MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 16



SHA256 hash: 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
SHA3-384 hash: 44ef6c633d0ac3db1fef849dfd617bb085be98f0cd30c7ab81e3c4e65f92f429fe9c034af52f9a16dc542527fe02890c
SHA1 hash: aae29f7ef62d5329c27c2040ed573d0ddc9a522e
MD5 hash: f8b7ccfaa25ad7547501496c248c178e
humanhash: princess-quebec-bulldog-violet
File name: 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
Signature: RemcosRAT
File size: 703'488 bytes
First seen: 2022-08-05 09:29:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (31'208 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep: 12288:2u82iNDXR0NSqCGCHw1jZIvNds4mcGrONHhbP7r9r/+ppppppppppppppppppppZ:E1rvqCGCQJZIvoYGoHhb1qH
Threatray: 3'766 similar samples on MalwareBazaar
TLSH: T133E48E80E586B664DE19D7745BFACC754533BD6AE838952C28DD3F37BBB7AA20011023
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: d4c4c4d8ccd4f0cc (77 x AgentTesla, 46 x Loki, 21 x QuasarRAT)
Reporter: @adrian__luca
Tags: exe RemcosRAT
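The imphash above is a weak pivot for this sample. An imphash is the MD5 of the normalised import list, and the native stub of every managed (.NET) executable imports exactly one symbol, mscoree.dll!_CorExeMain, so AgentTesla, Formbook loaders and SnakeKeylogger builds all share the same value, which is what the match counts on the imphash line show. The added example below is not MalwareBazaar's or pefile's own code; it reimplements the imphash algorithm as pefile computes it, over an import list given as (dll, symbol-or-ordinal) pairs. The ws2_32.dll ordinal table is a partial subset written for the example, and the native import table is constructed for illustration, not taken from this sample.

```python
import hashlib

# Partial ordinal table for ws2_32.dll (these ordinals are stable across
# Windows versions). pefile also carries a table for oleaut32.dll; this
# subset is enough to show the ordinal-to-name step. Assumed/partial.
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
    16: "recv", 19: "send", 23: "socket",
    52: "gethostbyname", 115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS}


def normalise_dll(dll_name):
    """Lower-case the module name and drop a .dll/.ocx/.sys extension,
    the same normalisation pefile applies before hashing."""
    name = dll_name.lower()
    base, _, ext = name.rpartition(".")
    if base and ext in ("dll", "ocx", "sys"):
        return base
    return name


def import_string(dll_name, func):
    """One 'dll.func' token. `func` is a symbol name or an ordinal (int).
    Ordinals are resolved through the per-DLL table when one exists,
    otherwise they become 'ordN', exactly as pefile does."""
    dll = normalise_dll(dll_name)
    if isinstance(func, int):
        func = ORDINAL_TABLES.get(dll, {}).get(func, "ord%d" % func)
    return "%s.%s" % (dll, func.lower())


def imphash(imports):
    """imphash of an import list [(dll_name, func_or_ordinal), ...] in
    import-table order. Order matters: the same symbols in a different
    order produce a different hash."""
    tokens = [import_string(dll, f) for dll, f in imports]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


# A managed (.NET) executable: the loader stub imports a single symbol.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed native import table for contrast, not from the sample.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateProcessW"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("USER32.dll", "SetWindowsHookExW"),
    ("WS2_32.dll", 23),   # socket, imported by ordinal
    ("WS2_32.dll", 4),    # connect, imported by ordinal
]

if __name__ == "__main__":
    print(".NET stub imphash :", imphash(DOTNET_IMPORTS))
    print("native imphash    :", imphash(NATIVE_IMPORTS))
```

Because the managed stub's import table is identical for every .NET binary, pivoting on this imphash returns a family-agnostic pile of commodity malware; for .NET samples, TLSH, ssdeep or the dhash of the icon (also listed above) are the more discriminating similarity fields on this page.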

Intelligence


File Origin
# of uploads: 1
# of downloads: 279
Origin country: HU
Mail intelligence: No data
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
Verdict: Malicious activity
Analysis date: 2022-08-05 09:28:58 UTC
Tags: rat remcos trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Threat name: ByteCode-MSIL.Spyware.SnakeLogger
Status: Malicious
First seen: 2022-07-26 01:14:54 UTC
File Type: PE (.Net Exe)
Extracted files: 44
AV detection: 21 of 26 (80.77%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:jd rat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction: 37.120.210.219:3398
Unpacked files
SHA256 hash: 2e75b8e188e87be8eaf547a077164e2b4f4cb2b24c8ab9647f47328c798db9fa
MD5 hash: 53104a32379a8e590fd889d58808bc5f
SHA1 hash: ff49c16a60218f2aff0bf5df02627e895982ec0e

SHA256 hash: 5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6
MD5 hash: 01800f6b045def8d90c649842f56d752
SHA1 hash: f8434a4636d0772d01aac44bb3f9753a41f01d34

SHA256 hash: 4ade3e7ad7c6a9f440132d0d871df54824f8d1f9933743723016989e6089d17c
MD5 hash: 8e98fec1fecac4755a126fca2e35f965
SHA1 hash: f2696c1c9d893de1f12c1438f24bea37e7684b5e
Detections: win_remcos_g0 win_remcos_auto

SHA256 hash: 42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b
MD5 hash: f8b7ccfaa25ad7547501496c248c178e
SHA1 hash: aae29f7ef62d5329c27c2040ed573d0ddc9a522e
Detections: win_cannon_auto
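The extracted C2 socket and the unpacked-file hashes above are the IOCs a responder would sweep for. The added example below is not MalwareBazaar's code: it takes those values as IOC sets and checks constructed inputs against them, an in-memory file set against the SHA256 list and a made-up Zeek conn.log excerpt against the C2. Exact host-and-port hits are reported separately from host-only hits, so traffic to the same IP on another port is surfaced as a weaker signal instead of being merged in or dropped. The log lines, file paths and file contents are constructed for the example and are not the real sample.

```python
import hashlib

# IOCs as listed in this MalwareBazaar entry: the submitted sample, its
# unpacked payloads, and the C2 socket pulled from the Remcos config.
FILE_HASHES = {
    "42638e51cd3eff415ce751e700d233596988fd51ffba584b18dd2e78ec07bc2b",
    "2e75b8e188e87be8eaf547a077164e2b4f4cb2b24c8ab9647f47328c798db9fa",
    "5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6",
    "4ade3e7ad7c6a9f440132d0d871df54824f8d1f9933743723016989e6089d17c",
}
C2_SOCKETS = {("37.120.210.219", 3398)}

# Constructed Zeek conn.log excerpt (tab-separated, header lines omitted).
# Field order follows the default conn.log: ts uid id.orig_h id.orig_p
# id.resp_h id.resp_p proto ...  All three lines are made up.
CONN_LOG = """\
1659691784.101\tCk3x1a\t10.0.0.15\t49813\t37.120.210.219\t3398\ttcp
1659691790.220\tCk3x1b\t10.0.0.15\t49814\t142.250.74.78\t443\ttcp
1659691792.457\tCk3x1c\t10.0.0.22\t51002\t37.120.210.219\t443\ttcp
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_files(files, hashes=FILE_HASHES):
    """files: {path: bytes}. Returns the paths whose SHA256 is in `hashes`."""
    return sorted(p for p, data in files.items() if sha256_hex(data) in hashes)


def match_conn_log(text, sockets=C2_SOCKETS):
    """Scan conn.log lines for the C2. Returns (exact, host_only): exact
    holds (uid, resp_h, resp_p) where host AND port match a listed socket;
    host_only holds connections to a listed host on some other port."""
    exact, host_only = [], []
    c2_hosts = {h for h, _ in sockets}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 7:
            continue  # truncated or malformed record, skip it
        uid, resp_h, resp_p = f[1], f[4], int(f[5])
        if (resp_h, resp_p) in sockets:
            exact.append((uid, resp_h, resp_p))
        elif resp_h in c2_hosts:
            host_only.append((uid, resp_h, resp_p))
    return exact, host_only


# Constructed file set standing in for the drop locations the sandboxes
# reported (%AppData% and %temp%); neither file is the real sample.
FILES = {
    "C:/Users/u/AppData/Roaming/notes.txt": b"quarterly figures\n",
    "C:/Users/u/AppData/Local/Temp/x.exe": b"MZ" + b"\x00" * 62,
}

if __name__ == "__main__":
    print("file hits    :", match_files(FILES))
    exact, weak = match_conn_log(CONN_LOG)
    print("c2 exact     :", exact)
    print("c2 host-only :", weak)
```

Hash matching only catches byte-identical copies; a rebuilt Remcos stub with a different config will not hit, which is why the network IOC and the behavioural signatures listed above (scheduled-task creation, SetWindowsHookEx, WriteProcessMemory into a foreign process) are the more durable detections to operationalise.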

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_cannon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments