MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 397af187b4af99bc3700f3b6e34bcd13120e10397840b25df3698fc3234c8aad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 397af187b4af99bc3700f3b6e34bcd13120e10397840b25df3698fc3234c8aad
SHA3-384 hash: 2644265f9be2a77a6c52c080e122d36b1f41f8c86ff11cca25b63a9b20fb449131602106c84f242b1ee42b09a7fd11d1
SHA1 hash: 3711e843d26512dc344de7cefcad6e5bd69e5b4c
MD5 hash: 512314679bd384c0c443b1b3469126c7
humanhash: asparagus-alpha-twelve-north
File name:SecuriteInfo.com.Win32.DropperX-gen.13634.14488
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:10'752 bytes
First seen:2022-11-30 11:31:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 192:inpcVVHqWob/38I0GCRUcmbxy8stYcFmVc03KY:wcXqNbp0G7rxyptYcFmVc03K
Threatray 3'470 similar samples on MalwareBazaar
TLSH T18A22D60197C44132CA7582B62DBB878A8731A7AB5987CFAE789C450F7F7354683532E1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.13634.14488
Verdict:
Malicious activity
Analysis date:
2022-11-30 11:36:11 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/d0ef40e8-0149-4ae0-b578-1e68aa602c2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340095/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.13634.14488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
DNS request
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63873f375be128ac718fef8c/reports/996f99ed-e7f9-49ce-863f-490df6f4f7a6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6cfcd5f3-aff6-4993-993d-8a1374399ad0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123908
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756630 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 7 SecuriteInfo.com.Win32.DropperX-gen.13634.14488.exe 16 7 2->7         started        12 Jpthirbk.exe 2 2->12         started        process3 dnsIp4 35 185.246.220.210, 49720, 49734, 49735 LVLT-10753US Germany 7->35 29 C:\Users\user\AppData\...\Jpthirbk.exe, PE32 7->29 dropped 31 C:\Users\...\Jpthirbk.exe:Zone.Identifier, ASCII 7->31 dropped 33 SecuriteInfo.com.W...13634.14488.exe.log, ASCII 7->33 dropped 47 Encrypted powershell cmdline option found 7->47 49 Injects a PE file into a foreign processes 7->49 14 SecuriteInfo.com.Win32.DropperX-gen.13634.14488.exe 2 7->14         started        17 powershell.exe 16 7->17         started        19 powershell.exe 11 7->19         started        51 Multi AV Scanner detection for dropped file 12->51 53 Machine Learning detection for dropped file 12->53 21 powershell.exe 1 12->21         started        file5 signatures6 process7 dnsIp8 37 85.31.44.145, 41900, 49724, 49725 CLOUDCOMPUTINGDE Germany 14->37 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/397af187b4af99bc3700f3b6e34bcd13120e10397840b25df3698fc3234c8aad/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 09:06:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hf5pdb5uv6m3ynya6o3ogs6ncmja4ebzpbalexptngh4gi2mrkwq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
RemcosRAT
139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787
RemcosRAT
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
RemcosRAT
88729c3c2f0d440cb964a0b14af9f726a961700288ea860cc8db492685ca4546
RemcosRAT
9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c
RemcosRAT
a04d627bf01f18ee5ca0d47dac132c9ae2f12973aa9c54c331170d67967deb7d
RemcosRAT
c8f7124c43eb317024e9e329f6a05b8e278b3c6ac99a2f202406b719dbb815ca
RemcosRAT
f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24
RemcosRAT
+ 3'460 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehostblanca persistence rat
Link:
https://tria.ge/reports/221130-nnad4afe38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
85.31.44.145:41900
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9580dc0b-1e32-472d-853a-20be638a5982
Unpacked files
SH256 hash:
397af187b4af99bc3700f3b6e34bcd13120e10397840b25df3698fc3234c8aad
MD5 hash:
512314679bd384c0c443b1b3469126c7
SHA1 hash:
3711e843d26512dc344de7cefcad6e5bd69e5b4c
Link:
https://www.unpac.me/results/766079d4-0734-4e4c-a8d6-72ae20661a37/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/397af187b4af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/397af187b4af99bc3700f3b6e34bcd13120e10397840b25df3698fc3234c8aad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340095/

Comments