MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 19



SHA256 hash: 3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01
SHA3-384 hash: edca12a6944960353f68c6deba073644ebcd985b25ee35cfa98cb5a7122eaccfb447a85d2114acd9e7eeebe830283636
SHA1 hash: b7644f39188e8e8bcb41723833321a43f9474629
MD5 hash: 067027b5b20d0d80be90f41dc126fda3
humanhash: one-golf-stairway-yellow
File name: CameraCaptureUI.exe
Signature RemcosRAT
File size: 3'035'216 bytes
First seen: 2024-09-03 02:04:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc9:C2cPK8YwjE2cPK8U
TLSH T1BEE5D042B399C0F6FF5663B39B1AB646677C7D3141B3411F23982E68BD711B2022E663
TrID 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon f8de98d898a8f8f8 (1 x RemcosRAT)
Reporter adm1n_usa32
Tags: exe RemcosRAT
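The imphash above matches far more FormBook and AgentTesla samples than RemcosRAT ones, and the sandboxes below flag the file as a compiled AutoIt script. That is why: a compiled AutoIt binary is the AutoIt interpreter stub with the script appended, so the import table, and with it the imphash, belongs to the stub rather than to the payload, which is also what the SUSP_Imphash_Mar23_3 YARA hit further down reflects. The Python below is an added example, not MalwareBazaar's or pefile's code, showing how an imphash is derived from an import table using the same normalisation pefile applies (lower-case, .dll/.ocx/.sys stripped, ordinal imports named from a lookup table or written as ordN, entries joined with commas in import-table order, MD5). The import list and the ordinal-name subset are constructed for the illustration; for a real file, parse its import directory with pefile and feed the entries in.

```python
import hashlib

# Ordinal -> name tables consulted when an import has no name.
# Illustrative subset (constructed for this example); pefile's own tables
# cover ws2_32, wsock32 and oleaut32 in full.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}


def normalize_import(dll, func=None, ordinal=None):
    """Return the 'dll.func' token that imphash uses for one import entry."""
    lib = dll.lower()
    for ext in (".ocx", ".sys", ".dll"):   # only these extensions are stripped
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    if func is None:                        # import by ordinal, no name in the table
        func = ORDINAL_NAMES.get(lib, {}).get(ordinal, "ord%d" % ordinal)
    return "%s.%s" % (lib, func.lower())


def import_string(imports):
    """imports: list of (dll, name_or_None, ordinal_or_None) in import-table order.
    Order matters: the same imports in a different order give a different hash."""
    return ",".join(normalize_import(d, f, o) for d, f, o in imports)


def imphash(imports):
    """MD5 over the comma-joined normalised import tokens."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# imphash recorded for this entry (shared with many unrelated AutoIt-compiled samples).
ENTRY_IMPHASH = "afcdf79be1557326c854b6e20cb900a7"


def matches_entry(imports):
    """True if an import table hashes to the imphash recorded for this entry."""
    return imphash(imports) == ENTRY_IMPHASH


# Constructed import table for the demonstration (not the sample's real import directory).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW", None),
    ("ADVAPI32.dll", "RegSetValueExW", None),
    ("WS2_32.dll", None, 23),               # ordinal 23 resolves to socket
    ("USER32.dll", "BlockInput", None),
]

if __name__ == "__main__":
    print(import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS), "matches entry:", matches_entry(SAMPLE_IMPORTS))
```

Because only DLL name, function name and order go into the hash, two binaries built from the same interpreter stub hash identically regardless of the script they carry, which is why imphash pivots on AutoIt-compiled malware cross family lines and should be combined with the ssdeep, TLSH or icon dhash values listed above before drawing a relationship.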

Intelligence


File Origin
# of uploads :
1
# of downloads :
404
Origin country :
RO
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
CameraCaptureUI.exe
Verdict:
Malicious activity
Analysis date:
2024-09-03 02:03:18 UTC
Tags:
remcos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Encryption Execution Infostealer Network Stealth Trojan Remcos
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
DNS request
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos, WebMonitor RAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Remcos RAT
Found API chain indicative of debugger detection
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Remcos RAT
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Behavior Graph (ID 1503175)
Sample: CameraCaptureUI.exe
Start date: 03/09/2024
Architecture: WINDOWS
Score: 100
Graph-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 15 other signatures

Network (domains and IPs in the graph):
  daya4659.ddns.net (Uses dynamic DNS services)
  snpandey4659.wm01.to
  4 other IPs or domains
  google.se (queried by the child CameraCaptureUI.exe and by other processes)
  378fad9658154c287c09623c4b8570ba.se (queried by the child CameraCaptureUI.exe)
  54.144.73.197:443 (AMAZON-AES, United States; local ports 49712, 49715), contacted by AcroCEF.exe
  23.56.162.185:443 (AKAMAI-AS, United States; local port 49717), contacted by AcroCEF.exe

Dropped files:
  C:\Users\user\...\remcos_agent_Protected.exe, PE32 (dropped by CameraCaptureUI.exe)
  C:\Users\user\AppData\...\driverquery.exe, PE32 (dropped by CameraCaptureUI.exe)
  C:\Users\user\AppData\Roaming\...\sfc.exe, PE32 (dropped by remcos_agent_Protected.exe)
  C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 (dropped by the second remcos_agent_Protected.exe)
  C:\Users\user\AppData\Local\...\install.vbs, data (dropped by the second remcos_agent_Protected.exe)

Process tree (signatures attached to each node in brackets):
  CameraCaptureUI.exe [Binary is likely a compiled AutoIt script file; Found API chain indicative of debugger detection; Contains functionality to inject code into remote processes; Uses schtasks.exe or at.exe to add and modify task schedules]
    remcos_agent_Protected.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected Remcos RAT; 2 other signatures]
      remcos_agent_Protected.exe [Detected Remcos RAT; Binary is likely a compiled AutoIt script file; Creates multiple autostart registry keys; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)]
        wscript.exe [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
          cmd.exe
            remcos.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected Remcos RAT; 3 other signatures]
              remcos.exe [Detected Remcos RAT; Binary is likely a compiled AutoIt script file; Tries to harvest and steal browser information (history, passwords, etc); Opens the same file many times (likely Sandbox evasion)]
                svchost.exe
              schtasks.exe
            conhost.exe
      schtasks.exe
        conhost.exe
    CameraCaptureUI.exe [Binary is likely a compiled AutoIt script file; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys] (DNS: google.se, 378fad9658154c287c09623c4b8570ba.se)
    3 other processes
      AcroCEF.exe
        AcroCEF.exe (connects to 54.144.73.197:443 and 23.56.162.185:443)
      conhost.exe
      conhost.exe
  sfc.exe [Antivirus detection for dropped file; Detected Remcos RAT; Machine Learning detection for dropped file]
    sfc.exe
    schtasks.exe
      conhost.exe
  remcos.exe [Injects a PE file into a foreign processes]
    remcos.exe
    schtasks.exe
      conhost.exe
  4 other processes
    remcos.exe
    9 other processes [Injects a PE file into a foreign processes] (DNS: google.se)
      conhost.exe
      2 other processes
Threat name:
Win32.Backdoor.NanoCore
Status:
Malicious
First seen:
2024-08-30 04:44:25 UTC
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
webmonitor
Score:
  10/10
Tags:
family:remcos family:webmonitor botnet:remotehost backdoor discovery infostealer link pdf persistence rat upx
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
HTTP links in PDF interactive object
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Remcos
RevcodeRat, WebMonitorRat
WebMonitor payload
Malware Config
C2 Extraction:
daya4659.ddns.net:8282
snpandey4659.wm01.to:443
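The behaviour graph and the Sigma hits above describe a chain that host telemetry can key on without any Remcos-specific signature: a script interpreter run from a user-writable path (install.vbs under AppData\Local), wscript.exe spawning cmd.exe, and schtasks.exe launched by a process living under AppData\Roaming. The malware config adds two C2 hosts, both under dynamic-DNS zones, which is the "Uses dynamic DNS services" signature. The Python below is an added example, not part of this entry or of any sandbox's rule set, that runs those checks over a handful of constructed process-creation and DNS events. The event shape, the full paths (the page shows only truncated ones), the command lines and the dynamic-DNS zone list are assumptions for the illustration.

```python
import re
from dataclasses import dataclass

# Known C2 hosts from this entry's "Malware Config" section.
C2_HOSTS = {"daya4659.ddns.net", "snpandey4659.wm01.to"}
# Dynamic-DNS parent zones. Illustrative list (assumption); extend from your own feed.
DYNDNS_ZONES = {"ddns.net", "wm01.to", "duckdns.org", "no-ip.com"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}
# User-writable locations the chain used in the sandbox (%AppData%, %LocalAppData%, %temp%).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)


@dataclass
class Event:
    kind: str               # "process" (process creation) or "dns" (name lookup)
    image: str = ""         # full path of the new process
    cmdline: str = ""
    parent_image: str = ""  # full path of the parent process
    query: str = ""         # queried name, for dns events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_dyndns(host):
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES)


def evaluate(ev):
    """Return the detection names a single event triggers."""
    hits = []
    if ev.kind == "dns":
        q = ev.query.lower().rstrip(".")
        if q in C2_HOSTS:
            hits.append("known_remcos_c2")
        elif is_dyndns(q):
            hits.append("dynamic_dns_lookup")
        return hits
    name, parent = basename(ev.image), basename(ev.parent_image)
    # Sigma "Script Interpreter Execution From Suspicious Folder" / "... From Temp Folder"
    if name in SCRIPT_INTERPRETERS and USER_WRITABLE.search(ev.cmdline):
        hits.append("script_interpreter_from_user_writable_path")
    # Sigma "WScript or CScript Dropper": the interpreter hands off to cmd.exe
    if parent in SCRIPT_INTERPRETERS and name == "cmd.exe":
        hits.append("wscript_spawns_cmd")
    # "Uses schtasks.exe ... to add and modify task schedules" from a process under AppData
    if name == "schtasks.exe" and "/create" in ev.cmdline.lower() and USER_WRITABLE.search(ev.parent_image):
        hits.append("schtasks_create_from_appdata_parent")
    return hits


def triage(events):
    """Map event index -> detections, for the events that triggered at least one."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed events (assumed full paths and command lines; not sandbox output).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\user\AppData\Local\Temp\install.vbs"',
          r"C:\Users\user\AppData\Roaming\remcos_agent_Protected.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c start remcos.exe",
          r"C:\Windows\System32\wscript.exe"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Updater" /tr "C:\Users\user\AppData\Roaming\remcos\remcos.exe"',
          r"C:\Users\user\AppData\Roaming\remcos\remcos.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir",   # benign control
          r"C:\Windows\explorer.exe"),
    Event("dns", query="daya4659.ddns.net"),
    Event("dns", query="google.se"),                                      # seen in the graph, benign
    Event("dns", query="host.duckdns.org"),
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].kind, hits)
```

The C2 match is exact-host and will go stale as soon as the operator rotates the dynamic-DNS name; the three process-chain checks and the dynamic-DNS zone check are what survive that rotation, at the cost of needing an allow-list for legitimate scripts that genuinely run from %temp%.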
Unpacked files
SHA256 hash:
e05c3642bb7e56de73b5bc1dadc3ca91f698434c8c055650b4fbdd8e2842485b
MD5 hash:
f1260cb5d0d66420dcdfd431dbd1ed29
SHA1 hash:
5272804135182a98a2efdd3b51d15b3fbc802a62
Detections:
win_webmonitor_w0 MALWARE_Win_RevCodeRAT
SHA256 hash:
3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01
MD5 hash:
067027b5b20d0d80be90f41dc126fda3
SHA1 hash:
b7644f39188e8e8bcb41723833321a43f9474629
Detections:
AutoIT_Compiled SUSP_Imphash_Mar23_3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_3
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical
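BLint's CHECK_NX and CHECK_DLL_CHARACTERISTICS findings both come from the DllCharacteristics word in the PE optional header: bit 0x0100 is IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x0020 is HIGH_ENTROPY_VA, 0x0040 is DYNAMIC_BASE and 0x4000 is GUARD_CF. For a compiled AutoIt script these flags describe how the interpreter stub was linked, not anything the script author chose. The Python below is an added example, not BLint's code, that reads that word without pefile and lists the mitigations that are not set; it also builds minimal header-only PE fixtures (constructed, not this sample) so the check runs offline. Offsets follow the PE specification: the COFF file header is 20 bytes and DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.

```python
import struct

# DllCharacteristics bits that BLint's CHECK_NX / CHECK_DLL_CHARACTERISTICS report on.
DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}


def dll_characteristics(data):
    """Read the DllCharacteristics word from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20              # skip the signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def missing_mitigations(data):
    """Names of the mitigations whose DllCharacteristics bit is clear."""
    flags = dll_characteristics(data)
    return [name for bit, name in DLLCHARACTERISTICS.items() if not flags & bit]


def stub_pe(dllchar, pe32plus=False):
    """Build a header-only PE with the given DllCharacteristics.
    Constructed test fixture for this example; it is not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96   # optional header without data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                      # sections, timestamp, symtab ptr, nsyms
                       opt_size, 0x0102)                # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dllchar)                       # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(missing_mitigations(fh.read()))
    else:
        # Constructed fixture with only DYNAMIC_BASE set: NX and HIGH_ENTROPY_VA missing.
        print(missing_mitigations(stub_pe(0x0040)))
```

Run it against a real file with `python check_dllchar.py sample.exe`; a clear NX_COMPAT bit means the loader will not enforce DEP for that image on systems using the opt-in policy, which is what BLint rates critical above. Authenticode presence (CHECK_AUTHENTICODE) is a separate check on the security data directory and is not covered by this reader.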
Reviews
ID                  Capabilities                        Evidence
AUTH_API            Manipulates User Authorization      ADVAPI32.dll::AllocateAndInitializeSid
                                                        ADVAPI32.dll::CopySid
                                                        ADVAPI32.dll::FreeSid
                                                        ADVAPI32.dll::GetLengthSid
                                                        ADVAPI32.dll::GetTokenInformation
                                                        ADVAPI32.dll::GetAce
COM_BASE_API        Can Download & Execute components   ole32.dll::CLSIDFromProgID
                                                        ole32.dll::CoCreateInstance
                                                        ole32.dll::CoCreateInstanceEx
                                                        ole32.dll::CoInitializeSecurity
                                                        ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API      Can Play Multimedia                 WINMM.dll::mciSendStringW
                                                        WINMM.dll::timeGetTime
                                                        WINMM.dll::waveOutSetVolume
SECURITY_BASE_API   Uses Security Base API              ADVAPI32.dll::AddAce
                                                        ADVAPI32.dll::AdjustTokenPrivileges
                                                        ADVAPI32.dll::CheckTokenMembership
                                                        ADVAPI32.dll::DuplicateTokenEx
                                                        ADVAPI32.dll::GetAclInformation
                                                        ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API           Manipulates System Shell            SHELL32.dll::ShellExecuteExW
                                                        SHELL32.dll::ShellExecuteW
                                                        SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API   Can Create Process and Threads      ADVAPI32.dll::CreateProcessAsUserW
                                                        KERNEL32.dll::CreateProcessW
                                                        ADVAPI32.dll::CreateProcessWithLogonW
                                                        KERNEL32.dll::OpenProcess
                                                        ADVAPI32.dll::OpenProcessToken
                                                        ADVAPI32.dll::OpenThreadToken
WIN_BASE_API        Uses Win Base API                   KERNEL32.dll::TerminateProcess
                                                        KERNEL32.dll::SetSystemPowerState
                                                        KERNEL32.dll::LoadLibraryA
                                                        KERNEL32.dll::LoadLibraryExW
                                                        KERNEL32.dll::LoadLibraryW
                                                        KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API   Can Execute other programs          KERNEL32.dll::WriteConsoleW
                                                        KERNEL32.dll::ReadConsoleW
                                                        KERNEL32.dll::SetStdHandle
                                                        KERNEL32.dll::GetConsoleCP
                                                        KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API     Can Create Files                    KERNEL32.dll::CopyFileExW
                                                        KERNEL32.dll::CopyFileW
                                                        KERNEL32.dll::CreateDirectoryW
                                                        KERNEL32.dll::CreateHardLinkW
                                                        IPHLPAPI.DLL::IcmpCreateFile
                                                        KERNEL32.dll::CreateFileW
WIN_BASE_USER_API   Retrieves Account Information       KERNEL32.dll::GetComputerNameW
                                                        ADVAPI32.dll::GetUserNameW
                                                        ADVAPI32.dll::LogonUserW
                                                        ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API     Supports Windows Networking         MPR.dll::WNetAddConnection2W
                                                        MPR.dll::WNetUseConnectionW
WIN_REG_API         Can Manipulate Windows Registry     ADVAPI32.dll::RegConnectRegistryW
                                                        ADVAPI32.dll::RegCreateKeyExW
                                                        ADVAPI32.dll::RegDeleteKeyW
                                                        ADVAPI32.dll::RegOpenKeyExW
                                                        ADVAPI32.dll::RegQueryValueExW
                                                        ADVAPI32.dll::RegSetValueExW
WIN_USER_API        Performs GUI Actions                USER32.dll::BlockInput
                                                        USER32.dll::CloseDesktop
                                                        USER32.dll::CreateMenu
                                                        USER32.dll::EmptyClipboard
                                                        USER32.dll::FindWindowExW
                                                        USER32.dll::FindWindowW

Comments