MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a7b9d57d98b3a41796c905dae1bb7e3ffc077e0607c39181693e91b220904b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13



SHA256 hash: 4a7b9d57d98b3a41796c905dae1bb7e3ffc077e0607c39181693e91b220904b4
SHA3-384 hash: 2743b664470eb1f2ab5f1429f199875ea235f14197269f4a12ca94d9d6e8cffbc7521a9142ca4f79cf06fd2601c15f71
SHA1 hash: 8fd07bd61db93daafbfe3da82c7ee6c4e5adfa1b
MD5 hash: 2b3860c4e5b673465d073e31f46f3c9f
humanhash: spring-echo-muppet-vermont
File name: 4a7b9d57d98b3a41796c905dae1bb7e3ffc077e0607c39181693e91b220904b4
Signature: RemcosRAT
File size: 1'237'016 bytes
First seen: 2021-08-30 07:04:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaWbfD4+wvfMkAVf5:Uh+ZkldoPK8YaWY+we
Threatray: 1'963 similar samples on MalwareBazaar
TLSH: T1AF45AD0263918036FFAE92739B6AB24156BD69253133CC3F13981DB9B9701B11E7D26F
dhash icon: 3038b870e0828000 (2 x RemcosRAT)
Reporter: JAMESWT_WT
Tags: exe RemcosRAT
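The hashes above pin down the exact bytes this entry describes, so the first thing to do with a downloaded copy is to confirm it reproduces them. The Python below is an added example, not MalwareBazaar code: it recomputes the four digests the entry publishes and compares them, and it also scans for the AU3!EA06 header that compiled AutoIt3 binaries carry, which is the static fact behind the "compiled AutoIt script" findings and the AutoIT_Compiled YARA rule further down this page. The hash values are copied from the entry; the marker scan is my own simplification and is not that YARA rule; imphash, ssdeep and TLSH are left out because they need third-party libraries (pefile, ssdeep, py-tlsh).

```python
"""Static triage of a downloaded copy of this sample against the entry's hashes.

Added example, not MalwareBazaar code. Uses only hashlib.
"""
import hashlib

# Hashes as listed in the MalwareBazaar entry for this sample.
ENTRY = {
    "md5": "2b3860c4e5b673465d073e31f46f3c9f",
    "sha1": "8fd07bd61db93daafbfe3da82c7ee6c4e5adfa1b",
    "sha256": "4a7b9d57d98b3a41796c905dae1bb7e3ffc077e0607c39181693e91b220904b4",
    "sha3_384": "2743b664470eb1f2ab5f1429f199875ea235f14197269f4a12ca94d9d6e8cffbc"
                "7521a9142ca4f79cf06fd2601c15f71",
}

# Header AutoIt3 places in front of an embedded compiled script. This plain
# byte scan is my own simplification, not the AutoIT_Compiled YARA rule.
AUTOIT_MARKER = b"AU3!EA06"

# hashlib names for every digest the entry publishes (keys of ENTRY).
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digests(data: bytes) -> dict:
    """Compute every digest the entry publishes, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def compare(data: bytes, entry: dict = ENTRY) -> dict:
    """Map each algorithm the entry lists (keys from ALGORITHMS) to whether
    the data reproduces its value; comparison is case-insensitive."""
    actual = digests(data)
    return {algo: actual[algo] == expected.lower() for algo, expected in entry.items()}


def is_listed_sample(data: bytes, entry: dict = ENTRY) -> bool:
    """True only when every listed hash matches. A mixed result (some True,
    some False) means the entry or the download is inconsistent and deserves
    a closer look rather than a pass; an empty entry can never match."""
    results = compare(data, entry)
    return bool(results) and all(results.values())


def autoit_marker_offset(data: bytes) -> int:
    """Offset of the first AU3!EA06 marker, or -1 if the file has none."""
    return data.find(AUTOIT_MARKER)


def triage_file(path: str, entry: dict = ENTRY) -> dict:
    """Read a file (this sample is ~1.2 MB, so a single read is fine) and
    report size, per-hash comparison, overall verdict and marker offset."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": len(data),
        "hash_checks": compare(data, entry),
        "is_listed_sample": is_listed_sample(data, entry),
        "autoit_marker_offset": autoit_marker_offset(data),
    }


if __name__ == "__main__":
    import sys
    print(triage_file(sys.argv[1]))
```

Run it as `python triage.py <downloaded file>`; a file that is the listed sample reports `is_listed_sample: True` and, for this entry, a non-negative marker offset. A marker hit on an unrelated PE is only a hint that the binary embeds an AutoIt script, not proof of Remcos.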

Intelligence


File Origin
# of uploads: 1
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23
Verdict: Suspicious activity
Analysis date: 2021-08-30 07:10:40 UTC
Tags: rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Unauthorized injection to a recently created process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Connection attempt to an infection source
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph: ID 474435, sample qnLmVm4z1A, start date 31/08/2021, architecture WINDOWS, score 100. The process tree below is recovered from the graph rendering; dropped files and signatures are listed under the process the graph attributes them to, and counts such as "3 child processes" stand for nodes the graph shows without further detail.

Start node signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures

qnLmVm4z1A.exe
    dropped: C:\Users\user\AppData\Roaming\...\setupcl.bat (PE32); C:\Users\Public\KHodniNRED.vbs (ASCII)
    signatures: Contains functionality to change the wallpaper; Creates autostart registry keys with suspicious values (likely registry only malware); Contains functionality to detect virtual machines (IN, VMware); 5 other signatures
    qnLmVm4z1A.exe
        dropped: C:\Windows\SysWOW64\remcos\remcos.exe (PE32); C:\Windows\...\remcos.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\install.vbs (data)
        signatures: Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
        wscript.exe
            cmd.exe
                remcos.exe
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Injects a PE file into foreign processes
                    remcos.exe (4 child processes)
                conhost.exe
    qnLmVm4z1A.exe
        signatures: Detected Remcos RAT; Writes to foreign memory regions; Allocates memory in foreign processes
        iexplore.exe
            signatures: Injects a PE file into foreign processes
            iexplore.exe (3 child processes)
    qnLmVm4z1A.exe
        network: 79.134.225.108 (ports 49706, 49707, 49709 as listed in the graph), FINK-TELECOM-SERVICESCH, Switzerland
wscript.exe
    setupcl.bat
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file
        setupcl.bat (3 child processes)
remcos.exe
    signatures: Drops executables to the windows directory (C:\Windows) and starts them; Injects a PE file into foreign processes
    remcos.exe (2 child processes)
3 other processes
    setupcl.bat
        signatures: Injects a PE file into foreign processes
        setupcl.bat
    remcos.exe (2 child processes)
Threat name: Win32.Trojan.AutoitInject
Status: Malicious
First seen: 2021-08-17 17:18:54 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 39 of 46 (84.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 79.134.225.108:6868
Unpacked files
SHA256 hash: 4d0c193f635b7542c8f31ef4875d40ccc4f08832d94bfec7e715fe26b10bef93
MD5 hash: b03a3f3cfa14f842fb2a87d011d30403
SHA1 hash: a0d0097cb0dcfc7dbfc04d3fadeca1b8730c659f
Detections: win_remcos_g0 win_remcos_auto
SHA256 hash: 4a7b9d57d98b3a41796c905dae1bb7e3ffc077e0607c39181693e91b220904b4
MD5 hash: 2b3860c4e5b673465d073e31f46f3c9f
SHA1 hash: 8fd07bd61db93daafbfe3da82c7ee6c4e5adfa1b
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments