MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a
SHA3-384 hash: feaf4d0b0b598c3b765081c200fdb630d39d473061ca142234b2f9d611263c56bc42b348e2e5bc2be12c384e9359405f
SHA1 hash: 33d8b7ab8acb041f8c2134b5f411df2c2610ee29
MD5 hash: 7b4509311aeadf5770e2c3a01e362090
humanhash: delaware-friend-sink-december
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'193'984 bytes
First seen:2022-12-01 15:08:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:NcY36yZ9vBXhDCgJDKmKIHKQoNezvpe7w7En1gSp4Tr9j:936yZ9HnJGmq3Wvpe7w7EnOSCf
Threatray 4'174 similar samples on MalwareBazaar
TLSH T1364502AD361072EEC457C27659645C78A6203C6B2B17C257C62372DEAA3DB87DB108F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d0d8d0c4c4c4dcd4 (12 x RemcosRAT, 3 x NanoCore, 3 x AveMariaRAT)
Reporter jstrosch
Tags:.NET exe MSIL RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
2023_ORDER_098765432.xls
Verdict:
Malicious activity
Analysis date:
2022-11-30 18:50:21 UTC
Tags:
macros opendir exploit cve-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/1f21169f-e37f-411e-9f68-93a5a60b50f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341170/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.47502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/6388c38eec3dbefe49123eef/reports/ae9ee54b-99c5-4ba5-9092-9f18c38cb0bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/685ee2cc-5d1b-4ce9-85ad-2acbcbdc900c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1125491
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 758223 Sample: file.exe Startdate: 01/12/2022 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 7 file.exe 7 2->7         started        11 XSOksJehuj.exe 5 2->11         started        process3 file4 34 C:\Users\user\AppData\...\XSOksJehuj.exe, PE32 7->34 dropped 36 C:\Users\...\XSOksJehuj.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp32AA.tmp, XML 7->38 dropped 40 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->40 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 7->58 60 Adds a directory exclusion to Windows Defender 7->60 13 file.exe 2 17 7->13         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        62 Machine Learning detection for dropped file 11->62 22 schtasks.exe 1 11->22         started        24 XSOksJehuj.exe 11->24         started        26 XSOksJehuj.exe 11->26         started        signatures5 process6 dnsIp7 44 onyem.myftp.org 193.169.253.184, 49710, 6583 SPRINT-SDCPL Poland 13->44 46 geoplugin.net 178.237.33.50, 49711, 80 ATOM86-ASATOM86NL Netherlands 13->46 48 192.168.2.1 unknown unknown 13->48 42 C:\ProgramData\remcos\logs.dat, data 13->42 dropped 64 Tries to harvest and steal browser information (history, passwords, etc) 13->64 66 Installs a global keyboard hook 13->66 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 08:07:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i6eeechyuzck4iih53hpecfjaxqdqoolgmom6dogyufhf2ljwf5a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
RemcosRAT
139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787
RemcosRAT
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
RemcosRAT
88729c3c2f0d440cb964a0b14af9f726a961700288ea860cc8db492685ca4546
RemcosRAT
9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c
RemcosRAT
a04d627bf01f18ee5ca0d47dac132c9ae2f12973aa9c54c331170d67967deb7d
RemcosRAT
c8f7124c43eb317024e9e329f6a05b8e278b3c6ac99a2f202406b719dbb815ca
RemcosRAT
f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24
RemcosRAT
+ 4'164 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:pk rat spyware stealer
Link:
https://tria.ge/reports/221201-sjgd3aed3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Remcos
Malware Config
C2 Extraction:
onyem.myftp.org:6583
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bf959e0a-a061-444c-82d0-4037619df58b
Unpacked files
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
SH256 hash:
2464bff731c831e20c9a759dbca91f15f9fb0ae5a7052aa6561c30a783d231e4
MD5 hash:
3692bb1886580bb729d2b632bf00bc42
SHA1 hash:
8e172191e527d405f352778d7a44e763c5faf17d
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
SH256 hash:
ddb4b9708827cb344d5c08c6b07571d0d6a38fd4b594bcbdb73fa4e0104b274d
MD5 hash:
4709d80b2fe48a1401137beae6f231c7
SHA1 hash:
53856da064431f669e254da51bf4a3e7db634120
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
SH256 hash:
7b07e7f5539537d3416c77ece37f09f2832d6e5d735016601844350d115a1afd
MD5 hash:
45bb0b160b7126de00b44c2a73d70d10
SHA1 hash:
122e0a6448d8091097a83d69948c422e55560159
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
SH256 hash:
617f3188661dbad42a088d16a72f44d352ebc02f6eb5d03695571fe3e24f1a2a
MD5 hash:
47f81dd3c3f8a25ea26b95ec2c62cb9b
SHA1 hash:
0dcbaf15c8869e8f43209cd9faa1d5109126d40c
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
SH256 hash:
3d1106ae1d11016f844b5d6cf37b3cc527eedab2d3cf9d37bba68735affd0936
MD5 hash:
9a6161dede7e323dbb1b72086a3b3901
SHA1 hash:
264ed67ba897b702edda983a05985ba1bd30d341
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
SH256 hash:
47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a
MD5 hash:
7b4509311aeadf5770e2c3a01e362090
SHA1 hash:
33d8b7ab8acb041f8c2134b5f411df2c2610ee29
Link:
https://www.unpac.me/results/3853d0b6-8d67-48c5-8b27-b3cf06080a3a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47884208f8a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2440895/
Cape
Cape
https://www.capesandbox.com/analysis/341170/

Comments