MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc
SHA3-384 hash: c205aaded374c62ce248debb3fb7d58a18fbee7148d9cae55a977bba253e9d88ffdacb9e05ec3b6f1908ba0f4d405c32
SHA1 hash: 5bf1ca48ae57ba2795669cac270bd9ac798440de
MD5 hash: d1ae1618e12b6902371719dbfe9805e8
humanhash: vegan-carpet-bluebird-comet
File name:ConsoleApp3.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:651'776 bytes
First seen:2021-06-30 21:21:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:TEFVzMFGBlfH4YoaJoTTS1Fu66M+ioVWnQhJqyx+r3LAao4p3MANVy3H4c4:AaGBVH4YozTTWiMToVWnQvq33L5o4Gc7
Threatray 287 similar samples on MalwareBazaar
TLSH F3D423617A14E4E1E5880675E1DB61904670EE4A51A2EADEECCF33FF04623FA454EF0B
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ConsoleApp3.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 21:22:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24f028a6-d4b7-44f4-b094-b48fd7d2b49a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169008/
Detection(s):
SecuriteInfo.com.Variant.Bulz.541197.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73e1919d-c300-4a47-8f92-099143382234
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810240
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 442648 Sample: ConsoleApp3.exe Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 51 freightmgmt.duckdns.org 2->51 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 7 other signatures 2->71 9 ConsoleApp3.exe 4 9 2->9         started        13 notepads.exe 5 2->13         started        15 notepads.exe 2->15         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\notepads.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\ConsoleApp3.exe, PE32 9->39 dropped 41 C:\Users\...\notepads.exe:Zone.Identifier, ASCII 9->41 dropped 47 3 other malicious files 9->47 dropped 73 Writes to foreign memory regions 9->73 75 Injects a PE file into a foreign processes 9->75 17 ConsoleApp3.exe 2 5 9->17         started        21 wscript.exe 1 9->21         started        43 C:\Users\user\AppData\Local\...\notepads.exe, PE32 13->43 dropped 45 C:\Users\...\notepads.exe:Zone.Identifier, ASCII 13->45 dropped 77 Multi AV Scanner detection for dropped file 13->77 79 Machine Learning detection for dropped file 13->79 23 notepads.exe 13->23         started        25 notepads.exe 13->25         started        27 notepads.exe 13->27         started        29 notepads.exe 15->29         started        signatures6 process7 dnsIp8 49 freightmgmt.duckdns.org 194.5.98.207, 49737, 49743, 49746 DANILENKODE Netherlands 17->49 53 Multi AV Scanner detection for dropped file 17->53 55 Machine Learning detection for dropped file 17->55 57 Contains functionality to steal Chrome passwords or cookies 17->57 63 3 other signatures 17->63 31 wscript.exe 17->31         started        59 Wscript starts Powershell (via cmd or directly) 21->59 33 powershell.exe 24 21->33         started        61 Installs a global keyboard hook 25->61 signatures9 process10 process11 35 conhost.exe 33->35         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 21:21:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
13 of 46 (28.26%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxl2b45iyajtrniaxcgaenla6rumru6gdyj7wwtokxvlneeh466a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605
RemcosRAT
4e4463e40d78f3eb63012ed1f3aa7727d98ff68fc9c7b69cf6c0f482c9483476
RemcosRAT
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0
RemcosRAT
57bbdab22d9197c60e2bb9aa35a36321276518c07716a71a0c7005944473a03d
RemcosRAT
8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a
RemcosRAT
8fabd89f985aae235b63098a58da4c32773e2aa81aae19f1e27467fd8924fc33
RemcosRAT
9d723e0a80c89b6da6e4c9aa6028ee70cce510dc0fb2fac794b155a56c6f6339
RemcosRAT
a0fd8f81cda85af9221734e97a18c29c25a53020517d507ada3e3a1681036e54
RemcosRAT
ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2
RemcosRAT
f198970271e10830bafa86eccc5ce43e5075a15ed43f4e1924d0e8e0824f218b
RemcosRAT
+ 277 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ach persistence rat
Link:
https://tria.ge/reports/210630-tkhnkmshba/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Remcos
Malware Config
C2 Extraction:
freightmgmt.duckdns.org:691
Unpacked files
SH256 hash:
6d5a5855103f27d9a5c69035ffaac4de5eb49e77c26996d47cfce1f99b5ba47c
MD5 hash:
886dde718e2fdbad9decd783d699c404
SHA1 hash:
eebdac858994827d99e1db92639fb0c1ffdf8e97
Link:
https://www.unpac.me/results/41ce9f41-442f-4aa2-bdd8-8355c04c6f6a/
SH256 hash:
d1ce81f10b667543c28f5d134b32f6c9229411aa7a326332a4ca59ef329ddd62
MD5 hash:
57346dfe9557d16b5b52d2c9a2f92c72
SHA1 hash:
ed7dde2246b696eca82f1254484720aea190f72a
Link:
https://www.unpac.me/results/41ce9f41-442f-4aa2-bdd8-8355c04c6f6a/
SH256 hash:
421ad176c2c7c73ee07ce79790764f10fab964f1f19339aa5c5c116cc5aa6313
MD5 hash:
addd773440a23c6e8132b621c084fc8b
SHA1 hash:
92da4876676489887a4fb5226ebde25b54ba3b54
Link:
https://www.unpac.me/results/41ce9f41-442f-4aa2-bdd8-8355c04c6f6a/
SH256 hash:
c07f2ba2c8a6a69283dcbde7d009fe78663a88e9f12000f9571af86c98475f5e
MD5 hash:
6e27333d44a472783cdb488cd8dfb721
SHA1 hash:
226fa3d19c6316f47b1379d06bbb190c7fff4151
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/41ce9f41-442f-4aa2-bdd8-8355c04c6f6a/
Parent samples :
2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc
129b7cf64e3afecabb3a0c27fedc69cbade9c81ce3c0a5da367717bdef49f7c9
5c85d31e96aa84a80c123af889f960bbf39a7c13a2ed9e2d9644ad2e3fa366de
8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7
4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1
7f03d6f5a38d18082c3dd60b773921aecd203a839446a4aca4908309a004b4a4
ac0afc6e6de1b0682478fe38c23f21578acc6e6f1f43f8bf56d2bd400b69237a
SH256 hash:
2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc
MD5 hash:
d1ae1618e12b6902371719dbfe9805e8
SHA1 hash:
5bf1ca48ae57ba2795669cac270bd9ac798440de
Link:
https://www.unpac.me/results/41ce9f41-442f-4aa2-bdd8-8355c04c6f6a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/169008/
  
URLhaus
https://urlhaus.abuse.ch/url/1415689/

Comments