MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cfa9eb315e50a447c89fae1ca2850a61cf7f34b2f0b77b6c9ea20bb9ca86712. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cfa9eb315e50a447c89fae1ca2850a61cf7f34b2f0b77b6c9ea20bb9ca86712
SHA3-384 hash: a1245946d71f20d67f8adaf1cd578f003dba31282991974c56179d6089efcb875c585c7e05b7b60482b81c85cb39154e
SHA1 hash: 9fa7ec155e1d0f4e96b7628096598dcaee1dd336
MD5 hash: 21fbd3320b4c50696a76f24b65ff9dc9
humanhash: finch-wyoming-queen-wolfram
File name:K.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'421'312 bytes
First seen:2022-10-20 12:44:01 UTC
Last seen:2022-10-21 08:32:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:R4Vg9p36ZO1Z2PjHm9K0kOpnInWZQzjFeM6DJOjB9sTTHyObjUleyF:EHm00kOpnInYQb6VOMQF
Threatray 3'301 similar samples on MalwareBazaar
TLSH T13465B4B291A78193F6078D816268BED519B134A3BCC9087D532F6741CFBFDA4398C64E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2b53515161496d23 (10 x Formbook, 6 x RemcosRAT, 4 x AgentTesla)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
K.exe
Verdict:
Malicious activity
Analysis date:
2022-10-20 12:44:46 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/9ae0d3a5-b607-4b43-952d-5b2354dd0732

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321984/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching a service
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the system32 subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63514294898b0652a4b91e82/reports/cc06950e-e48c-403d-8383-54933d05f6e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d243a168-f798-4908-b2e2-de0025ced8aa
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094132
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 726762 Sample: K.exe Startdate: 20/10/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 8 other signatures 2->58 7 K.exe 1 5 2->7         started        11 Ewxrpfqp.exe 2 2->11         started        13 Ewxrpfqp.exe 1 2->13         started        process3 file4 40 C:\Users\user\AppData\...wxrpfqp.exe, PE32 7->40 dropped 42 C:\Users\...wxrpfqp.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\...\K.exe.log, ASCII 7->44 dropped 60 Encrypted powershell cmdline option found 7->60 62 Injects a PE file into a foreign processes 7->62 15 K.exe 2 7->15         started        18 powershell.exe 16 7->18         started        64 Antivirus detection for dropped file 11->64 66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 20 powershell.exe 13 11->20         started        22 Ewxrpfqp.exe 11->22         started        24 Ewxrpfqp.exe 11->24         started        26 powershell.exe 13 13->26         started        28 Ewxrpfqp.exe 13->28         started        30 Ewxrpfqp.exe 13->30         started        32 Ewxrpfqp.exe 13->32         started        signatures5 process6 dnsIp7 46 10.4.249.49, 25298 unknown unknown 15->46 48 103.231.91.59, 25298, 49699, 49702 INTERGRID-AS-APIntergridGroupPtyLtdAU Australia 15->48 50 127.0.0.1 unknown unknown 15->50 34 conhost.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 26->38         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cfa9eb315e50a447c89fae1ca2850a61cf7f34b2f0b77b6c9ea20bb9ca86712/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 11:17:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ft5j5myv4ufei7ej7lq4ukcquyopp42lf4fxpnwj5iqlxhfim4ja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
15170d0dbe467efc4e38156ed4e03702ae19af44c100d7df7a75c6dbdb7ac587
RemcosRAT
34ff7d92c1c335d251ad12780ccc8fb3a10430fc20cfbb0ff55c40128ffe9a81
RemcosRAT
35b6bec4bfea1f07eb6503906211427d048f6ceb10c3eb9c984799501d1f3f73
RemcosRAT
4fe8c8398a6cf30cfd7cbed590de821abdb40aa177781c43c19bdfec75308355
RemcosRAT
522a495b289cf22898f762f18571b8839194e6232cb80fbb28dc426cbeeee323
RemcosRAT
56b9e1a9f0704305007504a26661905930387fc49d0fb0f9938d28fd1d46e60a
RemcosRAT
766ab97dc545207fe08d285356fa47298904585e8f2690c7d0532d0456d40fb6
RemcosRAT
ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
RemcosRAT
c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
RemcosRAT
f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163
RemcosRAT
+ 3'291 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:kelzy persistence rat
Link:
https://tria.ge/reports/221020-pygrladhgk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
10.4.249.49:25298
127.0.0.1:25298
103.231.91.59:25298
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68d81bc6-113a-4fea-939b-c55797aca6ac
Unpacked files
SH256 hash:
0cf7c11d2338603d2a0b78d15ea7ec00e63e645bd446d1a614b80027c76b7a2c
MD5 hash:
0ca8f1966429933a3ca545668b5518e7
SHA1 hash:
629d39cac6c7582335a31a64ab41c4fd0379a409
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/16ecef3b-6c6a-4901-bdf1-10c81138bc31/
SH256 hash:
279f9cc97d3094a594f3ad10d0c62b066acced5653e0c1059c62e60254b3d061
MD5 hash:
9d8c266606832badcc23503bfd536cb1
SHA1 hash:
7cb75431d0f80f5b806aaedce3ee7a8f9a4abb80
Link:
https://www.unpac.me/results/16ecef3b-6c6a-4901-bdf1-10c81138bc31/
SH256 hash:
376ad8326e814d2ebcfb84d6213c1a0f7382b912d1484362eef7edda7159da49
MD5 hash:
575e629dcdf55f1a912c48dd6fe0f82c
SHA1 hash:
2b0db19d3407daec446f2b98fbb5cbb91ab6fef5
Link:
https://www.unpac.me/results/16ecef3b-6c6a-4901-bdf1-10c81138bc31/
SH256 hash:
2cfa9eb315e50a447c89fae1ca2850a61cf7f34b2f0b77b6c9ea20bb9ca86712
MD5 hash:
21fbd3320b4c50696a76f24b65ff9dc9
SHA1 hash:
9fa7ec155e1d0f4e96b7628096598dcaee1dd336
Link:
https://www.unpac.me/results/16ecef3b-6c6a-4901-bdf1-10c81138bc31/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2cfa9eb315e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cfa9eb315e50a447c89fae1ca2850a61cf7f34b2f0b77b6c9ea20bb9ca86712

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2cfa9eb315e50a447c89fae1ca2850a61cf7f34b2f0b77b6c9ea20bb9ca86712

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321984/

Comments