20dccb9f0b091d02ccacaec73b537fc9b61157eff759b74d742d48b00
SHA3-384 hash: d205a9bcc84033e70f1e750839bc15ffaea91d91c29ef923edb662b5e8ad559a29ef4bfe005ef4db92da667bb9897ac8
SHA1 hash: af1a1a0fc3565f7dcbeceab6928655e52d917627
MD5 hash: e92654f27c4cd3ad6a3a12f3a0be1469
humanhash: johnny-fanta-bacon-friend
File name:Scan3094-03.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:310'140 bytes
First seen:2021-10-07 06:11:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:b8LxBqW4Ci9iLUGoOeMqci94cR7hbFbSPVx6tgsnzcbD2rFKquh3dyLN:nW4n8GOeMJLcRDSPH6tioFK9htyh
Threatray 704 similar samples on MalwareBazaar
TLSH T19F641203F2D1C9B7E1A01F3245F5B938E3BA435CE0595C838374ED6B2AA29E78358C46
File icon (PE):PE icon
dhash icon 4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan3094-03.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 06:12:17 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/6e50f1c8-72cf-4c88-bd5a-6abe24b8e34d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195609/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615e8fb4e3d213d202b975c0/reports/cc1d5b08-4f57-4cc2-86fa-71a406c39f20/overview
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866044
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498472 Sample: Scan3094-03.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 50 edwardjamie.duckdns.org 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 10 other signatures 2->58 11 Scan3094-03.exe 17 2->11         started        15 remcos.exe 16 2->15         started        signatures3 process4 file5 40 C:\Users\user\AppData\Local\...\nmtlvwk.dll, PE32 11->40 dropped 62 Contains functionalty to change the wallpaper 11->62 64 Contains functionality to steal Chrome passwords or cookies 11->64 66 Contains functionality to inject code into remote processes 11->66 70 3 other signatures 11->70 17 Scan3094-03.exe 5 5 11->17         started        42 C:\Users\user\AppData\Local\...\nmtlvwk.dll, PE32 15->42 dropped 68 Injects a PE file into a foreign processes 15->68 20 remcos.exe 15->20         started        signatures6 process7 file8 36 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 17->36 dropped 38 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 17->38 dropped 22 wscript.exe 1 17->22         started        process9 signatures10 60 Deletes itself after installation 22->60 25 cmd.exe 1 22->25         started        process11 process12 27 remcos.exe 16 25->27         started        31 conhost.exe 25->31         started        file13 44 C:\Users\user\AppData\Local\...\nmtlvwk.dll, PE32 27->44 dropped 72 Multi AV Scanner detection for dropped file 27->72 74 Machine Learning detection for dropped file 27->74 76 Injects a PE file into a foreign processes 27->76 33 remcos.exe 2 1 27->33         started        signatures14 process15 dnsIp16 46 edwardjamie.duckdns.org 23.105.131.220, 3956, 49747, 49748 LEASEWEB-USA-NYC-11US United States 33->46 48 192.168.2.1 unknown unknown 33->48
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/226d0ea20dccb9f0b091d02ccacaec73b537fc9b61157eff759b74d742d48b00/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 05:05:06 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejwq5iqnzs47bmer2awmvsxmoo2tp7e3mekx573vtn2noqwurmaa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
RemcosRAT
6f2111247977f79b9772ee487e9e96ee536b8dc901c27af2b2f309fc0f66f6c2
RemcosRAT
6f476c63a6d699d1f0166313deb1e0f623c689882de8411bcd4f0b4f880526dd
RemcosRAT
772a319b31a1922eadd022f30aa60680e911f758d4c81c4dbf16614cf7791f0a
RemcosRAT
9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9
RemcosRAT
a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825
RemcosRAT
af8ee88bf85615f2c305ce230560485be949dbb7355640e0498bf93f154df714
RemcosRAT
b3e18d1026779e01b6bc834a8da488eeb669e5e366ef8d495c109c0f1424d3c1
RemcosRAT
b9c5a6059ee5150b5837e446196c4349571d80336b438056f687d7044cd246b9
RemcosRAT
e4b26e2c09188228c4db16281887a17e90baaf95c7b691fa75d05af9f79ff20a
RemcosRAT
+ 694 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat upx
Link:
https://tria.ge/reports/211007-gx614acbej/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
UPX packed file
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
226d0ea20dccb9f0b091d02ccacaec73b537fc9b61157eff759b74d742d48b00
MD5 hash:
e92654f27c4cd3ad6a3a12f3a0be1469
SHA1 hash:
af1a1a0fc3565f7dcbeceab6928655e52d917627
Link:
https://www.unpac.me/results/f470c104-00ea-4f63-afb1-473a1c25b94e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/226d0ea20dccb9f0b091d02ccacaec73b537fc9b61157eff759b74d742d48b00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 226d0ea20dccb9f0b091d02ccacaec73b537fc9b61157eff759b74d742d48b00

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195609/

Comments