MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b
SHA3-384 hash: 6ec621cd5421353cd29b5525d9014cd0ed0ec303e302813de9567760480f287e1c4b6f3f0757df60fc016fbd46d8e117
SHA1 hash: da89c02ba7e27bca48d1d8b38ec7e759c09818a1
MD5 hash: d39d493b27584c9c4dc9e0d3f03d0a0a
humanhash: robin-green-kansas-football
File name:d39d493b27584c9c4dc9e0d3f03d0a0a.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:808'448 bytes
First seen:2022-06-28 10:23:10 UTC
Last seen:2022-06-28 10:49:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:05PBgXmof7B+fpR0IWxC3LUAcNTIg1sCpuTw3BlgkDhkaWfOzWoxKnr5byks6u8:0hSWaS3Wm/cNsKvgkrDhkDOzWLU6u8
Threatray 2'515 similar samples on MalwareBazaar
TLSH T1320523BEB87EEB2BD561A730C452F2FC8FFC5A148120E9268C9A590C2DD075985EF51C
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 7e646c6464c6c6e4 (3 x Formbook, 1 x RemcosRAT, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
http://104.168.32.43/324/vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-06-27 23:26:12 UTC
Tags:
rat remcos keylogger stealer
Link:
https://app.any.run/tasks/5796f59c-7af3-4a70-b216-6d25544c59f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283879/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bad706a17f249ae3e34aee/reports/b3b35aee-f4aa-4cf1-834a-781c9ce5bf4a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c63f9a17-b998-4a81-af2d-4fa452a4d737
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021090
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 653583 Sample: Yn9v7bIjaL.exe Startdate: 28/06/2022 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 8 other signatures 2->56 7 Yn9v7bIjaL.exe 1 5 2->7         started        11 Fhzjx.exe 2->11         started        13 Fhzjx.exe 2->13         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\Fhzjx.exe, PE32 7->30 dropped 32 C:\Users\user\...\Fhzjx.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\...\Yn9v7bIjaL.exe.log, ASCII 7->34 dropped 60 Encrypted powershell cmdline option found 7->60 62 Writes to foreign memory regions 7->62 64 Injects a PE file into a foreign processes 7->64 15 InstallUtil.exe 2 17 7->15         started        19 powershell.exe 15 7->19         started        66 Antivirus detection for dropped file 11->66 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 signatures5 process6 dnsIp7 36 imranmhemoodcheema.ddns.net 179.43.154.168, 49798, 49799, 8903 PLI-ASCH Panama 15->36 38 geoplugin.net 178.237.33.50, 49801, 80 ATOM86-ASATOM86NL Netherlands 15->38 40 192.168.2.1 unknown unknown 15->40 42 Contains functionality to steal Chrome passwords or cookies 15->42 44 Contains functionality to inject code into remote processes 15->44 46 Contains functionality to steal Firefox passwords or cookies 15->46 48 3 other signatures 15->48 21 InstallUtil.exe 2 15->21         started        24 InstallUtil.exe 15->24         started        26 InstallUtil.exe 15->26         started        28 conhost.exe 19->28         started        signatures8 process9 signatures10 58 Tries to harvest and steal browser information (history, passwords, etc) 21->58
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 02:27:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqqyvsoo3qnzjjhxzikihpqi5zmmz7rphafo55ti4g5iq66skifq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
RemcosRAT
49bc50c3b1ff689c3cbcfcf1f7d42f29547f15f4ab990dafc27f5eb4b562d446
RemcosRAT
5f37b5f63e3badceb3ea40bb2a6cef92e466410bebbf6864d6d4b5100b6114eb
RemcosRAT
b07f08cbf908eb0d5c93679c8dca8438e4f185a70d675ad79184533dc6b4b262
RemcosRAT
c208cb83639f1b0a5bac59a310c377fb31f7d7dae0084f557461b8d4312c81a6
RemcosRAT
e04e4c474ded78364c1f802de5a653e2d495bc1a0ddb78325962778a221970e6
RemcosRAT
+ 2'505 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ip collection persistence rat
Link:
https://tria.ge/reports/220628-mfdacaggcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
imranmhemoodcheema.ddns.net:8903
Unpacked files
SH256 hash:
0626d464f8f0ece4063efdc43dd3050cdea75401425da6f1b3f08c5f97a94851
MD5 hash:
939204bf6191b54d86698c9a783a98ba
SHA1 hash:
97890a554a8a42f73723a8b83b36758abdc789d1
Link:
https://www.unpac.me/results/c3afa978-3605-4744-9cc9-f35dbaf2ef3e/
SH256 hash:
18128024864552d7e429b55df5ae731fce7e50f3e0f4da1609b7010d7a26cbba
MD5 hash:
8b76234d30a0589574a017f5442393c8
SHA1 hash:
4c1c5752429b8a9f18bc739c84e65c32f1ba3c2d
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3afa978-3605-4744-9cc9-f35dbaf2ef3e/
Parent samples :
f4085209b3190363b6f4cb1ac45ae0f2bfd2e062a065feedb2a82f055a0f1c27
44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b
SH256 hash:
2475569adb3047dccc7d7e4a756121c3ce9a6e39eae9fde76d832d6c4e1188f8
MD5 hash:
3f1ecfd3ac37001cd2d0a6d6078e7366
SHA1 hash:
316ba87a8119143b0302e768f3868b74dc44a021
Link:
https://www.unpac.me/results/c3afa978-3605-4744-9cc9-f35dbaf2ef3e/
SH256 hash:
44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b
MD5 hash:
d39d493b27584c9c4dc9e0d3f03d0a0a
SHA1 hash:
da89c02ba7e27bca48d1d8b38ec7e759c09818a1
Link:
https://www.unpac.me/results/c3afa978-3605-4744-9cc9-f35dbaf2ef3e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44218ac9cedc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 44218ac9cedc1b94a4f7ca1483be08ee58ccfe2f380aeef668e1ba887bd2520b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2251303/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/283879/

Comments