MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c9a73e7828b5950185cc73ac516867e2fdd59a27decb3049136d8d6553b5640. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	3c9a73e7828b5950185cc73ac516867e2fdd59a27decb3049136d8d6553b5640
SHA3-384 hash:	e1d010e431555e95af10498e5cf8e5d7ea0450a871785f46bce0fe7fd86105081b8ec13a040aa377f19a1320c040e0ff
SHA1 hash:	5d1ca5ac491318e68f1e9541b957f963fe8c6ed9
MD5 hash:	0963fe91be9c4352eddf001cb385e294
humanhash:	delta-montana-dakota-speaker
File name:	FW Enquiry for URGENT Order.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'268'224 bytes
First seen:	2022-09-05 10:28:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	24576:12Z55A0rZTaLzMZU4UYg7tO8Ycc5X7m4QKzXXY+mzo3bv:255AMZTakW4UYg7I8i7m4QgHlmzM
TLSH	T19B45124AE2586BA3F40247F55824E220077BBF0B44BCC3496DFEF5EA20B5BD61192E57
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	madjack_red
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FW Enquiry for URGENT Order.exe

Verdict:

Malicious activity

Analysis date:

2022-09-05 10:28:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/30a344ec-945d-4644-85d3-599e1d7b1dfa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307805/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1427-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/6315cf7718c697f6f229b5cc/reports/f82111b5-4426-4dc9-a60b-cd29b8e6b17f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fdd8ecd1-ff30-418f-b118-ed0d0299a062

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1065033

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/3c9a73e7828b5950185cc73ac516867e2fdd59a27decb3049136d8d6553b5640/

Threat name:

ByteCode-MSIL.Trojan.Remcos

Status:

Malicious

First seen:

2022-09-02 02:23:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hsnhhz4crnmvagc4y45mkfugpyx52wncpxwlgberg3mnmvj3kzaa._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remcos stub rat

Link:

https://tria.ge/reports/220905-mhn5mahhd6/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

kashbilly222.ddns.net:5050

Unpacked files

SH256 hash:

c59a37db15606e42926bfea3ec625c2653209606e8c26248a3d16b4788cc66b4

MD5 hash:

68ac8cfbfcb01ec74087d2843b06bb7c

SHA1 hash:

f5b7b9673301688eb5698cae43728633683c29c0

Link:

https://www.unpac.me/results/e12453bf-9a2a-4d4a-9a9e-d57d3f76fd0a/

SH256 hash:

c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e

MD5 hash:

966c65a2893f62df72494272d810448f

SHA1 hash:

de82f765123b6ed954996603b663e9bac36acfb6

Link:

https://www.unpac.me/results/e12453bf-9a2a-4d4a-9a9e-d57d3f76fd0a/

SH256 hash:

c6e228d6f1e1c4194431710697642ec2fb4972cde211dda0f52ebe4a8ea336ea

MD5 hash:

33e4a676b7a23b4d5a90ad849f9c5fc6

SHA1 hash:

b6ef0a0717f81df6c7b2c1ffa1d7fc88a028c7bc

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/e12453bf-9a2a-4d4a-9a9e-d57d3f76fd0a/

Parent samples :

2f42c0e9bc0822908c8efee840a2da430abfb5a3dfe3364d782f876fc150a748
ecf1b219adc24822bf9dc4593509ff7052a8e62a3715143235c0347cde7f354b
3c9a73e7828b5950185cc73ac516867e2fdd59a27decb3049136d8d6553b5640

SH256 hash:

6f6e0a5e26964b03816249398b468cecea7c5ac8b1b34331321798bff0fa90c1

MD5 hash:

baaf6f8368f1ea264e2b697f35063328

SHA1 hash:

8c06ba9201d8eb1e3ba80b01b66a9340a8bf286e

Link:

https://www.unpac.me/results/e12453bf-9a2a-4d4a-9a9e-d57d3f76fd0a/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/e12453bf-9a2a-4d4a-9a9e-d57d3f76fd0a/

SH256 hash:

3c9a73e7828b5950185cc73ac516867e2fdd59a27decb3049136d8d6553b5640

MD5 hash:

0963fe91be9c4352eddf001cb385e294

SHA1 hash:

5d1ca5ac491318e68f1e9541b957f963fe8c6ed9

Link:

https://www.unpac.me/results/e12453bf-9a2a-4d4a-9a9e-d57d3f76fd0a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3c9a73e7828b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c9a73e7828b5950185cc73ac516867e2fdd59a27decb3049136d8d6553b5640

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/307805/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample