MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 369fb7c024c9009a015b69b40e87501395aa4a3c6cf4da5531c33c6840ebe5dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	369fb7c024c9009a015b69b40e87501395aa4a3c6cf4da5531c33c6840ebe5dd
SHA3-384 hash:	942ef3e7dfb7f5dcb521274185947b2838f4016624197fb723397375f8f5a0c25f679b954a58563abf409b1c40182277
SHA1 hash:	04d995b6f85007b84e6ce2ceb0de2444e2950019
MD5 hash:	2d154f50ebd6a7d9c2bcd83aed2d7945
humanhash:	oven-fourteen-hot-double
File name:	Document.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'089'536 bytes
First seen:	2022-05-04 16:31:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:O6ZHBHx2CLA7jyfZ6i4VdYMhODAia8je7vywf8mHQL8JZHBnZHBvZHBjZHBC:O6dX5eSHda+iPf8DL8Jd5dxd1d
Threatray	4'258 similar samples on MalwareBazaar
TLSH	T1B035D01DFCA3D553CA385BB34526D23803B22E446A11E1262E8977CF953EF73C9A5683
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

Document.exe

Verdict:

Malicious activity

Analysis date:

2022-05-04 16:33:31 UTC

Tags:

loader rat remcos keylogger

Link:

https://app.any.run/tasks/7694aa79-714d-47e2-81c8-91c489df6223

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/268685/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.26248.21069.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd.exe control.exe eventvwr.exe greyware keylogger obfuscated packed shell32.dll update.exe

Link:

https://www.filescan.io/uploads/6272aa5d2b32b1c37c93773e/reports/cc1001f6-632f-4bac-8ef9-898eb300e5f1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c96f3a93-7e97-4341-9364-462695e26b9b

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/987934

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/369fb7c024c9009a015b69b40e87501395aa4a3c6cf4da5531c33c6840ebe5dd/

Threat name:

Win32.Backdoor.CobaltStrike

Status:

Malicious

First seen:

2022-05-04 16:29:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g2p3pqbezeajuak3ng2a5b2qcok2usr4nt2nuvjrym6gqqhl4xoq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1ccf09551ed031fa0755e2d2c22e05f8136cce389c5b6585d3f3395041637389

RemcosRAT

5add188d307788b3a20ca00b39425d0c5a622326422a357c931eed78acc893e8

RemcosRAT

6d21985a34efde10ae60b32f3d1f309da2707f6421bdb78f1da14ec1341b22ec

RemcosRAT

81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff

RemcosRAT

b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137

RemcosRAT

e2957cb5fb3bc6646533495ea0e907b852d768839e39cd49f362b2cb1ab53df9

RemcosRAT

+ 4'248 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:test rat

Link:

https://tria.ge/reports/220504-t1x9ksecb7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Downloads MZ/PE file

Remcos

Malware Config

C2 Extraction:

nuvez111.casacam.net:2404
nuvez110.camdvr.org:2404
harvey205.camdvr.org:2404
harvey206.casacam.net:2404
harvey207.accesscam.org:2404
leaflet308.casacam.net:2404

Unpacked files

SH256 hash:

5a3d3508065e1efe5ccccc4f1e1ad8993fe5fec175e95c1b82299f128ab304e2

MD5 hash:

8ee24d6fa24f1b6d52913b684b3923a2

SHA1 hash:

7cb37ec6d2f7bd1a4cc1c9628a7356e16b80ed8c

Link:

https://www.unpac.me/results/b56686df-6c28-4fed-b0b7-12a511766bb2/

SH256 hash:

369fb7c024c9009a015b69b40e87501395aa4a3c6cf4da5531c33c6840ebe5dd

MD5 hash:

2d154f50ebd6a7d9c2bcd83aed2d7945

SHA1 hash:

04d995b6f85007b84e6ce2ceb0de2444e2950019

Link:

https://www.unpac.me/results/b56686df-6c28-4fed-b0b7-12a511766bb2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/369fb7c024c9009a015b69b40e87501395aa4a3c6cf4da5531c33c6840ebe5dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_imphash Create hunting rule

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/268685/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample