MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777
SHA3-384 hash: 44754ea896cd70a00aa64c147ef07703c714b9d1b11147a29d661b379551f147b704a94964d7dbbb22a5ba7f9618590c
SHA1 hash: 88c300131b4a57e3770a1fab1266ba8afc081b4e
MD5 hash: c24d81a8e09473a7e775bbaa28743178
humanhash: avocado-video-iowa-cup
File name:SecuriteInfo.com.Win32.PWSX-gen.4912.28703
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'218'560 bytes
First seen:2023-01-09 11:28:27 UTC
Last seen:2023-01-10 11:25:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:aFKm124a3lixxP0SF5mhgx19L0/UAqqhCsJLFscvNVlu7x:uw4a30Xlx19SuuLScl
Threatray 3'856 similar samples on MalwareBazaar
TLSH T1F645DF9237F0D473F4CE133D452827D82DAA6662B2B4F23B5F232D9162958FF7285249
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.4912.28703
Verdict:
Malicious activity
Analysis date:
2023-01-09 11:29:45 UTC
Tags:
rat remcos stealer keylogger
Link:
https://app.any.run/tasks/d0e40170-9dbb-4257-8200-575419dd8409

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351076/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4912.28703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/63bbfa7f0e926711fd77fae6/reports/8531edbb-c256-4ce5-b2f4-633c2281c004/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f3edba2-c870-482f-a20f-449c551a5690
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1147925
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780654 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 09/01/2023 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for dropped file 2->68 70 10 other signatures 2->70 11 SecuriteInfo.com.Win32.PWSX-gen.4912.28703.exe 3 2->11         started        14 remcos.exe 2 2->14         started        17 remcos.exe 2 2->17         started        19 remcos.exe 2->19         started        process3 file4 58 SecuriteInfo.com.W....4912.28703.exe.log, ASCII 11->58 dropped 21 SecuriteInfo.com.Win32.PWSX-gen.4912.28703.exe 5 5 11->21         started        86 Injects a PE file into a foreign processes 14->86 24 remcos.exe 14->24         started        26 remcos.exe 17->26         started        28 remcos.exe 19->28         started        signatures5 process6 file7 52 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 21->52 dropped 54 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 21->54 dropped 56 C:\...\oaqrucbsbxamykvecigdwraorfhptfi.vbs, data 21->56 dropped 30 wscript.exe 1 21->30         started        process8 process9 32 cmd.exe 1 30->32         started        process10 34 remcos.exe 3 32->34         started        37 conhost.exe 32->37         started        signatures11 72 Multi AV Scanner detection for dropped file 34->72 74 Machine Learning detection for dropped file 34->74 39 remcos.exe 2 31 34->39         started        process12 dnsIp13 60 xpremcuz300622.ddns.net 51.38.94.188, 3542, 49705, 49706 OVHFR France 39->60 62 geoplugin.net 178.237.33.50, 49708, 80 ATOM86-ASATOM86NL Netherlands 39->62 76 Maps a DLL or memory area into another process 39->76 78 Installs a global keyboard hook 39->78 43 remcos.exe 39->43         started        46 remcos.exe 39->46         started        48 remcos.exe 39->48         started        50 8 other processes 39->50 signatures14 process15 signatures16 80 Tries to steal Instant Messenger accounts or passwords 43->80 82 Tries to steal Mail credentials (via file / registry access) 43->82 84 Tries to harvest and steal browser information (history, passwords, etc) 50->84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-09 09:42:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlap6hlkppf42p7ll7k7s6fzrbc2ywd3jn7hxyrdhbessver453q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca
RemcosRAT
18a39f6193c69dae7ea38aa9dd25fddabdb651c4276e242d0b585bd13c49c3a9
RemcosRAT
2bff54b9373397bb78dc3dd57f37b85affb564edec73fbb265e9a14d313a2a1d
RemcosRAT
36f48dac4f1cc73c684288dd7113e222e1a4026722ce3c55b378402aabe6361c
RemcosRAT
5f61b50531659487b56d97323a53c7c58445a62fb9f47489cd07b38feb3d4527
RemcosRAT
6e52e90b821296bad26f5e889ab6b40bee7912017890cd8f380c0f6d1a89567a
RemcosRAT
a2cbf70ab3ebedd2c768816596fade8e94d1dd0d6025001ac59a71860e45b808
RemcosRAT
ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8
RemcosRAT
c98bf80d5e23903e4934015e75f6c036130296519548b6014575207d2d296201
RemcosRAT
+ 3'846 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:xp012 collection persistence rat spyware stealer
Link:
https://tria.ge/reports/230109-nlkgaahe4s/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
xpremcuz300622.ddns.net:3542
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3a24ecdb-db17-4327-9f6c-27a4581503da
Unpacked files
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/aa88723a-e563-43ed-932a-bcd6168bf2f8/
SH256 hash:
b6c5c5368ffa63a60d376b5fbd6ac3ca26c5d53aa1c27b442c2c63a7547ccace
MD5 hash:
dabfbfcb0f35b92c707e72e51a73512f
SHA1 hash:
81e241cef0118bb6315c546d3e0f6f3356f518de
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/aa88723a-e563-43ed-932a-bcd6168bf2f8/
SH256 hash:
e84b4619fbfc10594003f51534626dfbf607397a649d2e1bf0fe547d917e8870
MD5 hash:
fe555d45fea0f41374376d15d95a9fde
SHA1 hash:
651dcd66a8ca6936afba92caf8be770870f85956
Link:
https://www.unpac.me/results/aa88723a-e563-43ed-932a-bcd6168bf2f8/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/aa88723a-e563-43ed-932a-bcd6168bf2f8/
SH256 hash:
cda53d84d133088d44c73d7e63aca81ed13c4b41ea01b8d5d48bde0ce3d2a417
MD5 hash:
74d5a06340bab542e0dfee5358cd8566
SHA1 hash:
2eb1d829dccea440785a749c7044131e55a46b9c
Link:
https://www.unpac.me/results/aa88723a-e563-43ed-932a-bcd6168bf2f8/
SH256 hash:
3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777
MD5 hash:
c24d81a8e09473a7e775bbaa28743178
SHA1 hash:
88c300131b4a57e3770a1fab1266ba8afc081b4e
Link:
https://www.unpac.me/results/aa88723a-e563-43ed-932a-bcd6168bf2f8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ac0ff1d6a7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351076/

Comments