MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1
SHA3-384 hash: 87a528ee76dd77bb1c56a6bdfd27bdb2ddfd2ce80739452a93a7aefd08c524ca70d56f6d920ac33ab7106b9e1040f09f
SHA1 hash: 90465b3cf20e2a0f5f39a49313cc1a92671b34e5
MD5 hash: 2d5b3a4197f716b1600e32a3cbfa7b1e
humanhash: arizona-tennessee-victor-lemon
File name:2d5b3a4197f716b1600e32a3cbfa7b1e
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:665'600 bytes
First seen:2021-07-08 17:57:30 UTC
Last seen:2021-07-08 18:47:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:aHPn4HHOqpc/XJeeOsHLVF0Td3W3Ylv8c+tp5QspJkVnfzd15xa7H6O:CPn6pc/ZLOsHnG38RtfP+f3gf
Threatray 27 similar samples on MalwareBazaar
TLSH T181E42365F660F254FECA15BA845E3CDC43F8F60B9CF4895D196C161339A2BBD4C03AA2
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2d5b3a4197f716b1600e32a3cbfa7b1e
Verdict:
Malicious activity
Analysis date:
2021-07-08 17:59:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71d4cfc9-a404-48a3-9754-828001c94bc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170532/
Detection(s):
SecuriteInfo.com.Artemis2D5B3A4197F7.16008.30957.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1586154-e4dc-4d01-ae12-34b97a5d372f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813671
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 17:01:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqmekgwgfug6253imf7scnmykzlqaycmzgcwznvsocpr4uyeykqq._file
Verdict:
unknown
Similar samples:
36d66cc784c6f77b43ed1293123ffdd00c3121fef540f1cfa9c17f1da6e6aa4c
RemcosRAT
78ea6e9ce4dc8bc4fc5dea97cab8ccd9128da9d8121824300e85e916cda5b190
RemcosRAT
a89bc5bfb93026e56434c1354508dfa0a66821d35f522429582067fc7f9200cc
RemcosRAT
ac09b75d9728cea73319605aee734b0b776e2d1677914f975674ce6674f3a5f3
RemcosRAT
af9106047d3438d552b682513293bba89c20d49ecce9d535b9e136b91f640a7b
RemcosRAT
b87b28a8f83442cb616dd3da7e520617a8b57280ca0098fb3721d6142978cc5f
RemcosRAT
bdc053240c0b051e88e2a38119cde7e92473f04fd9b6c08960a8a59cf91e1ec5
RemcosRAT
ce9820f87744f7cd5f16e60470ec525cf1852762d5914278815b01737d4adacd
RemcosRAT
d5bf73c697fe079c68e107fa41cc97a328c6190507a8514a26376ef554659d9d
RemcosRAT
e93cf93e8ff851cd540fa165166665bbb0f5bfd1103166686230e9cb810caa05
RemcosRAT
+ 17 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ach link pdf persistence rat
Link:
https://tria.ge/reports/210708-yr3v91mh8e/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
Remcos
Malware Config
C2 Extraction:
freightmgmt.duckdns.org:691
Unpacked files
SH256 hash:
6e645448f93242a013a0993df05e9f5110e522dd28d43671f386c9af7e9149f8
MD5 hash:
08997256dae426d985e82d6e2e8c72cb
SHA1 hash:
fbf352ee9e04fc08106d233818f460a7760b404b
Link:
https://www.unpac.me/results/b0960f53-1ecd-41e3-a453-087e93fb18da/
SH256 hash:
058a2d4a7252978718c65477f5e08dd2134be6b79f6bc873ca610980126ac97c
MD5 hash:
dd247e41c1a8bb5b108c043da95024b1
SHA1 hash:
91264a788a76f8b1ee7c30ca36b1782fabf2b97e
Link:
https://www.unpac.me/results/b0960f53-1ecd-41e3-a453-087e93fb18da/
SH256 hash:
c07f2ba2c8a6a69283dcbde7d009fe78663a88e9f12000f9571af86c98475f5e
MD5 hash:
6e27333d44a472783cdb488cd8dfb721
SHA1 hash:
226fa3d19c6316f47b1379d06bbb190c7fff4151
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/b0960f53-1ecd-41e3-a453-087e93fb18da/
Parent samples :
2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc
129b7cf64e3afecabb3a0c27fedc69cbade9c81ce3c0a5da367717bdef49f7c9
5c85d31e96aa84a80c123af889f960bbf39a7c13a2ed9e2d9644ad2e3fa366de
8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7
4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1
7f03d6f5a38d18082c3dd60b773921aecd203a839446a4aca4908309a004b4a4
ac0afc6e6de1b0682478fe38c23f21578acc6e6f1f43f8bf56d2bd400b69237a
SH256 hash:
c61a5e6c93e85661e5596850fa90371f31446a31f6064822088db3e723f7ed71
MD5 hash:
a2cae4bde5ac3e68fc59f6410b5b64c2
SHA1 hash:
0be083aead2860a4b3f45c7b4c4ad69025f610df
Link:
https://www.unpac.me/results/b0960f53-1ecd-41e3-a453-087e93fb18da/
SH256 hash:
4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1
MD5 hash:
2d5b3a4197f716b1600e32a3cbfa7b1e
SHA1 hash:
90465b3cf20e2a0f5f39a49313cc1a92671b34e5
Link:
https://www.unpac.me/results/b0960f53-1ecd-41e3-a453-087e93fb18da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1436729/
Cape
Cape
https://www.capesandbox.com/analysis/170532/

Comments


Avatar
zbet commented on 2021-07-08 17:57:31 UTC

url : hxxp://greenpayindia.com/ConsoleApp131.exe