MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47e8b33d8129bf9c75a67dd71e8db6b59b55b890a751c5c3c23d692124b0dc7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47e8b33d8129bf9c75a67dd71e8db6b59b55b890a751c5c3c23d692124b0dc7b
SHA3-384 hash: 75aa6fb43764e307a48fa376ee5ccbb6e20fe31461dc6f8de1cd2e6e2c79524dfa3ceb1a7bd9e5f2151e8c89f3233454
SHA1 hash: 33a4f8d3a150fa38d86c8492341cd75d77337be0
MD5 hash: bc04f2442683e522d363ae5b9517465e
humanhash: oxygen-utah-black-mars
File name:SecuriteInfo.com.W32.AIDetectNet.01.4078.4068
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'132'544 bytes
First seen:2022-07-18 13:37:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:VhNl0jd9nA1S24SBn9s4y1ruhiLYjrMk9dTaQS:Rl0jd9AwVSB9uLcjtx
Threatray 1'478 similar samples on MalwareBazaar
TLSH T1D435011276F7DD23C2781B77C1E6484013756A83A1A3E70F3ED522DA2B223DB8A85757
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291582/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.4078.4068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d562b8ef2b0e63a8228c63/reports/ae55f4a8-a4f9-4fce-9fa6-6aab642cccd6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15f9c9de-21b7-4d58-a6ec-ea72614535f1
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035776
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668270 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for dropped file 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 7 other signatures 2->79 11 SecuriteInfo.com.W32.AIDetectNet.01.4078.exe 7 2->11         started        15 remcos.exe 2->15         started        17 remcos.exe 2->17         started        19 remcos.exe 2->19         started        process3 file4 63 C:\Users\user\AppData\...\KtSOYdbmyudzJq.exe, PE32 11->63 dropped 65 C:\...\KtSOYdbmyudzJq.exe:Zone.Identifier, ASCII 11->65 dropped 67 C:\Users\user\AppData\Local\...\tmp936F.tmp, XML 11->67 dropped 69 SecuriteInfo.com.W...Net.01.4078.exe.log, ASCII 11->69 dropped 87 Uses schtasks.exe or at.exe to add and modify task schedules 11->87 89 Adds a directory exclusion to Windows Defender 11->89 91 Injects a PE file into a foreign processes 11->91 21 SecuriteInfo.com.W32.AIDetectNet.01.4078.exe 5 5 11->21         started        24 powershell.exe 23 11->24         started        26 schtasks.exe 1 11->26         started        28 4 other processes 11->28 signatures5 process6 file7 57 C:\ProgramData\Remcos\remcos.exe, PE32 21->57 dropped 59 C:\Users\user\AppData\Local\...\install.vbs, data 21->59 dropped 61 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 21->61 dropped 30 wscript.exe 1 21->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        process8 process9 36 cmd.exe 30->36         started        process10 38 remcos.exe 36->38         started        41 conhost.exe 36->41         started        signatures11 81 Multi AV Scanner detection for dropped file 38->81 83 Machine Learning detection for dropped file 38->83 85 Adds a directory exclusion to Windows Defender 38->85 43 remcos.exe 38->43         started        47 powershell.exe 38->47         started        49 schtasks.exe 38->49         started        51 2 other processes 38->51 process12 dnsIp13 71 194.5.98.211, 3383, 49761, 49762 DANILENKODE Netherlands 43->71 93 Installs a global keyboard hook 43->93 53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        signatures14 process15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47e8b33d8129bf9c75a67dd71e8db6b59b55b890a751c5c3c23d692124b0dc7b/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 13:38:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
53
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7ulgpmbfg7zy5ngpxlr5dnwwwnvloequ5i4lq6chvuscjfq3r5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
082525150d7aace7e21b3bfb469f86c2e7239593c50cebc143d7f8a66b898b83
RemcosRAT
0a7baae0933a14082beb95b1c5484dd958e333f7fc499f645c1d550d8ad124a1
RemcosRAT
21323faa5f74ccc103e64f30bc31b36e0cfc971a601b59502713151ad4f465db
RemcosRAT
41dbd50dec8697c71e8feea9912873500ae7061955e1331ac9e657041b7b57f8
RemcosRAT
5482c9775362ce202cf44b082ce747f7e69f522a903ccc031c975cc714c82a8c
RemcosRAT
91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
RemcosRAT
b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0
RemcosRAT
db8a8a4bf1e1e63ef1bd27f8131dfeb14bca74e9d68605cf71e9eac5126baa48
RemcosRAT
dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e
RemcosRAT
+ 1'468 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/220718-qxc8fsdbb4/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/29347fab-5376-4e5e-afdc-cdb7480a4783/
SH256 hash:
dd50b7536e5e316088d0ca18dea9c553852a0f283d81b600ac577880124a3d8d
MD5 hash:
9dcf6bf5b0cd1b3f4c695fc5d0a5bc61
SHA1 hash:
ce5905d4f124d3895035983753901cbaa2dfb04a
Link:
https://www.unpac.me/results/29347fab-5376-4e5e-afdc-cdb7480a4783/
SH256 hash:
714d60e88132ac98757f1a7ca3cbe2e8942dcc6a72cdb5677d5adefecf2849c4
MD5 hash:
a1cf35fad007cd5a967f873aa29e40a5
SHA1 hash:
4d5d00d5e60c808af6d20c0dccbc6ced1d37b86c
Link:
https://www.unpac.me/results/29347fab-5376-4e5e-afdc-cdb7480a4783/
SH256 hash:
781c78f48dc35cb66432bd1826965cc59fb100d4d12c04432a2c92361f8364c3
MD5 hash:
4bfe50310c7b0dd87da13cc6109f0190
SHA1 hash:
2e3cfcf114927e004ea7788b29e5dc45c5f9e246
Link:
https://www.unpac.me/results/29347fab-5376-4e5e-afdc-cdb7480a4783/
SH256 hash:
1c048a93fc173bacc2388da1042140aeb4d4b34c927e524d3b60946efdab1a16
MD5 hash:
d329ca03ea62e3371e4d63f5271124a3
SHA1 hash:
14c329ff4882ef1aedb93e21e18b691a93dc2f5d
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/29347fab-5376-4e5e-afdc-cdb7480a4783/
Parent samples :
47e8b33d8129bf9c75a67dd71e8db6b59b55b890a751c5c3c23d692124b0dc7b
188d6e4d1543650210777ea153258085124a14cc564fc7c264a01eac69b797b8
6d16f6ecb3a446d0c6bfa0fc7a47dabac2e63cebfa426f4502a5bcecf378c645
1c048a93fc173bacc2388da1042140aeb4d4b34c927e524d3b60946efdab1a16
SH256 hash:
47e8b33d8129bf9c75a67dd71e8db6b59b55b890a751c5c3c23d692124b0dc7b
MD5 hash:
bc04f2442683e522d363ae5b9517465e
SHA1 hash:
33a4f8d3a150fa38d86c8492341cd75d77337be0
Link:
https://www.unpac.me/results/29347fab-5376-4e5e-afdc-cdb7480a4783/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47e8b33d8129bf9c75a67dd71e8db6b59b55b890a751c5c3c23d692124b0dc7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291582/

Comments