MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605
SHA3-384 hash: e44a1c839a08c923e267a4fb4c85f6ecb0cdb3df8ac2487cff14adecc1625ce266208908eb5548f93da584c0c1c88e7f
SHA1 hash: 378b0726c6d90a9ba4c3f58ca4bef518e6ef6410
MD5 hash: 621cb2fb281f8fc1a1e0bfdbd317570e
humanhash: gee-black-south-zebra
File name:RFQ-00205-0305.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:771'072 bytes
First seen:2021-05-03 06:01:20 UTC
Last seen:2021-05-03 07:02:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 831fc92f23cd73751a129066fe55905a (2 x NetWire, 2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:qjG2QEEsadOoRzP6nIHNFfHH3tmDJP2+U/Oy/I/:qK2adO0zznPXIPhUD/+
Threatray 187 similar samples on MalwareBazaar
TLSH C0F47B20A1D104F6C19F1B399C6B727509A2BE713AF85C4597F8AD08BFBF6807D1C992
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148215/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/707191
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402517 Sample: RFQ-00205-0305.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 72 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Machine Learning detection for sample 2->57 10 RFQ-00205-0305.exe 1 25 2->10         started        15 Txxvuz.exe 2->15         started        17 Txxvuz.exe 2->17         started        process3 dnsIp4 47 192.168.2.1 unknown unknown 10->47 49 zy8mhq.sn.files.1drv.com 10->49 51 2 other IPs or domains 10->51 41 C:\Users\Public41etplwiz.exe, PE32+ 10->41 dropped 43 C:\Users\Public43ETUTILS.dll, PE32+ 10->43 dropped 45 C:\Users\Public\Libraries\Txxvuz\Txxvuz.exe, PE32 10->45 dropped 61 Drops PE files to the user root directory 10->61 19 cmd.exe 1 10->19         started        21 secinit.exe 10->21         started        63 Multi AV Scanner detection for dropped file 15->63 65 Machine Learning detection for dropped file 15->65 file5 signatures6 process7 process8 23 cmd.exe 5 19->23         started        27 conhost.exe 19->27         started        file9 37 C:\Windows \System3237etplwiz.exe, PE32+ 23->37 dropped 39 C:\Windows \System3239ETUTILS.dll, PE32+ 23->39 dropped 59 Drops executables to the windows directory (C:\Windows) and starts them 23->59 29 Netplwiz.exe 23->29         started        31 conhost.exe 23->31         started        signatures10 process11 process12 33 cmd.exe 1 29->33         started        process13 35 conhost.exe 33->35         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 06:02:24 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfu5yxrlone6dconyb44f2paeakokworgfkwjnww7umo5mssyycq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d
RemcosRAT
30552657a06df54de322d5d689ca77d2cacbf8e85136ca915843c9a99e4f26c0
RemcosRAT
481d9a1417683843ff3bf8936227f69dbb80cad91b0c408bf30a99f889c09659
RemcosRAT
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0
RemcosRAT
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e
RemcosRAT
8017cf230cb7f4e72b6128a7e696821749c4990dbd446f8206d948c3ed6530ec
RemcosRAT
8c3a6d5b05325958afeb7885e7d4bbe59f7f5a849b5acdf0a8f7cbb8febc4a81
RemcosRAT
af0249150bee4fec74c124f89019cd260c9aacd7b7a7715192b5097f1948eb82
RemcosRAT
c85d33153d768a2f98066c8ba07e58890cbac4c185e4ef45739fb03750e1088b
RemcosRAT
f0896ba259cc40a67474db857cbca2cd43099f5b49be45c3e3a3a34a06765b7f
RemcosRAT
+ 177 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xmrig miner persistence rat
Link:
https://tria.ge/reports/210503-za3tfs6xkn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
xmrig
Malware Config
C2 Extraction:
style.ptbagasps.co.id:42024
Unpacked files
SH256 hash:
8f63001a412f92b1e28e17cf0ca84b5d4fa126a661cdae11c5221b7344c26999
MD5 hash:
77fbc4c0b74cf1b87fa3804f3c4c0ff1
SHA1 hash:
721f7b2c9db79c8a34b8ad43f103b22df632d2dc
Link:
https://www.unpac.me/results/c2b6b2ac-4c85-4d7e-ba59-2bb592b88e24/
SH256 hash:
4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605
MD5 hash:
621cb2fb281f8fc1a1e0bfdbd317570e
SHA1 hash:
378b0726c6d90a9ba4c3f58ca4bef518e6ef6410
Link:
https://www.unpac.me/results/c2b6b2ac-4c85-4d7e-ba59-2bb592b88e24/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148215/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 07:26:01 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0051] File System Micro-objective::Read File
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0038] Process Micro-objective::Create Thread
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process