MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c
SHA3-384 hash: 626ecc0cbd71630427cb647aaba58ba1430f07b2c33c057d1bac83ff17cc37de18bc4bb210321c26958da76d7c1c154f
SHA1 hash: 985958bcec04eda5c36644321bd41c9e8df5aa8b
MD5 hash: 264577eca80b38669cfb5004945e4311
humanhash: uncle-november-single-fruit
File name:264577eca80b38669cfb5004945e4311.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:562'176 bytes
First seen:2022-08-29 08:09:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:l7dxYL5Eg61sI3BlinR1BMPx7Fj+RcsqJbwH7pQRdz0aIXWX6N:l7ML5EgxI3BlA1Y7Fj0cBMH7pmogY
TLSH T121C4120573A09B96C7BE0BF064E194D18776B3562153DB7D288A26EC0E7A393C24736F
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 62e4dcfe7efefce8 (12 x AgentTesla, 8 x Loki, 6 x Formbook)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
264577eca80b38669cfb5004945e4311.exe
Verdict:
Malicious activity
Analysis date:
2022-08-29 08:15:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77ff1b78-efe1-43b6-af8b-b6c7b5742856

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302110/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Launching a process
Running batch commands
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/630c746f2fdf5a082590764e/reports/33f0addd-db67-44ed-bc1d-e3ca53901331/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/182003f2-7d54-4108-b8a7-3dc5d8de9ded
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059650
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (mscfile / eventvwr.exe)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 692167 Sample: rOy6e7mQIJ.exe Startdate: 29/08/2022 Architecture: WINDOWS Score: 100 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 9 other signatures 2->100 12 rOy6e7mQIJ.exe 3 2->12         started        16 Microsoft Security Health.exe 2 2->16         started        18 Microsoft Security Health.exe 2 2->18         started        process3 file4 80 C:\Users\user\AppData\...\rOy6e7mQIJ.exe.log, ASCII 12->80 dropped 116 Injects a PE file into a foreign processes 12->116 20 rOy6e7mQIJ.exe 1 5 12->20         started        24 conhost.exe 12->24         started        118 Drops executables to the windows directory (C:\Windows) and starts them 16->118 26 Microsoft Security Health.exe 16->26         started        29 Microsoft Security Health.exe 18->29         started        signatures5 process6 dnsIp7 76 C:\Windows\...\Microsoft Security Health.exe, PE32 20->76 dropped 78 Microsoft Security...exe:Zone.Identifier, ASCII 20->78 dropped 102 Creates an autostart registry key pointing to binary in C:\Windows 20->102 31 cmd.exe 1 20->31         started        34 cmd.exe 1 20->34         started        90 192.168.2.1 unknown unknown 26->90 104 UAC bypass detected (mscfile / eventvwr.exe) 26->104 36 eventvwr.exe 26->36         started        38 eventvwr.exe 26->38         started        file8 signatures9 process10 signatures11 122 Uses ping.exe to sleep 31->122 40 Microsoft Security Health.exe 3 31->40         started        42 PING.EXE 1 31->42         started        45 conhost.exe 31->45         started        124 Uses cmd line tools excessively to alter registry or file data 34->124 126 Uses ping.exe to check the status of other devices and networks 34->126 47 reg.exe 1 34->47         started        50 conhost.exe 34->50         started        52 mmc.exe 36->52         started        process12 dnsIp13 54 Microsoft Security Health.exe 2 1 40->54         started        57 Microsoft Security Health.exe 40->57         started        92 127.0.0.1 unknown unknown 42->92 128 Disables UAC (registry) 47->128 59 mmc.exe 52->59         started        signatures14 process15 signatures16 106 Detected Remcos RAT 54->106 108 Writes to foreign memory regions 54->108 110 Allocates memory in foreign processes 54->110 112 Injects a PE file into a foreign processes 54->112 61 cmd.exe 1 54->61         started        64 iexplore.exe 12 54->64         started        114 Tries to delay execution (extensive OutputDebugStringW loop) 59->114 process17 signatures18 120 Uses cmd line tools excessively to alter registry or file data 61->120 66 conhost.exe 61->66         started        68 reg.exe 61->68         started        70 chrome.exe 64->70         started        process19 dnsIp20 82 239.255.255.250 unknown Reserved 70->82 73 chrome.exe 70->73         started        process21 dnsIp22 84 part-0032.t-0009.fbs1-t-msedge.net 13.107.219.60, 443, 49759 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 73->84 86 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49758 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 73->86 88 9 other IPs or domains 73->88
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 07:45:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ithdbm5uimjqrnprjyvgmr4edkrkl2dcpeyida3of56hylndakoa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:26th aug evasion persistence rat trojan
Link:
https://tria.ge/reports/220829-j2qk1seban/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
referantsa14.duckdns.org:4045
Unpacked files
SH256 hash:
1ca2fb431dfe9cd49b065097c444ab6d15cc4f510cb37fe307e65682f6de4ee3
MD5 hash:
af4c34db7a5df2d41d8f69af6ac3e615
SHA1 hash:
f4b4148c32e2d105e516d9d7b1b3342a913f5123
Link:
https://www.unpac.me/results/ae541349-3cc6-49c4-b074-244a8fcabc31/
SH256 hash:
9d01774e06a78ac2c090e3bbe7f72b9b6ceebafa6b6f7a0bc6f7a4daba5c8980
MD5 hash:
f6f33b1d4e1d113a0a4d577d3c091760
SHA1 hash:
bb54c49caf094163fa27fb5c2bb1b31755168332
Link:
https://www.unpac.me/results/ae541349-3cc6-49c4-b074-244a8fcabc31/
SH256 hash:
b3677cd697e04efd6a8f19a5ba8e771029eee947e75be2056ce273ebcf65b141
MD5 hash:
d1e0aa638c69523264cdaa5ecb74843d
SHA1 hash:
4651d76207c9c6f735691336837f46e1cad448b1
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae541349-3cc6-49c4-b074-244a8fcabc31/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/ae541349-3cc6-49c4-b074-244a8fcabc31/
SH256 hash:
c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e
MD5 hash:
966c65a2893f62df72494272d810448f
SHA1 hash:
de82f765123b6ed954996603b663e9bac36acfb6
Link:
https://www.unpac.me/results/ae541349-3cc6-49c4-b074-244a8fcabc31/
SH256 hash:
44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c
MD5 hash:
264577eca80b38669cfb5004945e4311
SHA1 hash:
985958bcec04eda5c36644321bd41c9e8df5aa8b
Link:
https://www.unpac.me/results/ae541349-3cc6-49c4-b074-244a8fcabc31/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44ce30b3b443/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2272201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/302110/

Comments