MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9
SHA3-384 hash: b86b37528e7c31542042fba193c2d1d2eea576d2ae4dabbdb4073ca884e1f318d0d0ff417422ee1389a5aeac11545d6d
SHA1 hash: 1f23348ea9e57d3221b13e8ffaab6102812e8d18
MD5 hash: 28aac7aa4482df370c1bdf08b4b2da82
humanhash: shade-undress-nitrogen-oregon
File name:SecuriteInfo.com.Win32.PWSX-gen.2377
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'105'920 bytes
First seen:2022-09-22 05:07:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:qumI6nl5b+kBAR0Yp17DuqmkQ2+Jh28tq:arQhHP8kQfJAmq
Threatray 1'941 similar samples on MalwareBazaar
TLSH T15D35E0261AE95F0BD025A7F884D0C6B6A3FADD11A036C2979FCA1CDFF096B508760753
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0ccb2f0e8f0ccf0 (12 x Formbook, 8 x AgentTesla, 8 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.2377
Verdict:
Malicious activity
Analysis date:
2022-09-22 05:08:15 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/221da14e-cef5-407d-8bec-a706be6a1a00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312205/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632bee2de64c53f047fc944d/reports/6330cae2-e143-414c-802a-584421b71146/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efbd5453-3076-4107-9257-a9559ce34ceb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075031
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707573 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 22/09/2022 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 7 other signatures 2->84 13 SecuriteInfo.com.Win32.PWSX-gen.2377.exe 3 2->13         started        16 sdfge.exe 2 2->16         started        18 sdfge.exe 3 2->18         started        process3 file4 64 SecuriteInfo.com.W...SX-gen.2377.exe.log, ASCII 13->64 dropped 20 SecuriteInfo.com.Win32.PWSX-gen.2377.exe 4 4 13->20         started        23 SecuriteInfo.com.Win32.PWSX-gen.2377.exe 13->23         started        25 sdfge.exe 16->25         started        27 sdfge.exe 16->27         started        process5 file6 58 C:\Users\user\AppData\Roaming\sdfge.exe, PE32 20->58 dropped 60 C:\Users\user\...\sdfge.exe:Zone.Identifier, ASCII 20->60 dropped 62 C:\Users\user\AppData\Local\...\install.vbs, data 20->62 dropped 29 wscript.exe 1 20->29         started        process7 process8 31 cmd.exe 1 29->31         started        33 chrome.exe 29->33         started        dnsIp9 36 sdfge.exe 2 31->36         started        39 conhost.exe 31->39         started        66 mdec.nelreports.net 33->66 68 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49725, 49726 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->68 70 8 other IPs or domains 33->70 process10 signatures11 86 Machine Learning detection for dropped file 36->86 41 sdfge.exe 4 1 36->41         started        45 sdfge.exe 36->45         started        47 sdfge.exe 36->47         started        process12 dnsIp13 76 76.8.53.133, 1198, 49709, 49710 QUONIXNETUS United States 41->76 88 Writes to foreign memory regions 41->88 90 Maps a DLL or memory area into another process 41->90 92 Installs a global keyboard hook 41->92 49 svchost.exe 41->49         started        signatures14 process15 process16 51 chrome.exe 49->51         started        54 chrome.exe 49->54         started        dnsIp17 72 192.168.2.1 unknown unknown 51->72 74 239.255.255.250 unknown Reserved 51->74 56 chrome.exe 54->56         started        process18
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 03:57:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 19 (89.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i52amxbpwj3up3zymq757hrqdomacjior3ogkgganrmjxl74kleq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2d066636d5043a308a989edc747304d9087a60e7a0df3f021ce8b1642466cc52
RemcosRAT
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
808b1f23a0d9457d31d5abd083b2b81cc68b0a0d3a87e59e9e6d56d773dbde39
RemcosRAT
be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162
RemcosRAT
c1a4991ae17887dc70504cf13daafef24a394e39dc5e19177ea8d8139432e8b6
RemcosRAT
+ 1'931 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:peterobi2023 brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/220922-fsjvbsaaf6/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
76.8.53.133:1198
Gathering data
Unpacked files
SH256 hash:
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
MD5 hash:
82602aed5a4328fd0f432ac95f05a500
SHA1 hash:
83c7d33c0d034ec89953986d191fe82e5f5ba297
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b9c50cb-e6e4-4143-b91d-58bcb9114c78/
Parent samples :
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9
b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/7b9c50cb-e6e4-4143-b91d-58bcb9114c78/
SH256 hash:
eac969b285f64398df0593b0e201e706676121981d3f40cb05eca44ddf7fa020
MD5 hash:
267bf1828dd7f576f5a2a5f3c1b2f6bb
SHA1 hash:
6788210ebd7b8baa0f8d952bd137c1650723a29d
Link:
https://www.unpac.me/results/7b9c50cb-e6e4-4143-b91d-58bcb9114c78/
SH256 hash:
b7f0be3bffcbf5a52477fe20801bd931e25fa9d56cfadfade01275923bb309ce
MD5 hash:
f35cb7a645522a82e8dfd6c72ceab5f0
SHA1 hash:
3f8c742122438c630ee3a30acf403d659b8b6724
Link:
https://www.unpac.me/results/7b9c50cb-e6e4-4143-b91d-58bcb9114c78/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/7b9c50cb-e6e4-4143-b91d-58bcb9114c78/
SH256 hash:
4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9
MD5 hash:
28aac7aa4482df370c1bdf08b4b2da82
SHA1 hash:
1f23348ea9e57d3221b13e8ffaab6102812e8d18
Link:
https://www.unpac.me/results/7b9c50cb-e6e4-4143-b91d-58bcb9114c78/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4774065c2fb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312205/

Comments