MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076
SHA3-384 hash: 8472df93f877cfbb2410978a55a45795b9c75d7fd5afb83f1f929273588029de7613729f6f06a64ea6cf7d20198ff0e0
SHA1 hash: f628403ea5379cc9d1846dcab1a87aacf80275c3
MD5 hash: 90eef380ebfe77f3a189446cdb907216
humanhash: fanta-triple-table-sad
File name:90eef380ebfe77f3a189446cdb907216.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:659'968 bytes
First seen:2022-10-01 07:40:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:najJRvKt3Gm3wGlzEO4IN612xUo+Bz/RRzwqjlWU2yi5A9Pmn/8LUjOipOg+WBGH:QKFG4wGF663x0BjDDjIryZtQKi7dGH
TLSH T1E3E4CF331BEB8A07D1157678C0D1D2F6A3A9DE00E563C697ABCA5C1FF08B1A9DB61350
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315429/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Launching a process
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6337ef17d5955f6f49d56697/reports/ad04f1f6-9426-4e1a-84ad-738e5c29d643/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcdf5297-7997-4067-920b-4d2bdb43612b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081410
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 713968 Sample: insYAkTNSb.exe Startdate: 01/10/2022 Architecture: WINDOWS Score: 100 72 arttronova23.duckdns.org 2->72 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 9 other signatures 2->88 12 insYAkTNSb.exe 3 2->12         started        15 Microsoft Security Start.exe 2 2->15         started        17 Microsoft Security Start.exe 2 2->17         started        signatures3 process4 file5 70 C:\Users\user\AppData\...\insYAkTNSb.exe.log, ASCII 12->70 dropped 20 insYAkTNSb.exe 1 5 12->20         started        24 Microsoft Security Start.exe 3 15->24         started        27 Microsoft Security Start.exe 15->27         started        80 Drops executables to the windows directory (C:\Windows) and starts them 17->80 29 Microsoft Security Start.exe 17->29         started        signatures6 process7 dnsIp8 66 C:\Windows\...\Microsoft Security Start.exe, PE32 20->66 dropped 68 Microsoft Security...exe:Zone.Identifier, ASCII 20->68 dropped 90 Creates an autostart registry key pointing to binary in C:\Windows 20->90 31 cmd.exe 1 20->31         started        34 cmd.exe 1 20->34         started        74 arttronova23.duckdns.org 91.192.100.38, 4045, 49706, 49707 AS-SOFTPLUSCH Switzerland 24->74 76 192.168.2.1 unknown unknown 24->76 92 Installs a global keyboard hook 24->92 36 cmd.exe 24->36         started        file9 signatures10 process11 signatures12 106 Uses ping.exe to sleep 31->106 38 Microsoft Security Start.exe 3 31->38         started        40 PING.EXE 1 31->40         started        43 conhost.exe 31->43         started        108 Uses cmd line tools excessively to alter registry or file data 34->108 110 Uses ping.exe to check the status of other devices and networks 34->110 45 reg.exe 1 34->45         started        48 conhost.exe 34->48         started        50 conhost.exe 36->50         started        52 reg.exe 36->52         started        process13 dnsIp14 54 Microsoft Security Start.exe 2 1 38->54         started        78 127.0.0.1 unknown unknown 40->78 104 Disables UAC (registry) 45->104 signatures15 process16 signatures17 94 Detected Remcos RAT 54->94 96 Writes to foreign memory regions 54->96 98 Allocates memory in foreign processes 54->98 100 Injects a PE file into a foreign processes 54->100 57 cmd.exe 1 54->57         started        60 iexplore.exe 54->60         started        process18 signatures19 102 Uses cmd line tools excessively to alter registry or file data 57->102 62 conhost.exe 57->62         started        64 reg.exe 1 57->64         started        process20
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-01 04:10:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 25 (72.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eq22757gshzi4wy6tb4a7xtx4lljb4ei6aqf62ngjdd6vjk66b3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:27th sept evasion persistence rat trojan
Link:
https://tria.ge/reports/221001-jh493afff5/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
arttronova23.duckdns.org:4045
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4a1d95f1-b73b-4f16-a980-2c6456daa14b
Unpacked files
SH256 hash:
b72bed7c12c7f945e6f07f90251fc4e113e31f556234775da2663c8c683230cf
MD5 hash:
59bf0214261e9d0aa7e30ab2c15c42f6
SHA1 hash:
43c486bb6a5a81d58c34dc14d9830b2dfda9342a
Detections:
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/931056a6-b156-48a4-9ee7-e002f2490a9e/
SH256 hash:
6f3bc5b2b989fe7e831e775f3a24961e87b90169fe2c02459c7b2cecd211329b
MD5 hash:
7bf59101feb3005a494ccde66fe846b4
SHA1 hash:
ba8f0b14cb0733a72a7c377a6b1b2d6d36c4f28e
Link:
https://www.unpac.me/results/931056a6-b156-48a4-9ee7-e002f2490a9e/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/931056a6-b156-48a4-9ee7-e002f2490a9e/
SH256 hash:
5734d49993bf25a5054b711cd7e800c11c71178c6d655c06c9b9d1237cbcca91
MD5 hash:
ebe4fa5500348e8efa8f3fa9a255d937
SHA1 hash:
4692e0199480a7a7347b6411ead5bae0f92312d3
Link:
https://www.unpac.me/results/931056a6-b156-48a4-9ee7-e002f2490a9e/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/931056a6-b156-48a4-9ee7-e002f2490a9e/
SH256 hash:
2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076
MD5 hash:
90eef380ebfe77f3a189446cdb907216
SHA1 hash:
f628403ea5379cc9d1846dcab1a87aacf80275c3
Link:
https://www.unpac.me/results/931056a6-b156-48a4-9ee7-e002f2490a9e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2435aff7e691/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2272201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/315429/

Comments