MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46c3cda4b6dbdae4d3347998364fa2981157c31d2cc8dfb765a5ecf1098484ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46c3cda4b6dbdae4d3347998364fa2981157c31d2cc8dfb765a5ecf1098484ea
SHA3-384 hash: 922eec9adb873e70aab862d9888076bf7280f97e799ae98934411a3c2918d315797fd45e9ba4d626667a57d76ffdcdd8
SHA1 hash: d5cb5f56aa571dc561508736e8838f0de8167815
MD5 hash: 08d4b0143bc20bd5f2e49bdf37d91205
humanhash: salami-finch-berlin-emma
File name:FERP 830_cln.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:806'912 bytes
First seen:2023-01-11 19:17:11 UTC
Last seen:2023-01-11 20:29:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:BAf472UHjw/UUp0X3y2pN5r2ZvauqfnrLuYR6C78sY3H4iDACu:eGoUUp0nJ7iZSBfnOYQCghH4iDAC
Threatray 2'458 similar samples on MalwareBazaar
TLSH T19A057DDE23F0000BE51846B1E855AED01A51DCF97B53C716BD89FCCEAEB23E550262E6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4bada9ae8cca4c8 (13 x Formbook, 6 x AgentTesla, 5 x AveMariaRAT)
Reporter 0xToxin
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
FERP 830_cln.exe
Verdict:
Malicious activity
Analysis date:
2023-01-11 19:19:05 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/712b50e6-6b9b-48ab-b01f-f81038a5526e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/352045/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1032.8584.6074.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Running batch commands
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug anti-vm hacktool obfuscated packed
Link:
https://www.filescan.io/uploads/63bf0b6bdde391056ac222e8/reports/e7815300-29e0-428e-934c-63fe80d6b923/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1100a877-7638-4be6-8d5f-d07b5e69b114
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149856
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782595 Sample: FERP 830_cln.exe Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 78 Malicious sample detected (through community Yara rule) 2->78 80 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 4 other signatures 2->84 7 FERP 830_cln.exe 4 2->7         started        11 stle.exe 3 2->11         started        13 stle.exe 2 2->13         started        process3 file4 60 C:\Users\user\...\FERP 830_cln.exe.log, ASCII 7->60 dropped 86 Writes to foreign memory regions 7->86 88 Allocates memory in foreign processes 7->88 90 Injects a PE file into a foreign processes 7->90 15 csc.exe 2 16 7->15         started        20 cmd.exe 3 7->20         started        22 cmd.exe 2 7->22         started        30 2 other processes 7->30 92 Multi AV Scanner detection for dropped file 11->92 94 Machine Learning detection for dropped file 11->94 24 cmd.exe 11->24         started        26 cmd.exe 1 11->26         started        32 2 other processes 11->32 28 cmd.exe 1 13->28         started        34 3 other processes 13->34 signatures5 process6 dnsIp7 62 nuevocarro.con-ip.com 181.131.217.190, 49718, 7770 EPMTelecomunicacionesSAESPCO Colombia 15->62 64 geoplugin.net 178.237.33.50, 49719, 80 ATOM86-ASATOM86NL Netherlands 15->64 66 192.168.2.1 unknown unknown 15->66 54 C:\ProgramData\remcos\logs.dat, data 15->54 dropped 68 Contains functionality to steal Chrome passwords or cookies 15->68 70 Contains functionality to steal Firefox passwords or cookies 15->70 72 Installs a global keyboard hook 15->72 74 Delayed program exit found 15->74 56 C:\Users\user\AppData\Roaming\stle\stle.exe, PE32 20->56 dropped 58 C:\Users\user\...\stle.exe:Zone.Identifier, ASCII 20->58 dropped 36 conhost.exe 20->36         started        76 Uses schtasks.exe or at.exe to add and modify task schedules 22->76 38 conhost.exe 22->38         started        46 2 other processes 24->46 40 conhost.exe 26->40         started        48 2 other processes 28->48 50 2 other processes 30->50 42 WerFault.exe 3 10 32->42         started        44 conhost.exe 32->44         started        52 2 other processes 34->52 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46c3cda4b6dbdae4d3347998364fa2981157c31d2cc8dfb765a5ecf1098484ea/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 19:18:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3b43jfw3pnojuzupgmdmt5ctaivpqy5ften7n3fuxwpccmeqtva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
RemcosRAT
105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13
RemcosRAT
5e4bb39ac038489323ac580de023cc34f016f29e7f75f79872dcfc4123737cad
RemcosRAT
5f61b50531659487b56d97323a53c7c58445a62fb9f47489cd07b38feb3d4527
RemcosRAT
661c658fee6ad38a71803820b9eeb55f8cc9fb905117d55002d4da85696a26d2
RemcosRAT
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
RemcosRAT
ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8
RemcosRAT
be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162
RemcosRAT
d42f6ad0179bb066b735f67d8141a091fd468cb7c71118645cebe381622ac8fa
RemcosRAT
f7f8d1ebfed3afd13eb47392a7f502603ecb970a817c221682cd8f2a17ff2bb3
RemcosRAT
+ 2'448 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:carro rat
Link:
https://tria.ge/reports/230111-xzzb2aea79/
Behaviour
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
nuevocarro.con-ip.com:7770
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af0bed5c-981d-4abe-996c-d51b8a456746
Unpacked files
SH256 hash:
f8e07143399b8a1d55cefa7c9c3fc8b52305b37112fd8747069371411532ea3a
MD5 hash:
03de2e2ec7c75b2b7667923e2ed1d64e
SHA1 hash:
452d2c92679148123cb2459e21c6e7305261a142
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/38683afa-b949-44f6-a0d8-bfcab6484dec/
SH256 hash:
46c3cda4b6dbdae4d3347998364fa2981157c31d2cc8dfb765a5ecf1098484ea
MD5 hash:
08d4b0143bc20bd5f2e49bdf37d91205
SHA1 hash:
d5cb5f56aa571dc561508736e8838f0de8167815
Link:
https://www.unpac.me/results/38683afa-b949-44f6-a0d8-bfcab6484dec/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46c3cda4b6db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46c3cda4b6dbdae4d3347998364fa2981157c31d2cc8dfb765a5ecf1098484ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352045/

Comments