MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 348a4cca3d114bf601910086493b389faf88ac8d00e7a7e04b4e8eb83f6bf9cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 348a4cca3d114bf601910086493b389faf88ac8d00e7a7e04b4e8eb83f6bf9cf
SHA3-384 hash: 4ad82bf3f277077aa36d9d5329c8a92797953088b51733863cc529f73c0ab6d7a8cf0fee95ce488a79fcdf25aaa3bea2
SHA1 hash: 50c5b2ed59dc3db6f12883e15aea0a3fd3bf962e
MD5 hash: 5d30226c0d37d52aa8b79c21c65da1bd
humanhash: oven-seventeen-oranges-fruit
File name:5d30226c0d37d52aa8b79c21c65da1bd.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:289'280 bytes
First seen:2021-11-19 08:41:21 UTC
Last seen:2021-11-19 10:35:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:IAaUZGMP8yd010jOuiKpLynoLEDwUfg1ic6RldJZmaCDv7pHINQygHpuOlIb69OS:IFa3FdVLEDSirRryvofgJuOpO1cw7LR
Threatray 2'159 similar samples on MalwareBazaar
TLSH T12C54F1062BA54B16C57E5BBC85B8101107FEF8166733FB0D5EA530DE29F73508A60BA7
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5d30226c0d37d52aa8b79c21c65da1bd.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-19 08:50:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5fce013a-9a19-4949-be42-d9defe194d63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.45775.20175.5621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6197635d2695a62af9f3aee3/reports/17163d01-a129-4a5e-84af-0101132bb552/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc0ded6a-2a90-48ae-9a5c-b0f4371362aa
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892528
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524999 Sample: 8mTwU7uNFV.exe Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 10 other signatures 2->92 11 8mTwU7uNFV.exe 3 2->11         started        15 Windows NT sessions.exe 2 2->15         started        process3 file4 70 C:\Users\user\AppData\...\8mTwU7uNFV.exe.log, ASCII 11->70 dropped 106 Contains functionality to detect virtual machines (IN, VMware) 11->106 108 Contains functionality to steal Chrome passwords or cookies 11->108 110 Contains functionality to capture and log keystrokes 11->110 116 2 other signatures 11->116 17 8mTwU7uNFV.exe 1 5 11->17         started        112 Drops executables to the windows directory (C:\Windows) and starts them 15->112 114 Injects a PE file into a foreign processes 15->114 21 Windows NT sessions.exe 3 15->21         started        signatures5 process6 dnsIp7 66 C:\Windows\...\Windows NT sessions.exe, PE32 17->66 dropped 68 Windows NT sessions.exe:Zone.Identifier, ASCII 17->68 dropped 94 Creates an autostart registry key pointing to binary in C:\Windows 17->94 24 cmd.exe 1 17->24         started        28 cmd.exe 1 17->28         started        74 yjune2021.duckdns.org 194.5.97.131, 3030, 49767 DANILENKODE Netherlands 21->74 96 Installs a global keyboard hook 21->96 30 cmd.exe 1 21->30         started        file8 signatures9 process10 dnsIp11 76 192.168.2.1 unknown unknown 24->76 100 Uses ping.exe to sleep 24->100 32 Windows NT sessions.exe 3 24->32         started        35 PING.EXE 1 24->35         started        38 conhost.exe 24->38         started        102 Uses cmd line tools excessively to alter registry or file data 28->102 104 Uses ping.exe to check the status of other devices and networks 28->104 40 conhost.exe 28->40         started        42 reg.exe 1 28->42         started        44 conhost.exe 30->44         started        46 reg.exe 1 30->46         started        signatures12 process13 dnsIp14 64 C:\Users\user\...\Windows NT sessions.exe.log, ASCII 32->64 dropped 48 Windows NT sessions.exe 2 1 32->48         started        51 Windows NT sessions.exe 32->51         started        53 Windows NT sessions.exe 32->53         started        72 127.0.0.1 unknown unknown 35->72 file15 process16 signatures17 78 Detected Remcos RAT 48->78 80 Writes to foreign memory regions 48->80 82 Allocates memory in foreign processes 48->82 84 Injects a PE file into a foreign processes 48->84 55 cmd.exe 1 48->55         started        58 iexplore.exe 48->58         started        process18 signatures19 98 Uses cmd line tools excessively to alter registry or file data 55->98 60 conhost.exe 55->60         started        62 reg.exe 1 55->62         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/348a4cca3d114bf601910086493b389faf88ac8d00e7a7e04b4e8eb83f6bf9cf/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 08:42:05 UTC
AV detection:
11 of 44 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5cc9057b964360d4cde63aeaf0ce296d789525322254f32d1fa3ab7ca5564d59
RemcosRAT
5d407049f81d3b75bf2d9eb7dc14662f533b1ca37d283e5ef50e001a7ac1f758
RemcosRAT
64fcc7461de4b7d1b808e54f840ffeacf441f9fcd50028b8f8efeb12709e90e8
RemcosRAT
68fc45a82df9a4260e3de70a73eed09f47e9a3fb0ca74d8d3c85d6579a7fa0be
RemcosRAT
91053757c5ad52912d0665dcd7cb2b35abe6e8b795bb7e6f821d0f241cb6be91
RemcosRAT
96c1fb2e2f6c0a3a183caa1e28e687301957b892eeee41e8c8334c2ef903073d
RemcosRAT
b3099759c07892975c904fa5ac378624560420e669cdc371f68fd84e78e1c929
RemcosRAT
eec7134cc1487d8774af92e127422beaadfda308d32039afaec0c815ca70dc5c
RemcosRAT
f0dfda469563597932daf1a344d2cce6b0ff271d4c8d280fb49cc4691f481410
RemcosRAT
f6810cca07d560fbf0cea321a8bea3316c1caf0c8fb36b9ed2f3c0415573acc2
RemcosRAT
+ 2'149 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:nov new evasion persistence rat trojan
Link:
https://tria.ge/reports/211119-kl179acgh7/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
yjune2021.duckdns.org:3030
Unpacked files
SH256 hash:
4c2d8595a9a326f0b5793bf642fe6d99eecf92f287ce87bccd84fc6b1fd4ba94
MD5 hash:
28d772c7e30f1015eee56196c3574455
SHA1 hash:
519e8d3b7b546d1ad53ee24f5152c7ea2fa86fb9
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/de6fb60d-68a3-4b7a-93cb-0360035c5645/
SH256 hash:
94ad77dcba2b5cbba6b51618d068cc0a4c4bb4ec1b130c3b86e1f72f5cffc563
MD5 hash:
15b273280d8056587f3fb2889ab26dca
SHA1 hash:
118e773d320fe349c90df20cdb727c070166bcd0
Link:
https://www.unpac.me/results/de6fb60d-68a3-4b7a-93cb-0360035c5645/
SH256 hash:
cc5c5860e83b708cd158454165cbeb714767119946049de5aa7677685be75c14
MD5 hash:
83cbea4dec6e5b64a85ee9b6f9ff7598
SHA1 hash:
5c1d12b792c32ba73b7bf2634da5e4d9fbcd7d4e
Link:
https://www.unpac.me/results/de6fb60d-68a3-4b7a-93cb-0360035c5645/
SH256 hash:
348a4cca3d114bf601910086493b389faf88ac8d00e7a7e04b4e8eb83f6bf9cf
MD5 hash:
5d30226c0d37d52aa8b79c21c65da1bd
SHA1 hash:
50c5b2ed59dc3db6f12883e15aea0a3fd3bf962e
Link:
https://www.unpac.me/results/de6fb60d-68a3-4b7a-93cb-0360035c5645/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/348a4cca3d11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/348a4cca3d114bf601910086493b389faf88ac8d00e7a7e04b4e8eb83f6bf9cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 348a4cca3d114bf601910086493b389faf88ac8d00e7a7e04b4e8eb83f6bf9cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1788030/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207559/

Comments