MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379
SHA3-384 hash: e246fe43d1d68160b2bba442c088dfdf252549dcb58c2a66f7e23b25ad8a5afa148429c2aad017480ca12fa4e7ecc7de
SHA1 hash: cc686677e1e22b71ef2b18559adb4c16aef11756
MD5 hash: 7274d6c1a7dc0a091e1a801165f879cd
humanhash: kilo-wisconsin-echo-iowa
File name:7274d6c1a7dc0a091e1a801165f879cd
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'017'856 bytes
First seen:2021-09-22 18:11:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91a12f22e7f2305a107edddf42c40880 (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 12288:FYfGUHuv5bSkBsFkT5m3GpOAz1yeoAdrL7i:FYOUUtBs2YqO8PrPi
Threatray 61 similar samples on MalwareBazaar
TLSH T17A255C97A395D8F8ED38393EC94573566600BFF13C135C4CAD642A8B6AB8684FDC9087
File icon (PE):PE icon
dhash icon 88a2b6b2aaaad4d4 (11 x RemcosRAT, 3 x Formbook, 2 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7274d6c1a7dc0a091e1a801165f879cd
Verdict:
Malicious activity
Analysis date:
2021-09-22 18:24:20 UTC
Tags:
installer rat remcos
Link:
https://app.any.run/tasks/f09ca2c0-ab28-4bb0-94d0-cbecdb979345

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190381/
Detection(s):
Win.Trojan.Zusy-9895656-0
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0232f84-4b20-4c34-80ac-fad56137828a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855908
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488339 Sample: g4E1F7Lc2O Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 54 trapboijiggy.dvrlists.com 2->54 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 6 other signatures 2->78 9 g4E1F7Lc2O.exe 1 22 2->9         started        14 Bkmhwql.exe 17 2->14         started        16 Bkmhwql.exe 13 2->16         started        signatures3 process4 dnsIp5 58 sn-files.ha.1drv.com 40.79.207.82, 443, 49752, 49754 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->58 60 sn-files.fe.1drv.com 9->60 66 2 other IPs or domains 9->66 52 C:\Users\Public\Libraries\...\Bkmhwql.exe, PE32 9->52 dropped 88 Writes to foreign memory regions 9->88 90 Creates a thread in another existing process (thread injection) 9->90 92 Injects a PE file into a foreign processes 9->92 18 logagent.exe 5 2 9->18         started        23 cmd.exe 1 9->23         started        25 cmd.exe 1 9->25         started        68 3 other IPs or domains 14->68 94 Multi AV Scanner detection for dropped file 14->94 96 Machine Learning detection for dropped file 14->96 27 DpiScaling.exe 14->27         started        62 40.79.207.80, 443, 49822 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->62 64 192.168.2.1 unknown unknown 16->64 70 3 other IPs or domains 16->70 file6 signatures7 process8 dnsIp9 56 trapboijiggy.dvrlists.com 31.3.152.100, 49757, 49758, 49759 ALTUSNL Sweden 18->56 50 C:\...\riymadmtmnoxaiwxiygfdnepqidzjygpt.vbs, data 18->50 dropped 80 Tries to steal Mail credentials (via file registry) 18->80 82 Contains functionality to inject code into remote processes 18->82 84 Contains functionality to steal Firefox passwords or cookies 18->84 86 2 other signatures 18->86 29 logagent.exe 1 18->29         started        32 logagent.exe 1 18->32         started        34 wscript.exe 18->34         started        36 logagent.exe 18->36         started        38 reg.exe 1 23->38         started        40 conhost.exe 23->40         started        42 cmd.exe 1 25->42         started        44 conhost.exe 25->44         started        file10 signatures11 process12 signatures13 98 Tries to steal Instant Messenger accounts or passwords 29->98 100 Tries to steal Mail credentials (via file access) 29->100 46 conhost.exe 38->46         started        48 conhost.exe 42->48         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 18:12:16 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnnewd7fxd2p3g7sj4zhcltj3ir3ievfmu7aaqwshiosikoeen4q._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
RemcosRAT
3b103382dedb2748d8164a7ecccde2dee2e81a10b9672d88ce1a8160d4b92e7e
RemcosRAT
4768bc4db58542167ce61a3e0a78bfaa79a3b7dee0b54a587886545ed83a13f7
RemcosRAT
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
RemcosRAT
9d109cc4f855ab857f7bc081a7bd0e2be2a46d59282970f1a189a019b4467173
RemcosRAT
9d71b356bc7e51729a4726433111be12297dd9403a82cff2e20902944c0af748
RemcosRAT
d21cbbc50e85c872732a119f1c0d567a54cd6a75c512c3bf84baba8a8fbfc97d
RemcosRAT
d2754cfc2913bbb43c9ced52b6844c8da595bd68f9265696f90c7620e1ac2de7
RemcosRAT
fb55f300cbcea6d62e33eb76a196849d1a67ce91c46255d2180fcd6a2cdc43f9
RemcosRAT
+ 51 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xmrig botnet:octopus miner persistence rat
Link:
https://tria.ge/reports/210922-ws828agaal/
Behaviour
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Remcos
xmrig
Malware Config
C2 Extraction:
trapboijiggy.dvrlists.com:54614
Unpacked files
SH256 hash:
9df5839fe41103d241af27c07ec4fce4adfb9129cb57fe6d3fd9a396a750fb49
MD5 hash:
36e70e671e5390c2363ea8803df1c84a
SHA1 hash:
8905d18a2eb8299c800331aee4bbd05afa8f5bcc
Link:
https://www.unpac.me/results/1eb7c762-05f7-4faa-8c56-2a7f261ba07b/
SH256 hash:
3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379
MD5 hash:
7274d6c1a7dc0a091e1a801165f879cd
SHA1 hash:
cc686677e1e22b71ef2b18559adb4c16aef11756
Link:
https://www.unpac.me/results/1eb7c762-05f7-4faa-8c56-2a7f261ba07b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 3b5a4b0fe5b8f4fd9bf24f32712e69da23b412a5653e0042d23a1d2429c42379

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1639830/
Cape
Cape
https://www.capesandbox.com/analysis/190381/

Comments


Avatar
zbet commented on 2021-09-22 18:11:36 UTC

url : hxxp://192.210.214.221/font.exe