MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b6fdf9cbea14e56b10f5e4d5c4c8fbe34de5454ec1b246814a9464e8c81e314. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b6fdf9cbea14e56b10f5e4d5c4c8fbe34de5454ec1b246814a9464e8c81e314
SHA3-384 hash: 9ca17cb9232bcfc80a2baa6cbbfcd34767066fb5930695e04d0581f911f9e567163babb5b1a8e8a08ffbda190d346646
SHA1 hash: 1d65a3f31ee59b9da8e175bf5d09c4e95d596953
MD5 hash: 977a62444517295a0cfeb9e6e6f8e27a
humanhash: hydrogen-mirror-fruit-freddie
File name:977a62444517295a0cfeb9e6e6f8e27a
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:680'960 bytes
First seen:2021-08-18 23:08:31 UTC
Last seen:2021-08-18 23:54:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f3e676294c31e2087b43dceda162efb (1 x RemcosRAT)
ssdeep 12288:iFaS5hDku4BW/vgeURfvtSotoaM9wx+DgbvenAAAAAAAAAAAAAAAJAA:2f/J4BeOXSotolw4Dgb
Threatray 460 similar samples on MalwareBazaar
TLSH T13BE49D6772918931D1162A7CEE0FA3E8A029FEF12D11A4463FF9399C0FFB5527825093
dhash icon 48958834524ae410 (6 x RemcosRAT, 4 x DBatLoader, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
977a62444517295a0cfeb9e6e6f8e27a
Verdict:
Malicious activity
Analysis date:
2021-08-18 23:09:25 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/d4a9cdfa-6961-4622-aaa9-418c9d4c2c10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180477/
Detection(s):
SecuriteInfo.com.Win32.Injector.EPVD.23791.20484.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69d446fa-c622-4190-b7c8-d3d053f31aac
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835430
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467861 Sample: QJuq3fap2K Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 57 twistednerd.dvrlists.com 2->57 75 Multi AV Scanner detection for domain / URL 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 6 other signatures 2->81 9 QJuq3fap2K.exe 1 24 2->9         started        14 Gehnhmu.exe 14 2->14         started        16 Gehnhmu.exe 2->16         started        signatures3 process4 dnsIp5 63 twistednerd.dvrlists.com 9->63 65 sn-files.fe.1drv.com 9->65 73 2 other IPs or domains 9->73 55 C:\Users\Public\Libraries\...behaviorgraphehnhmu.exe, PE32 9->55 dropped 91 Writes to foreign memory regions 9->91 93 Allocates memory in foreign processes 9->93 95 Creates a thread in another existing process (thread injection) 9->95 18 mshta.exe 5 2 9->18         started        23 BackgroundTransferHost.exe 13 9->23         started        25 cmd.exe 1 9->25         started        27 cmd.exe 1 9->27         started        67 sn-files.fe.1drv.com 14->67 69 onedrive.live.com 14->69 71 a2q8ua.sn.files.1drv.com 14->71 97 Multi AV Scanner detection for dropped file 14->97 99 Injects a PE file into a foreign processes 14->99 29 dialer.exe 2 14->29         started        file6 signatures7 process8 dnsIp9 59 twistednerd.dvrlists.com 62.102.148.152, 49711, 49712, 49713 TEKNIKBYRANSE Sweden 18->59 53 C:\Users\...\fjwdyydwdvrusglolqiccivxjujr.vbs, data 18->53 dropped 83 Contains functionality to steal Chrome passwords or cookies 18->83 85 Contains functionality to inject code into remote processes 18->85 87 Contains functionality to steal Firefox passwords or cookies 18->87 89 2 other signatures 18->89 31 mshta.exe 1 23->31         started        34 mshta.exe 2 23->34         started        37 mshta.exe 1 23->37         started        39 wscript.exe 23->39         started        41 reg.exe 1 25->41         started        43 conhost.exe 25->43         started        45 cmd.exe 1 27->45         started        47 conhost.exe 27->47         started        file10 signatures11 process12 dnsIp13 101 Tries to steal Instant Messenger accounts or passwords 31->101 103 Tries to steal Mail credentials (via file access) 31->103 61 192.168.2.1 unknown unknown 34->61 105 Tries to harvest and steal browser information (history, passwords, etc) 34->105 49 conhost.exe 41->49         started        51 conhost.exe 45->51         started        signatures14 process15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4b6fdf9cbea14e56b10f5e4d5c4c8fbe34de5454ec1b246814a9464e8c81e314/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 22:47:49 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b10f51931ebadefe515c5db78b89095df9ff47ad1bd042eace9d47047c5a09d
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
5d888bc6d0a7f5da0c94a55113d93a3f8b894472c4d42af88c7cf7cb885d95ad
RemcosRAT
7d521241af50289decdd245380a3f26e5abd47d50f8e318d2758bb2a990da440
RemcosRAT
8d076437949873b971f9534e630ebe26a8437f50786c430eaeb46c71d53a88e5
RemcosRAT
be6c146acab77dfb4116c0805a1244c79a5da7393ce8ee582f59ae8c1773e406
RemcosRAT
d694d9cbdcd2253844ad1f1e44226574420e58fd5fb14d35c32447b4780dd1d7
RemcosRAT
e85ecd006f87b6e19f200e637cf0430caa02f0af5e58d68437f270668a7fed59
RemcosRAT
f1751a576879ffed0fed1eee73ab099833ef0c019c6307cab9919275927ba6b6
RemcosRAT
+ 450 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:augusta persistence rat trojan
Link:
https://tria.ge/reports/210818-dran3dbp7a/
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:8618
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/72b02abd-6374-4629-9496-681f805b26ae/
SH256 hash:
4b6fdf9cbea14e56b10f5e4d5c4c8fbe34de5454ec1b246814a9464e8c81e314
MD5 hash:
977a62444517295a0cfeb9e6e6f8e27a
SHA1 hash:
1d65a3f31ee59b9da8e175bf5d09c4e95d596953
Link:
https://www.unpac.me/results/72b02abd-6374-4629-9496-681f805b26ae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b6fdf9cbea14e56b10f5e4d5c4c8fbe34de5454ec1b246814a9464e8c81e314

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4b6fdf9cbea14e56b10f5e4d5c4c8fbe34de5454ec1b246814a9464e8c81e314

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1544807/
Cape
Cape
https://www.capesandbox.com/analysis/180477/

Comments


Avatar
zbet commented on 2021-08-18 23:08:32 UTC

url : hxxp://198.23.251.110/cop.exe