MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 243153293413189168a254c3f378f0907f95fcef856946deacd5b1d41589afc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 243153293413189168a254c3f378f0907f95fcef856946deacd5b1d41589afc4
SHA3-384 hash: ef065ba9aa7f3eeeb532d26aaaaee2792acab06e972f4724404184cdc4aed4f04c89ec4960f90720037eef50fea293e8
SHA1 hash: fc2b7e12e4ff12a6c95d72e44cd5cb12ae2fae38
MD5 hash: e80b5c8bef8945a87ec3243c973b562e
humanhash: september-queen-mississippi-venus
File name:e80b5c8bef8945a87ec3243c973b562e
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'142'784 bytes
First seen:2022-03-15 16:04:41 UTC
Last seen:2022-04-20 10:20:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:euwOmSDSO6l0ezEmC6X99xR14NaKC2Yp:euf12Bl0bI7KC2Y
Threatray 2'923 similar samples on MalwareBazaar
TLSH T1783512DD32584B13EE65C3BDE6B5A01A07B4BDB09571C2199C8A39C7A1B6FEC2424F43
File icon (PE):PE icon
dhash icon 00f0e6e7edd8b300 (2 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
4
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
e80b5c8bef8945a87ec3243c973b562e
Verdict:
Malicious activity
Analysis date:
2022-03-16 03:52:55 UTC
Tags:
rat remcos keylogger stealer
Link:
https://app.any.run/tasks/bd5e55f5-3038-4d91-8a44-fe0a729fee5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/250966/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6230b93d0cd58dbd929fb528/reports/66677617-98cd-4302-8eb5-342e6b1e2a1c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bc7b413-f284-4cde-a409-64c8905f84eb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957208
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 589689 Sample: 2r33JT7MKL Startdate: 15/03/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 11 other signatures 2->51 7 2r33JT7MKL.exe 7 2->7         started        process3 file4 33 C:\Users\user\AppData\...\eJoatLdVowBgR.exe, PE32 7->33 dropped 35 C:\...\eJoatLdVowBgR.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp3A3F.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\2r33JT7MKL.exe.log, ASCII 7->39 dropped 59 Detected unpacking (creates a PE file in dynamic memory) 7->59 61 Contains functionalty to change the wallpaper 7->61 63 Contains functionality to steal Chrome passwords or cookies 7->63 65 5 other signatures 7->65 11 2r33JT7MKL.exe 2 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        19 2r33JT7MKL.exe 7->19         started        signatures5 process6 dnsIp7 43 marcobalassoneets.ddns.net 91.90.121.57, 49765, 49766, 9794 DPNETBucharestInsulei4RO Romania 11->43 67 Installs a global keyboard hook 11->67 69 Injects a PE file into a foreign processes 11->69 21 2r33JT7MKL.exe 11->21         started        24 2r33JT7MKL.exe 2 11->24         started        27 2r33JT7MKL.exe 1 11->27         started        29 conhost.exe 15->29         started        31 conhost.exe 17->31         started        signatures8 process9 dnsIp10 53 Tries to steal Instant Messenger accounts or passwords 21->53 55 Tries to steal Mail credentials (via file / registry access) 21->55 41 192.168.2.1 unknown unknown 24->41 57 Tries to harvest and steal browser information (history, passwords, etc) 24->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/243153293413189168a254c3f378f0907f95fcef856946deacd5b1d41589afc4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 16:11:33 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqyvgkjucmmjc2fcktb7g6hqsb7zl7hpqvuunxvm2wy5ifmjv7ca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
38c2822b3929fe567273c89ddbdc3fb49a750199cd795f36ad6dc29bb614e4c6
RemcosRAT
6a4b5aab71a352d6ae6140f99a28b0c38df78a8985b3383f1bc424ca74e046fe
RemcosRAT
7b5f70276fe64b0ec64ff186af6706b1dbbf2e2dc69e4b1546745b293121116f
RemcosRAT
b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4
RemcosRAT
c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
RemcosRAT
eb1d29174d0a65b4ff95f172d35532666fed7cd6659ec77591240777b5b76452
RemcosRAT
ebf21217cedcf7f1809418985cb120b150b12d2ec955119c73f7c3170b5f2232
RemcosRAT
+ 2'913 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:engine prof collection rat spyware stealer
Link:
https://tria.ge/reports/220315-tjhskabfar/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
marcobalassoneets.ddns.net:9794
Unpacked files
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/18cd8d9b-463f-4dfa-b8ac-d60522a99c34/
SH256 hash:
f35d48097c476aa535ec20b882958c07ddf3636776afeb82363d10e823084349
MD5 hash:
344e71d8c3d8f10b52bc06de49f15bcf
SHA1 hash:
88ac6ad93a1e3179353e5d3886ce5c212139b570
Link:
https://www.unpac.me/results/18cd8d9b-463f-4dfa-b8ac-d60522a99c34/
SH256 hash:
a2547c6299cf5092d4c74f5a58945e7f06db7c061c7ac96e677cdfcd0d45a817
MD5 hash:
35855fa166d458819b962e6163394f0a
SHA1 hash:
6ef59f11638b170600565b071f13b0ed2f61fc87
Link:
https://www.unpac.me/results/18cd8d9b-463f-4dfa-b8ac-d60522a99c34/
SH256 hash:
556d066a404f96d1baa4cdc49cc4fbcaaa27538240f450d0988490806f70ec3b
MD5 hash:
1672c0d90bdb935a60a494676d426d0c
SHA1 hash:
4ed6d951f56a4b7994cdf42fdac06a99ce59c10c
Link:
https://www.unpac.me/results/18cd8d9b-463f-4dfa-b8ac-d60522a99c34/
SH256 hash:
243153293413189168a254c3f378f0907f95fcef856946deacd5b1d41589afc4
MD5 hash:
e80b5c8bef8945a87ec3243c973b562e
SHA1 hash:
fc2b7e12e4ff12a6c95d72e44cd5cb12ae2fae38
Link:
https://www.unpac.me/results/18cd8d9b-463f-4dfa-b8ac-d60522a99c34/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/243153293413/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/243153293413189168a254c3f378f0907f95fcef856946deacd5b1d41589afc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 243153293413189168a254c3f378f0907f95fcef856946deacd5b1d41589afc4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/250966/
  
URLhaus
https://urlhaus.abuse.ch/url/2098478/

Comments


Avatar
zbet commented on 2022-03-15 16:04:45 UTC

url : hxxp://107.174.138.202/777/vbc.exe