MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 328416227365099ac5736edbc9060985cd39d185560060a270dc1138cffae8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 328416227365099ac5736edbc9060985cd39d185560060a270dc1138cffae8b1
SHA3-384 hash: d31bfd9a8b2a5f9074ec5c265086a5611b6160dcc43d97cdb5e4bb09a1d98b9fa0d7b9a61e27b40d57ce5ebef85fd0ca
SHA1 hash: 9de0f5fbac104789f2327b500ac529a03dcfc4ef
MD5 hash: 49911baa880817519e92ac7cc42320d9
humanhash: april-equal-don-utah
File name:49911baa880817519e92ac7cc42320d9.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:441'344 bytes
First seen:2021-09-28 11:35:10 UTC
Last seen:2021-09-28 13:07:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:dLLNi+hBr7IUAhyLtZ3yQZoCHOaPz3SS:JLNi+hBr8UAILTiinuHS
Threatray 2'115 similar samples on MalwareBazaar
TLSH T11E947CDE1C64A7DFFB1E05F8FA79279C01ABD028D8EBB5C3D606B0331066A695924CC5
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Teklif Cikti Formu 6100006322.doc
Verdict:
Malicious activity
Analysis date:
2021-09-28 10:10:48 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/ae9a7b7f-458a-4447-a88b-ce609478cd10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1048.31296.5585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d104db0f-b437-429a-8a66-57fa4aef913f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859811
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492243 Sample: LReoqg0ORb.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 12 other signatures 2->86 11 LReoqg0ORb.exe 3 2->11         started        15 Windows NT Audio Jack Device Pictures.exe 2 2->15         started        17 Windows NT Audio Jack Device Pictures.exe 2 2->17         started        process3 file4 70 C:\Users\user\AppData\...\LReoqg0ORb.exe.log, ASCII 11->70 dropped 94 Contains functionality to detect virtual machines (IN, VMware) 11->94 96 Contains functionality to steal Chrome passwords or cookies 11->96 98 Contains functionality to capture and log keystrokes 11->98 102 2 other signatures 11->102 19 LReoqg0ORb.exe 1 5 11->19         started        100 Drops executables to the windows directory (C:\Windows) and starts them 15->100 23 Windows NT Audio Jack Device Pictures.exe 15->23         started        25 Windows NT Audio Jack Device Pictures.exe 15->25         started        27 Windows NT Audio Jack Device Pictures.exe 17->27         started        signatures5 process6 file7 66 Windows NT Audio J...Device Pictures.exe, PE32 19->66 dropped 68 Windows NT Audio J...exe:Zone.Identifier, ASCII 19->68 dropped 90 Creates an autostart registry key pointing to binary in C:\Windows 19->90 29 cmd.exe 1 19->29         started        32 cmd.exe 1 19->32         started        signatures8 process9 signatures10 104 Uses ping.exe to sleep 29->104 34 Windows NT Audio Jack Device Pictures.exe 3 29->34         started        37 PING.EXE 1 29->37         started        40 conhost.exe 29->40         started        106 Uses cmd line tools excessively to alter registry or file data 32->106 108 Uses ping.exe to check the status of other devices and networks 32->108 42 reg.exe 1 32->42         started        45 conhost.exe 32->45         started        process11 dnsIp12 64 Windows NT Audio J...ce Pictures.exe.log, ASCII 34->64 dropped 47 Windows NT Audio Jack Device Pictures.exe 1 4 34->47         started        72 127.0.0.1 unknown unknown 37->72 92 Disables UAC (registry) 42->92 file13 signatures14 process15 dnsIp16 74 yjune2021.duckdns.org 194.5.97.131, 3030, 49749, 49821 DANILENKODE Netherlands 47->74 76 Detected Remcos RAT 47->76 78 Installs a global keyboard hook 47->78 51 cmd.exe 1 47->51         started        54 iexplore.exe 47->54         started        56 Windows NT Audio Jack Device Pictures.exe 47->56         started        58 2 other processes 47->58 signatures17 process18 signatures19 88 Uses cmd line tools excessively to alter registry or file data 51->88 60 conhost.exe 51->60         started        62 reg.exe 1 51->62         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/328416227365099ac5736edbc9060985cd39d185560060a270dc1138cffae8b1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 11:35:18 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04468aecad4b1a4865d357bb60a6d86060f9390418e9065ede079c1310b3f8f2
RemcosRAT
5bd13d385d28d048cdbec98575a445b4dedbe6224ce72a0e7cefc1fcd6d7cb7c
RemcosRAT
78d92182044f68431c3ce33c37d860fea24db56fe4cab4e51763ede61eee0c9b
RemcosRAT
94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
RemcosRAT
a015aa57b2e361f3b8e160f62783aa8dcc602a6798031bcb5112d77890d0b4fa
RemcosRAT
bf64d85bb26463c2ebb653a49ad44e0e9a456b5bf1c4070b046c5eef43502585
RemcosRAT
c10e72609ceae12c610e6c58a706c5bea0f962951e8366a8f6dee3cc42d0addd
RemcosRAT
d0ecbdd58eb20d1490dff0164d6a7ea8d16e75f4e6faeb1af3ded350386bba0c
RemcosRAT
f2c70a3f2300b0acf6d12d5f50cd4aff4520f73270b971010329b8177ef3bb9b
RemcosRAT
f5400b800544782acf9e16a80368cef1b36eed0e63fd0200523f3d38c54162e9
RemcosRAT
+ 2'105 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:post-vax brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/210928-np4pbsbhgr/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
yjune2021.duckdns.org:3030
Unpacked files
SH256 hash:
840fe7f75f1572ab8e34f8cc43701e6f09c40c99b3d7c34da86a69ee10fcc3c4
MD5 hash:
04dcd94f1aae2038fe50d0728216e1ed
SHA1 hash:
83fbc099b1b184f67c513fd3d8b636f80e88c6c7
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/936e445e-569c-42cb-b8db-f1961c8567c4/
SH256 hash:
cf4fade1c50850834c877d672199d6714ad56282c553fa528e1dd4b34f381589
MD5 hash:
9920f97f8adec025dfed513ab2acfa0c
SHA1 hash:
623a42b71a1d047005e47b904e3f97a5620b1b61
Link:
https://www.unpac.me/results/936e445e-569c-42cb-b8db-f1961c8567c4/
SH256 hash:
0e86649030ac9b6fd5e1a63f6b4a137be9b9aedccacaeb1add6e23a8593c5a5c
MD5 hash:
337dd3cd657bf31a857eba57f20af5f9
SHA1 hash:
16782e1373decc981b37491f6a7de74e1f35907b
Link:
https://www.unpac.me/results/936e445e-569c-42cb-b8db-f1961c8567c4/
SH256 hash:
6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash:
681eca96e4e7b513317178dc7065ef39
SHA1 hash:
24af82015bc57d125f1ccb759840118b2283d1dc
Link:
https://www.unpac.me/results/936e445e-569c-42cb-b8db-f1961c8567c4/
SH256 hash:
328416227365099ac5736edbc9060985cd39d185560060a270dc1138cffae8b1
MD5 hash:
49911baa880817519e92ac7cc42320d9
SHA1 hash:
9de0f5fbac104789f2327b500ac529a03dcfc4ef
Link:
https://www.unpac.me/results/936e445e-569c-42cb-b8db-f1961c8567c4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/328416227365/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/328416227365099ac5736edbc9060985cd39d185560060a270dc1138cffae8b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 328416227365099ac5736edbc9060985cd39d185560060a270dc1138cffae8b1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1640786/
  
Delivery method
Distributed via web download

Comments