MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c09acc9b330846c99b3bdafa1697137c48b9a002919b6c1d671e9224bae9576. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c09acc9b330846c99b3bdafa1697137c48b9a002919b6c1d671e9224bae9576
SHA3-384 hash: 6b876cc4de7a69c322b223b0fc584ed744de56ea2d944ff110f1720e1ecb88d1eb16199dff76637aab35e9d346e84a88
SHA1 hash: 51d3a58654f8ca5285844623076b3ff47955ac6e
MD5 hash: 5cb627824d6279f4312dd1d31b1f20a3
humanhash: eight-queen-montana-jig
File name:5cb627824d6279f4312dd1d31b1f20a3
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'374'208 bytes
First seen:2022-03-04 19:57:41 UTC
Last seen:2022-03-04 21:38:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 24576:QLp3PBK/s6J4CHFGRIW+BMWyKLtBbni/c+zqZFUobOJ/:EpaBJLHFGmkWyoB78c+zoF9bg/
Threatray 1'911 similar samples on MalwareBazaar
TLSH T1385522293688E515D7C91470EDDC90A40462AE0E2382F247ADF8FF6C37F6653C96869F
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247462/
Detection(s):
SecuriteInfo.com.Variant.Lazy.146409.26779.13778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4e11625-281f-47f8-baa0-0530c5bb992f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951001
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 583478 Sample: qK4XqiKypD Startdate: 04/03/2022 Architecture: WINDOWS Score: 100 37 store-images.s-microsoft.com 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 16 other signatures 2->45 8 qK4XqiKypD.exe 7 2->8         started        signatures3 process4 file5 29 C:\Users\user\AppData\Roaming\rsRhVr.exe, PE32 8->29 dropped 31 C:\Users\user\...\rsRhVr.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmpAE3B.tmp, XML 8->33 dropped 35 C:\Users\user\AppData\...\qK4XqiKypD.exe.log, ASCII 8->35 dropped 47 Detected unpacking (creates a PE file in dynamic memory) 8->47 49 Contains functionality to steal Chrome passwords or cookies 8->49 51 Contains functionality to inject code into remote processes 8->51 53 4 other signatures 8->53 12 qK4XqiKypD.exe 8->12         started        15 powershell.exe 25 8->15         started        17 powershell.exe 24 8->17         started        19 schtasks.exe 8->19         started        signatures6 process7 signatures8 55 Detected Remcos RAT 12->55 57 Writes to foreign memory regions 12->57 59 Allocates memory in foreign processes 12->59 61 Injects a PE file into a foreign processes 12->61 21 iexplore.exe 12->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c09acc9b330846c99b3bdafa1697137c48b9a002919b6c1d671e9224bae9576/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 19:58:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e0881351587adaa5a1b7361fdc03167ef38d9e7db2e55110e97c5a2644de94b
RemcosRAT
388099a4f3b1d9a56fd023c78c3130aa212632f04d6ba6399daa5ee9a5d398a1
RemcosRAT
4c58367c2bef44bbe841f7099f6974c79e9c5c7af23f68c41955b32e880d1c70
RemcosRAT
8ad7228497277a166f2e78ab973006d6a72eeefe6b651a2b25fec61e2b1aa73f
RemcosRAT
aec37c0354418c5918aa4e92b227affbac9f880be79f165ffb7c77adf75fef96
RemcosRAT
bcb97b3cbfe72dac8416a224ddb03a17ccba79da52872c6f5fcb13b93b43a247
RemcosRAT
+ 1'901 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220304-ypt51ahdfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
5f0dd409eed1e6039a6f545cfd43c759ecf41d0aeaac57450660421629c3d103
MD5 hash:
e5e9be5286a25a9ac4d526d1820baea3
SHA1 hash:
29e6d56428bdd1ee39e40256507f80df281f1a67
Link:
https://www.unpac.me/results/92b47e92-45db-4fe1-ae73-073ba7e6cb01/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/92b47e92-45db-4fe1-ae73-073ba7e6cb01/
SH256 hash:
1a8196155c6986528e1ad7ef621c174e95c7018900e45cd63595be91fe7e06e4
MD5 hash:
32fc89a02117b2e5a0c0979b99ce5adc
SHA1 hash:
e8f5b6bc72f7f5b789b0956b9fb5a995f9bb474b
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/92b47e92-45db-4fe1-ae73-073ba7e6cb01/
SH256 hash:
c2ffc1ea0c78ebb0c16ec2cd72df56adb8e4a92b9da7b648ddc31adc2d4004b5
MD5 hash:
99dd1c4f31cf591b771ca2df584a15f9
SHA1 hash:
ec1ae38c469e8c5b013042916c41acc8caf265d7
Link:
https://www.unpac.me/results/92b47e92-45db-4fe1-ae73-073ba7e6cb01/
SH256 hash:
3c09acc9b330846c99b3bdafa1697137c48b9a002919b6c1d671e9224bae9576
MD5 hash:
5cb627824d6279f4312dd1d31b1f20a3
SHA1 hash:
51d3a58654f8ca5285844623076b3ff47955ac6e
Link:
https://www.unpac.me/results/92b47e92-45db-4fe1-ae73-073ba7e6cb01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c09acc9b330846c99b3bdafa1697137c48b9a002919b6c1d671e9224bae9576

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 3c09acc9b330846c99b3bdafa1697137c48b9a002919b6c1d671e9224bae9576

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2076488/
Cape
Cape
https://www.capesandbox.com/analysis/247462/

Comments


Avatar
zbet commented on 2022-03-04 19:57:43 UTC

url : hxxp://homi-egypt.com/system/85rms.jpg