MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
SHA3-384 hash: fab4b1a8afeef8f45977e469339c91797e97321a059ed7033cbacf391936cf935432383c28c47fd91619428e1d2b988e
SHA1 hash: 4563ccc9a48f4b0af56fba631a764f96d72edff0
MD5 hash: 0caf9f956453a97622f714c77409caaa
humanhash: cola-maryland-one-florida
File name:vbc.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'702'304 bytes
First seen:2022-11-28 11:36:37 UTC
Last seen:2022-11-28 16:44:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d29a25ea03cbea7c6c52ef946b45416b (2 x RedLineStealer, 1 x RemcosRAT)
ssdeep 24576:GBPnT4fd0x3OdiRrib/Zj/NJZtF5QURQrbdfBzUOQX6w4OK8J3XRXWz4:GBPmd014iNibNNJZtNQfrgX6wRK4Mz4
Threatray 19'027 similar samples on MalwareBazaar
TLSH T10275BD797ACF00C3D29745F45A953F2C497E0E58BF34A1C12946B4090E4BABE92E39F6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 110ccacab2ca4c10 (1 x RemcosRAT)
Reporter pr0xylife
Tags:aviapages.com exe RemcosRAT signed

Code Signing Certificate

Organisation:aviapages.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-03T16:04:58Z
Valid to:2023-01-01T16:04:57Z
Serial number: 044e360dd1849f4488d44068caa726313ce7
Thumbprint Algorithm:SHA256
Thumbprint: 2b9616d9075ae5e248a2a64a13a843e8059158f7cd099fca1e91a8cc59dd2431
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
IE IE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
__________0__0_0________00__.doc
Verdict:
Malicious activity
Analysis date:
2022-11-28 11:36:43 UTC
Tags:
trojan opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/5f9b7595-e221-4a2e-a919-c32fc616769d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339402/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63849d6269830678d716029b/reports/8e1118eb-0ece-4079-885c-e6addb6eb33e/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16224032-bc5d-4617-b15b-6d5d4c6d5539
Result
Threat name:
Remcos, RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122465
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 755193 Sample: vbc.exe Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 70 geoplugin.net 2->70 72 api.ip.sb 2->72 100 Snort IDS alert for network traffic 2->100 102 Multi AV Scanner detection for domain / URL 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 12 other signatures 2->106 9 vbc.exe 10 2->9         started        14 dikohequ-cop cotehir yoxog.exe 12 2->14         started        signatures3 process4 dnsIp5 76 zwrd1xys4.laqk0w9wia9tl0igvoq 9->76 58 C:\Users\...\dikohequ-cop cotehir yoxog.exe, PE32 9->58 dropped 60 dikohequ-cop coteh...exe:Zone.Identifier, ASCII 9->60 dropped 108 Found evasive API chain (may stop execution after checking mutex) 9->108 110 Self deletion via cmd or bat file 9->110 112 Uses schtasks.exe or at.exe to add and modify task schedules 9->112 16 dikohequ-cop cotehir yoxog.exe 15 9->16         started        21 cmd.exe 1 9->21         started        23 schtasks.exe 1 9->23         started        78 zwrd1xys4.laqk0w9wia9tl0igvoq 14->78 114 Writes to foreign memory regions 14->114 116 Allocates memory in foreign processes 14->116 118 Injects a PE file into a foreign processes 14->118 25 ngentask.exe 14->25         started        27 fontview.exe 14->27         started        file6 signatures7 process8 dnsIp9 66 loopplanet.com 67.227.214.170, 443, 49697, 49701 LIQUIDWEBUS United States 16->66 68 zwrd1xys4.laqk0w9wia9tl0igvoq 16->68 54 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 16->54 dropped 56 C:\Users\user\AppData\...\library[1].bin, PE32 16->56 dropped 92 Writes to foreign memory regions 16->92 94 Allocates memory in foreign processes 16->94 96 Injects a PE file into a foreign processes 16->96 29 ngentask.exe 2 16 16->29         started        34 fontview.exe 15 7 16->34         started        98 Uses ping.exe to check the status of other devices and networks 21->98 36 PING.EXE 1 21->36         started        38 conhost.exe 21->38         started        40 chcp.com 1 21->40         started        42 conhost.exe 23->42         started        file10 signatures11 process12 dnsIp13 80 zoz.mastercoa.co 192.30.89.75, 49698, 49699, 52814 CLOUDSINGULARITYCA Canada 29->80 82 geoplugin.net 178.237.33.50, 49700, 49706, 80 ATOM86-ASATOM86NL Netherlands 29->82 62 C:\ProgramData\remcos\logs.dat, data 29->62 dropped 126 Maps a DLL or memory area into another process 29->126 128 Installs a global keyboard hook 29->128 44 ngentask.exe 29->44         started        47 ngentask.exe 29->47         started        49 ngentask.exe 29->49         started        51 23 other processes 29->51 84 109.206.243.58, 4541, 49702, 49705 AWMLTNL Germany 34->84 86 loopplanet.com 34->86 88 api.ip.sb 34->88 64 C:\Users\user\AppData\Roaming\java.exe, PE32+ 34->64 dropped 130 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->130 132 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->132 134 Tries to harvest and steal browser information (history, passwords, etc) 34->134 136 Tries to steal Crypto Currency Wallets 34->136 90 127.0.0.1 unknown unknown 36->90 file14 signatures15 process16 dnsIp17 120 Tries to steal Instant Messenger accounts or passwords 44->120 122 Tries to steal Mail credentials (via file / registry access) 44->122 74 192.168.2.1 unknown unknown 51->74 124 Tries to harvest and steal browser information (history, passwords, etc) 51->124 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 11:37:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkazl4kze5h3nmxn6ymgjasotrughggomdpzjur7vozbysgvosmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0773f517b40992fd3e6291eb906558588f1de9e3887bb2433f95bb4ea9f5904a
RemcosRAT
139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787
RemcosRAT
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
RemcosRAT
a54b78279717d2eb6b13e183e0f69e89a023a8b945dfe47e29819f526037548b
RemcosRAT
a7d483a24ac3326297b055b788a4163a59e56341c727dae392b331f4c4b86587
RemcosRAT
c8f7124c43eb317024e9e329f6a05b8e278b3c6ac99a2f202406b719dbb815ca
RemcosRAT
cdbd543a70aa9f54daccdf108189026ff621568c8084bef3020049155c4f7eab
RemcosRAT
+ 19'017 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221128-nq5ysaag75/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Unpacked files
SH256 hash:
1b65bd97b8390e72f557be23b37e53997384928a8e62c6b9a19f043d184f11d7
MD5 hash:
298de18bceffd00d051177fda939301e
SHA1 hash:
68e3e2dd32e6cf8405c21ca5cea7979022f2be38
Link:
https://www.unpac.me/results/5e67b962-da66-40c1-9561-88b4e64cf70c/
SH256 hash:
4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
MD5 hash:
0caf9f956453a97622f714c77409caaa
SHA1 hash:
4563ccc9a48f4b0af56fba631a764f96d72edff0
Link:
https://www.unpac.me/results/5e67b962-da66-40c1-9561-88b4e64cf70c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a8195f15927/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/339402/
  
URLhaus
https://urlhaus.abuse.ch/url/2435779/
  
Delivery method
Distributed via web download

Comments