MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 369fce162239045403c87f8c83445d9d300fe2d8656899cb079ce4acca77a99a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: 369fce162239045403c87f8c83445d9d300fe2d8656899cb079ce4acca77a99a
SHA3-384 hash: 612f952767992412a979b5916655e8c8b2d238b981ff3e9eadc53edd70366612baea0e416c96151dfd2c56c09e2416ca
SHA1 hash: 9102fc05e6cb399f547752e53a66075243052a4d
MD5 hash: d61c17656e28348150c5d17dcc0106cd
humanhash: edward-enemy-harry-high
File name: echo-D3FG-2.DE.exe
Signature: RemcosRAT
File size: 7'831'460 bytes
First seen: 2023-07-09 09:57:44 UTC
Last seen: 2023-07-09 10:26:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep: 196608:leY3avuuDfyGR21X5Sp6GemDMPwuW23vYPGshGRx:MY3aJDfDspfaMP5z
Threatray: 280 similar samples on MalwareBazaar
TLSH: T1EB863351B260C9E5D8B65139CC80C6F49662BC73C764D68B72A07F9F3F337A6583AA01
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 80218000d000d25e (2 x RemcosRAT)
Reporter: ULTRAFRAUD
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads :
2
# of downloads :
320
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
echo-D3FG-2.DE.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-09 09:59:04 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
Creating synchronization primitives
Creating a process from a recently created file
Launching cmd.exe command interpreter
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control expand greyware lolbin masquerade overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Disables UAC (registry)
Found malware configuration
Found stalling execution ending in API Sleep call
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
PE file contains section with special chars
Powershell drops PE file
Sigma detected: Remcos
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1271058, Sample: echo-D3FG-2.DE.exe, Startdate: 11/07/2023, Architecture: WINDOWS, Score: 100 (graph rendering omitted). The graph shows echo-D3FG-2.DE.exe dropping PyInstaller runtime files (python311.dll, select.pyd, unicodedata.pyd), re-launching itself, contacting lunarclient.de (141.95.16.111) and dropping echo-4662-2DF5.exe and recover.bat; cmd.exe then runs powershell.exe, which drops RiotGames.exe, which drops C:\ProgramData\Terminal\Terminal.exe; Terminal.exe starts iexplore.exe (foreign memory writes, global keyboard hook) and cmd.exe/reg.exe chains that disable UAC in the registry.
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2023-06-01 11:52:00 UTC
File Type:
PE+ (Exe)
Extracted files:
660
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:newrem evasion persistence pyinstaller rat trojan
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Remcos
UAC bypass
Malware Config
C2 Extraction:
141.95.16.111:2404
Unpacked files
SHA256 hash:
369fce162239045403c87f8c83445d9d300fe2d8656899cb079ce4acca77a99a
MD5 hash:
d61c17656e28348150c5d17dcc0106cd
SHA1 hash:
9102fc05e6cb399f547752e53a66075243052a4d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:Remcos
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:Windows_Trojan_Remcos_b296e965
Author:Elastic Security
Rule name:win_remcos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments