MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c1b4ecbaa54efe17279804124a02f02062cf9d6ad11ef5985ded147465fdc89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c1b4ecbaa54efe17279804124a02f02062cf9d6ad11ef5985ded147465fdc89
SHA3-384 hash: 1362a11580d279fe1567955b8b1fe6fa87641138b13c975e86a524caee39241e63bd355a8f64d662bd881201fdee6a7e
SHA1 hash: 211a313097df0914d4eddb74c59d568f6ebc0c8f
MD5 hash: 1d170db40579e971d6a583cbecc17b68
humanhash: fanta-india-avocado-maine
File name:TByxAz9usNE2f3w.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'395'200 bytes
First seen:2022-12-29 19:32:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:x4q710G27FYUvIO9T1uI2qKeFXiBs0OSr4CuLUE8zdrLQlZN:LE7PwMCqdFyBtq4E8p4N
Threatray 4'593 similar samples on MalwareBazaar
TLSH T1E6558C86B130758DEC8780B7AD990D70F1D02C6A9A1386429233AF5BBF8D4978F785F5
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4903292e2ccb4c0 (13 x Formbook, 8 x AgentTesla, 4 x NanoCore)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
TByxAz9usNE2f3w.exe
Verdict:
Malicious activity
Analysis date:
2022-12-29 19:34:10 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/7e57ff74-5b95-4838-8184-01465dcb9446

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63adeb7106f34cc0fa526018/reports/5594411e-d5f3-4a51-8c02-21cdea1a0361/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/50be75e3-ea64-422a-a7a6-55b8afbf84fa
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1142867
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775599 Sample: TByxAz9usNE2f3w.exe Startdate: 29/12/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->53 55 6 other signatures 2->55 7 TByxAz9usNE2f3w.exe 7 2->7         started        11 vzyYuaUDmnAOBc.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\vzyYuaUDmnAOBc.exe, PE32 7->37 dropped 39 C:\...\vzyYuaUDmnAOBc.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp8177.tmp, XML 7->41 dropped 43 C:\Users\user\...\TByxAz9usNE2f3w.exe.log, ASCII 7->43 dropped 57 Detected unpacking (changes PE section rights) 7->57 59 Detected unpacking (overwrites its own PE header) 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 69 2 other signatures 7->69 13 TByxAz9usNE2f3w.exe 2 15 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 23 schtasks.exe 11->23         started        25 vzyYuaUDmnAOBc.exe 11->25         started        27 vzyYuaUDmnAOBc.exe 11->27         started        signatures5 process6 dnsIp7 45 45.81.39.21, 2404, 49699 LVLT-10753US United States 13->45 47 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 13->47 71 Installs a global keyboard hook 13->71 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c1b4ecbaa54efe17279804124a02f02062cf9d6ad11ef5985ded147465fdc89/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-12-29 19:33:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqnu5s5kktx6c4tzqbasjibpaidcz6owvui66wmf33iuors73seq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
RemcosRAT
5cf08a64c8bddc68665dad7e028a4fe97ebb70d208fba0c83d83af83f38427a2
RemcosRAT
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
RemcosRAT
7d6e946592986be2a5f72c17860a55fcd18a8a42aa9b8ae32069627ad2539796
RemcosRAT
8758be9f226102217b3f28ffc1d6093dac1c9d5e8b3de32d85d150204169c10d
RemcosRAT
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28
RemcosRAT
a6655fefe6b0b32d5c94627d3b83a0d446fa329b162ac7f8409a1b8827b63abc
RemcosRAT
c8ce7d7a1b3511466f838f2b09f1a644ac2ceaa09f508a81a601cc5c576e18d4
RemcosRAT
da6d125701d41e2b9d6d9931b4747bbf6b3b4a6c0ca26311c7983fad94e22ef5
RemcosRAT
df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38
RemcosRAT
+ 4'583 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:crypted rat
Link:
https://tria.ge/reports/221229-x9hr2adh98/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
45.81.39.21:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8dfad21a-dce8-440b-927a-9f1b44f7c4d3
Unpacked files
SH256 hash:
fc6485350cf55dc14ecbfd9b91b7a9979f61023b4104101e9f351caa6c73abaa
MD5 hash:
6c3fdb2b5d93cf814ea1b6ca05a0efcf
SHA1 hash:
f8ae5f9fa1c9b6b0e47b2f0873d2ee3373e0ebf5
Link:
https://www.unpac.me/results/45cc3c0a-a3b3-4a29-a403-1d30fdae86d5/
SH256 hash:
ac59950c3237207c59df4397079dbfbc4c3ef7241181de3ceb7d2d0fc9c4119d
MD5 hash:
3dbebe2e1fe337f3543ed48b63929b33
SHA1 hash:
ec40f71563fc8abc3c5b4e68174a4b76ef7b224c
Link:
https://www.unpac.me/results/45cc3c0a-a3b3-4a29-a403-1d30fdae86d5/
SH256 hash:
9d243bfd18f17bf43d5ef869954a693e24f640348fff3cb3cab3351773a96472
MD5 hash:
317e76531e3e7f25e04c72327f9a8cdc
SHA1 hash:
e4c308321bb3a2ed00201c8c849c0f00994d00c2
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/45cc3c0a-a3b3-4a29-a403-1d30fdae86d5/
SH256 hash:
0c908c3d00165f5119520b1ca2a8dd534c65db721c4073cb69a0027f5c4c1946
MD5 hash:
68327008159698d3c9119cef5cb0518a
SHA1 hash:
d3be9917ce2ecc37589e9ccaa515e8edd9b03342
Link:
https://www.unpac.me/results/45cc3c0a-a3b3-4a29-a403-1d30fdae86d5/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/45cc3c0a-a3b3-4a29-a403-1d30fdae86d5/
SH256 hash:
2c1b4ecbaa54efe17279804124a02f02062cf9d6ad11ef5985ded147465fdc89
MD5 hash:
1d170db40579e971d6a583cbecc17b68
SHA1 hash:
211a313097df0914d4eddb74c59d568f6ebc0c8f
Link:
https://www.unpac.me/results/45cc3c0a-a3b3-4a29-a403-1d30fdae86d5/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c1b4ecbaa54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c1b4ecbaa54efe17279804124a02f02062cf9d6ad11ef5985ded147465fdc89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2c1b4ecbaa54efe17279804124a02f02062cf9d6ad11ef5985ded147465fdc89

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments