MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881
SHA3-384 hash: 05d09b744be600daf03e2f67bcdc4b81ee317336ee79885663359feb1adbbd245779f8fd24d3534e60242f1365143201
SHA1 hash: e03a9f658327fc96d774ae19d714add257a10d88
MD5 hash: 2f4a3782d2ab90126ff927026dac5077
humanhash: montana-sodium-beryllium-fourteen
File name:2f4a3782d2ab90126ff927026dac5077
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:834'560 bytes
First seen:2022-08-11 09:19:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:EoFor+A0cb27/9DAx35L4Zk9ykn72GU7VfsLjuGBBMoryNvzJ34rZC87cUCCI5Yy:P1W5LGknaGgsv1WgSTz57
Threatray 1'616 similar samples on MalwareBazaar
TLSH T18D052344079587BCC9AE167C048142641338EB02B2B6D75C2FE664FEEEB77B6422639D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
355
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
2f4a3782d2ab90126ff927026dac5077
Verdict:
Malicious activity
Analysis date:
2022-08-11 09:21:28 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/99b1d11b-a656-42e7-9319-cf1192d19184

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297927/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.38260.13740.9068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f4ca3fe4e65a67c49e7407/reports/9c99c75b-9b13-417d-aa6f-48acc54ba28b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fd545bd-bcc4-442f-93b8-e84b42344910
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1049821
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682330 Sample: T0e8hPld1P Startdate: 11/08/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 6 other signatures 2->67 10 T0e8hPld1P.exe 3 2->10         started        13 yos.exe 2 2->13         started        15 yos.exe 2 2->15         started        17 yos.exe 2 2->17         started        process3 file4 55 C:\Users\user\AppData\...\T0e8hPld1P.exe.log, ASCII 10->55 dropped 19 T0e8hPld1P.exe 5 4 10->19         started        22 T0e8hPld1P.exe 10->22         started        24 T0e8hPld1P.exe 10->24         started        26 yos.exe 13->26         started        28 yos.exe 13->28         started        30 yos.exe 15->30         started        32 yos.exe 15->32         started        34 yos.exe 17->34         started        process5 file6 49 C:\Users\user\AppData\Roaming\yos.exe, PE32 19->49 dropped 51 C:\Users\user\...\yos.exe:Zone.Identifier, ASCII 19->51 dropped 53 C:\Users\user\AppData\Local\...\install.vbs, data 19->53 dropped 36 wscript.exe 1 19->36         started        process7 process8 38 cmd.exe 1 36->38         started        process9 40 yos.exe 3 38->40         started        43 conhost.exe 38->43         started        signatures10 69 Multi AV Scanner detection for dropped file 40->69 71 Machine Learning detection for dropped file 40->71 45 yos.exe 2 14 40->45         started        process11 dnsIp12 57 skygroupt6.zapto.org 208.67.104.93, 2080, 49765 GRAYSON-COLLIN-COMMUNICATIONSUS United States 45->57 59 geoplugin.net 178.237.33.50, 49766, 80 ATOM86-ASATOM86NL Netherlands 45->59 73 Installs a global keyboard hook 45->73 signatures13
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 21:37:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ewbabdgfmjvhjd2je3ijopy3j2qhc7srm7q7pgvejxapdchuncaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4cd864cf3d39baff963a023423237dd164ce0e5de001d1397031b74c3b26691e
RemcosRAT
703b4d505cd05c228e0cf681a542262dc98211cf2e4eb26102283b5b7efa29ee
RemcosRAT
9433ec5758b48a6193b6b80ac03df0acf553d2ebeba04d84b6dbec9558a6e035
RemcosRAT
dfdfddf99781b2553c12dc0eaa764c585279eaa29b70654a11bdc238b6af945e
RemcosRAT
dff9dfa64f1a603197abded9f5942b83efab0c71520a4fe028ba8fb79cfe7b11
RemcosRAT
e0a8b8380ed35be0a267e659c87dc6f909981f9100f679515de3d8e550f5da61
RemcosRAT
f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f
RemcosRAT
f8480782b1b2b869552f1858e2e8b56a1244997a1ee66be040e99f426982d403
RemcosRAT
+ 1'606 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:vk host persistence rat
Link:
https://tria.ge/reports/220811-larp4sddeq/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
skygroupt6.zapto.org:2080
Unpacked files
SH256 hash:
c58aee2c4e8a61e9ffd43e86107d23962ade285007282487241eb4b7d4130861
MD5 hash:
e3e5d646e2bb68b45537657456e149fb
SHA1 hash:
f960c490f6fdd3fa9e4e72fe96b198f6a06207ca
Link:
https://www.unpac.me/results/c909f1e0-f080-41d4-bd97-8f195b985781/
SH256 hash:
05951e3894a0d817a17bd7324ceecc02bd9185edf10b4b660042e193152acc29
MD5 hash:
ef6f8dc21e1a9268ac2bf76a55e19a4d
SHA1 hash:
7c568fb3e04564ee4dbbfc7ab2a5f66fb859dcd4
Link:
https://www.unpac.me/results/c909f1e0-f080-41d4-bd97-8f195b985781/
SH256 hash:
a751eee92c9877c69db072a1e8080c9bcbe1bf2d4eb37a941485fe83a24b9b6b
MD5 hash:
b5f1707c33fedd30d2f237d84f4ec087
SHA1 hash:
6f7d289ec3015be9fc528f636db0d486404b75cc
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c909f1e0-f080-41d4-bd97-8f195b985781/
SH256 hash:
44743dda09e3d58941f2330a4e3d11641a9cd1cb41306f30dd2575a17ccaec19
MD5 hash:
4e48d643ecc61d79cbff0d725c81ad88
SHA1 hash:
9c53f29dcfb790898ec9d90b8a77547064786e4e
Link:
https://www.unpac.me/results/c909f1e0-f080-41d4-bd97-8f195b985781/
SH256 hash:
2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881
MD5 hash:
2f4a3782d2ab90126ff927026dac5077
SHA1 hash:
e03a9f658327fc96d774ae19d714add257a10d88
Link:
https://www.unpac.me/results/c909f1e0-f080-41d4-bd97-8f195b985781/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2582008cc562/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/297927/
  
URLhaus
https://urlhaus.abuse.ch/url/2271642/

Comments


Avatar
zbet commented on 2022-08-11 09:19:50 UTC

url : hxxp://208.67.104.129/50/vbc.exe