MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61
SHA3-384 hash: 1c8f2ccb208c36b0beb7e16f40d75244bcb8293a6a564ce8b6f94b5c9a50f52986ba031a51475c2d364588ba24a45e2d
SHA1 hash: a3288dafe2d5b2758846cbb685684583411494a2
MD5 hash: d09dec170b549ce4a803423a73f1ca12
humanhash: grey-tango-queen-washington
File name:oder.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'497'333 bytes
First seen:2022-11-01 11:37:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:7AOcZX4c9rYLMbYjqTfJ7UOO1mIgRBltn9zKnyjdrZYLphOaC/EZQ/J+43DsIYnV:djMEjqTBHQWXbFeyjJ6LPO3nh+y+V
TLSH T1BD651202B2D68872E4322A315936F711AD7D7E301E74DB6FA3D4696C8F325C19128FB6
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9ee2e8e8d8c8e28e (5 x Formbook, 1 x RemcosRAT)
Reporter pr0xylife
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
oder.exe
Verdict:
Malicious activity
Analysis date:
2022-11-01 11:39:34 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/e1c493a0-24a7-4194-b0c6-46f72c2e2ad1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326800/
Detection(s):
Win.Dropper.Nanocore-9976449-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Creating a file
Adding an access-denied ACE
Setting a keyboard event handler
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47236/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll strictor
Link:
https://www.filescan.io/uploads/6361051b58409ff7bc0c731c/reports/be1e12b2-b06f-4b28-b812-d0de25aea839/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a60ee48a-fad0-4de1-8c96-b39c1c2df2d6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102474
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 735134 Sample: oder.exe Startdate: 01/11/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Remcos RAT 2->48 50 2 other signatures 2->50 8 oder.exe 3 86 2->8         started        11 beqgxodpl.exe 1 2->11         started        13 beqgxodpl.exe 2->13         started        15 beqgxodpl.exe 2->15         started        process3 file4 34 C:\Users\user\AppData\Local\...\beqgxodpl.exe, PE32 8->34 dropped 17 wscript.exe 1 8->17         started        19 RegSvcs.exe 11->19         started        21 RegSvcs.exe 13->21         started        23 RegSvcs.exe 15->23         started        process5 process6 25 beqgxodpl.exe 1 3 17->25         started        file7 36 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 25->36 dropped 52 Antivirus detection for dropped file 25->52 54 Multi AV Scanner detection for dropped file 25->54 56 Found API chain indicative of sandbox detection 25->56 58 3 other signatures 25->58 29 RegSvcs.exe 2 16 25->29         started        signatures8 process9 dnsIp10 40 83.229.39.38, 2404, 49696 SKYVISIONGB United Kingdom 29->40 42 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 29->42 38 C:\ProgramData\remcos\logs.dat, data 29->38 dropped 60 Installs a global keyboard hook 29->60 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-31 16:39:56 UTC
File Type:
PE (Exe)
Extracted files:
107
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hr6ji2vzxwpxfcjizal5msfzqchlo6b3jsttoeafacj7brdnl5qq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:svnhost persistence rat
Link:
https://tria.ge/reports/221101-nrp9qacdgq/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
83.229.39.38:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3ea0ab40-0d47-485b-a6ef-678beef0ceb3
Unpacked files
SH256 hash:
c02aeb182e20e650afa5b9a00cc04e56099210dcada4abac24d609be748f185c
MD5 hash:
8f7628e6f707fe28e51cb8a359814bf6
SHA1 hash:
8d351dfc862b72d6bb27a5f39d57c7e670752cbd
Detections:
Remcos
Create hunting rule
Link:
https://www.unpac.me/results/4fa57a48-0609-45f6-aeae-3a8bc29bf8d8/
SH256 hash:
9d8b492e7a222af082b24d87145505f8c79d70bdb2810bd8fcf73cb7c8c9e203
MD5 hash:
5a785c4e4c48a21bec8780edd1bcb7fd
SHA1 hash:
177a19992818c726955e2571eb3ff01947a1ecb3
Link:
https://www.unpac.me/results/4fa57a48-0609-45f6-aeae-3a8bc29bf8d8/
SH256 hash:
3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61
MD5 hash:
d09dec170b549ce4a803423a73f1ca12
SHA1 hash:
a3288dafe2d5b2758846cbb685684583411494a2
Link:
https://www.unpac.me/results/4fa57a48-0609-45f6-aeae-3a8bc29bf8d8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c7c946ab9bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/326800/
  
URLhaus
https://urlhaus.abuse.ch/url/2395112/
  
Delivery method
Distributed via web download

Comments