MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f
SHA3-384 hash: 2edf06d9e4ff7f20f8f8fe92113f4a187dfc6830ac5c59cd4591833ba5780d887b2b2c37a035d9963485f0592d5c9105
SHA1 hash: 6f77809c678265c7beaa9bfd7f8eabffc78513e8
MD5 hash: 99e19c4a4a8a972005902bf6129867e9
humanhash: one-massachusetts-emma-orange
File name:1.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:94'208 bytes
First seen:2023-02-20 05:59:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3a62971944197f0701c7049a9c739d1 (60 x RemcosRAT)
ssdeep 1536:FhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6:7hzYTGWVvJ8f2v1TbPzuMsIFSHNThy+A
Threatray 396 similar samples on MalwareBazaar
TLSH T1CE93C713FA4AD0B2E42591F146426F32CEBCBC3636492173D38FCA419D79892D456EBE
TrID 33.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
14.0% (.SCR) Windows screen saver (13097/50/3)
11.2% (.EXE) Win64 Executable (generic) (10523/12/4)
7.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter r3dbU7z
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2023-02-20 06:02:01 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/8e4e065d-03cb-4bee-b3f7-12ba459006de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368280/
Detection(s):
Win.Malware.Rescoms-6598304-0
Create hunting rule

Win.Malware.Zusy-6832224-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71760/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe eventvwr.exe explorer.exe fingerprint greyware keylogger neshta remcos shell32.dll virus
Link:
https://www.filescan.io/uploads/63f30c65b53d126ad263419e/reports/327c0af7-8ea9-43d0-948a-90a11a63ccbd/overview
Verdict:
Malicious
Labled as:
BKDR_SOCMER.SM
Link:
https://www.hybrid-analysis.com/sample/334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2eaaf349-2a3c-4ad7-82d9-373ea0d5b8ae
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178950
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811776 Sample: 1.exe Startdate: 20/02/2023 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 8 other signatures 2->43 7 1.exe 4 5 2->7         started        11 svshost.exe 1 3 2->11         started        14 svshost.exe 2->14         started        16 6 other processes 2->16 process3 dnsIp4 29 C:\Windows\1877\svshost.exe, PE32 7->29 dropped 31 C:\Windows\1877\svshost.exe:Zone.Identifier, ASCII 7->31 dropped 59 Creates an undocumented autostart registry key 7->59 61 Contains functionality to detect virtual machines (IN, VMware) 7->61 63 Contains functionality to steal Chrome passwords or cookies 7->63 69 4 other signatures 7->69 18 cmd.exe 1 7->18         started        35 hawler.duckdns.org 5.206.227.115, 2404, 49698 DOTSIPT Portugal 11->35 65 Installs a global keyboard hook 11->65 67 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->67 file5 signatures6 process7 signatures8 45 Uses ping.exe to sleep 18->45 47 Drops executables to the windows directory (C:\Windows) and starts them 18->47 49 Uses ping.exe to check the status of other devices and networks 18->49 21 svshost.exe 18->21         started        24 PING.EXE 1 18->24         started        27 conhost.exe 18->27         started        process9 dnsIp10 51 Antivirus detection for dropped file 21->51 53 Multi AV Scanner detection for dropped file 21->53 55 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->55 57 6 other signatures 21->57 33 127.0.0.1 unknown unknown 24->33 signatures11
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f/
Threat name:
Win32.Backdoor.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 06:00:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
36 of 39 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gngchskptrsypyvp2bujpfw2vb4r7wu3qi5sha3iso4g6xgoqspq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
10aaa49fc2023480ff5a6a25e478df0c62bb3688ab615ca22839bdbf6a6ce745
RemcosRAT
1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957
RemcosRAT
34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566
RemcosRAT
57fbc090b3644bb9760b859c6bbdc8486892d10736adcc1dd6dca642e218acf7
RemcosRAT
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
RemcosRAT
9b4e0cad23b2c41bd726eb2f42720dce6e81e122370b52d07bd57d8a834b3f78
RemcosRAT
b81b2885828a95d83e21c5e30ada433fc502c76e469229136a588dc21f047ec8
RemcosRAT
e3d805e701266e0b8b17d850419bdfa89045096e8e1dc7ea0295ff843be281db
RemcosRAT
f79d3098bfb090b6aaa390943e247178f3acff7c8214467df000cd3f102a2382
RemcosRAT
+ 386 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:1877 evasion persistence rat
Link:
https://tria.ge/reports/230220-gqbllshc8v/
Behaviour
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Modifies WinLogon
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds policy Run key to start application
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies WinLogon for persistence
Remcos
Malware Config
C2 Extraction:
hawler.duckdns.org:2404
5.206.227.115:2404
Unpacked files
SH256 hash:
334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f
MD5 hash:
99e19c4a4a8a972005902bf6129867e9
SHA1 hash:
6f77809c678265c7beaa9bfd7f8eabffc78513e8
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/9623a6d0-5c42-43cb-adc2-2f1f3ab89356/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/334c23c94f9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_Remcos_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 334c23c94f9c6587e2afd0689796daa8791fda9b823b23836893b86f5cce849f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368280/

Comments