MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf3a30082e2021b2cf956. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf3a30082e2021b2cf956
SHA3-384 hash:	045f2826b5a53f7803fd01cc502daf3b60744521be96e6b08dc1bbc5b00402dc9ac724183b4f8237c1055b654b2e6724
SHA1 hash:	09b6fa4f68d814c9af1f859de84b265fed2034cf
MD5 hash:	41e52f95b20af2d8d27ec87d69e6c593
humanhash:	fourteen-eleven-hotel-wyoming
File name:	3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	949'248 bytes
First seen:	2021-06-21 16:36:33 UTC
Last seen:	2021-06-21 17:43:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:5vu2X2X2X2n2X2X2zBebayL35eqAfwwWF:Lmmm2mmzBsL3MXI
Threatray	2'297 similar samples on MalwareBazaar
TLSH	A415AE2436E96B18F0BB9B7B89E42581D7FEFD13A712C45D2CD522CE4662F80DA50336
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
191.91.56.184:2047

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
191.91.56.184:2047	https://threatfox.abuse.ch/ioc/138358/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf.exe

Verdict:

No threats detected

Analysis date:

2021-06-21 16:39:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/532c5c19-389a-4328-ad8b-7d7bba972d5e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/167346/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.18792.12051.11502.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50a6fa5f-fce1-4990-b6af-b6cb64ca22ea

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/805466

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Performs DNS queries to domains with low reputation

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf3a30082e2021b2cf956/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2021-06-21 16:37:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gbyluuvjxzd3lx5ebcajl4htlat2htaslegphiyaqlraegzm7fla._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0b7eaab988ec406ce0b6df31d9abdc68e535c529c6ac5b5a5c9deb4e4fbe6611

RemcosRAT

4579780c18fb273fd0884237c7a4021dbbb38494194d8c1840449e8a62d29251

RemcosRAT

4fe8c8398a6cf30cfd7cbed590de821abdb40aa177781c43c19bdfec75308355

RemcosRAT

522a495b289cf22898f762f18571b8839194e6232cb80fbb28dc426cbeeee323

RemcosRAT

833b575dac3a049ede0d27e2ff801d2e8d647cf04006f0037e1a9c71d7c8ace4

RemcosRAT

ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9

RemcosRAT

c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

RemcosRAT

cee5cdde8972799268ab97a77880793470dfc0d93c5e697bb66f83b6675f51ba

RemcosRAT

e0d4ce0316734fce0ea0d950f0ff1b4182f1364d581c549a199ac041cfe68ebb

RemcosRAT

+ 2'287 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:marzo evasion rat

Link:

https://tria.ge/reports/210621-4tpbgfbnp6/

Behaviour

Creates scheduled task(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Remcos

Malware Config

C2 Extraction:

ruthy.qdp6fj1uji.xyz:2047

Unpacked files

SH256 hash:

947617c2d71213d2702e3460a91d55a574c12a988d2b9f258d7701b9a552b983

MD5 hash:

7d006bae09c78c2a6980eccff9c27cc0

SHA1 hash:

e2d45c223660f4d80fff29d5fa98d8b38e7e3663

Link:

https://www.unpac.me/results/3e0bc529-fd34-4476-8bcb-a17b4dd5304b/

SH256 hash:

3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf3a30082e2021b2cf956

MD5 hash:

41e52f95b20af2d8d27ec87d69e6c593

SHA1 hash:

09b6fa4f68d814c9af1f859de84b265fed2034cf

Link:

https://www.unpac.me/results/3e0bc529-fd34-4476-8bcb-a17b4dd5304b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3070ba52a9be47b5dfa4088095f0f35827a3cc12590cf3a30082e2021b2cf956

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/167346/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample