MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb
SHA3-384 hash: 7d569c9dccc4d70f1a635ac22ca959a8323fc1e279eb56c0ce5cbcfbdf2edddcd450e92b0c9376d2e4eb228485b07268
SHA1 hash: 751b336600f3c787fbf86e3d39526628120ecd5b
MD5 hash: 8eece1be4e8a269dd2e858c5922c45df
humanhash: kansas-mango-earth-freddie
File name:8eece1be4e8a269dd2e858c5922c45df
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'003'008 bytes
First seen:2021-08-31 13:03:40 UTC
Last seen:2021-08-31 15:44:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:6xZmi4OaKb8By+IKP41SZ7+FzEayAm/ymkyNJXIspI0:8mKsiPwt/ayAm/7/FpI0
Threatray 524 similar samples on MalwareBazaar
TLSH T11E25817F19BDA1279175C6F58BD38423F0018BAF31216921B6D647264327A7AB4F332E
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE - Final.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-31 12:13:10 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/3f8c405c-1c75-4a6c-ac2d-47679361d901

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184206/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.21354.4137.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a file
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e8ebd55-37a6-4728-83a4-d1419e471b62
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842704
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 13:04:08 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcnftfyzaofjggg5dzo2r3ubympcsjypqlv5decfwabwpcn5ahvq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
43e203e8ba3259f1130a9c158dbc20ac44b2d0ec183004eab3305c73ba6afdef
RemcosRAT
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
RemcosRAT
576c45faf084a4f7d282e460ee207cd9a6dc269444701ee211f9aeb7879efc35
RemcosRAT
70921226f4c6dd8d21672150cc0115b107c395f848aa89975ed3bb42c7eccd69
RemcosRAT
77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
RemcosRAT
80815a7e6ad20eed27bf6b3112f7b735d102cfc375e40444cef9abca506ed80a
RemcosRAT
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
RemcosRAT
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
RemcosRAT
e291787eb38a6bd40ca70158d8873ee4f9d8efe22906edf703f0ea2b8af3c248
RemcosRAT
f5502d660f4b1f1110b7ba4fd0eab36ec5b44ff97c12b146a48ff8e38efa4745
RemcosRAT
+ 514 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/210831-cvxrr88l5n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
45.137.22.77:5888
Unpacked files
SH256 hash:
d1776bfe28a7b4ba1376cc873d9e5209a32a12ea9986ddc64e313a8862c3a6a9
MD5 hash:
49d6be64c2bcea3a1dbd278e70a3c710
SHA1 hash:
6e2811e0017703c2bc48a26d1a1ae055c010f873
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/e1cec714-c1de-4fe6-b91b-e69b51ec277d/
Parent samples :
389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb
64052224da5434bd2397837e97cb8dc2bf7b4e4a39fa091ca069bd6219e9cf3f
SH256 hash:
45294fbcac12ab935f1c9490019d245cf2679ced955d0d5ac35a921fbf0ae739
MD5 hash:
7f7ca1b3ee12de790f7823ca55c9ea83
SHA1 hash:
59d3a27de58c39b346aa15ebef8789aa4c43f223
Link:
https://www.unpac.me/results/e1cec714-c1de-4fe6-b91b-e69b51ec277d/
SH256 hash:
81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c
MD5 hash:
bae511742374b721136acaa03b0c1fa0
SHA1 hash:
215c50455b01a78ea173bbb034ddbe4b452ea734
Link:
https://www.unpac.me/results/e1cec714-c1de-4fe6-b91b-e69b51ec277d/
SH256 hash:
389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb
MD5 hash:
8eece1be4e8a269dd2e858c5922c45df
SHA1 hash:
751b336600f3c787fbf86e3d39526628120ecd5b
Link:
https://www.unpac.me/results/e1cec714-c1de-4fe6-b91b-e69b51ec277d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/389a59971903/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 389a599719038a9318dd1e5da8ee81c31e29270f82ebd19045b0036789bd01eb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1580368/
Cape
Cape
https://www.capesandbox.com/analysis/184206/

Comments


Avatar
zbet commented on 2021-08-31 13:03:41 UTC

url : hxxp://198.23.251.109/hsbc/vbc.exe