MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf
SHA3-384 hash: 0e429774291a819d8dcb8975f490acc1c44446d00ca42bd0f40dbd9683dc94ac9d632eba314801dff22d804e00ab67f9
SHA1 hash: 56c445922b3f489549b0e4986387d5b40a90b5b6
MD5 hash: 86c99e1afb407b679aea553f8d37f702
humanhash: football-four-snake-wisconsin
File name:86c99e1afb407b679aea553f8d37f702
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'408'344 bytes
First seen:2022-11-10 13:02:00 UTC
Last seen:2022-11-10 15:40:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b128da42edc801068b5469911b24a324 (3 x lgoogLoader, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 49152:yBExct7mmdD3H7R3Im08xuwog6ILFsX/l3JFupaQr:YXtCm93HFrduEHc/PQr
TLSH T15AB5F1254EAE1CA3EAF1DBBF0AB2432587F0CD6B4079A61336C09F0057916DE6B74617
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ccc8c492aab692c8 (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:4ever.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-11T09:40:24Z
Valid to:2023-01-09T09:40:23Z
Serial number: 047d80a5afe23c26f01674b5d4a01fb6c4d0
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 9f9ea52a37444bf2b4e5e9eeeb630304b7eff9c92621755d00be1548c4c9a8cf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
nomination for Cnee TC .xls
Verdict:
Malicious activity
Analysis date:
2022-11-10 12:24:28 UTC
Tags:
macros trojan opendir exploit cve-2017-11882 loader rat remcos keylogger stealer agenttesla
Link:
https://app.any.run/tasks/46c204c7-c373-4b11-b1a7-ecdcf0f1cc7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331937/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.18362.28123.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50939/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/636cf65082dd9f2e2653558b/reports/6112749f-a3fc-4d80-9df4-efba74ea26f5/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f33d581-b1bc-4bbf-9396-a038194dc7b3
Result
Threat name:
Remcos, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1110395
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743082 Sample: dV3si0Q3V7.exe Startdate: 10/11/2022 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 8 other signatures 2->98 10 dV3si0Q3V7.exe 4 2->10         started        14 Warixexi geniye fobecohi motipam forat raketigi cokac wivec.exe 2->14         started        16 Ccvzyymb.exe 2->16         started        18 Ccvzyymb.exe 2->18         started        process3 file4 68 Warixexi geniye fo...igi cokac wivec.exe, PE32 10->68 dropped 70 Warixexi geniye fo...exe:Zone.Identifier, ASCII 10->70 dropped 116 Self deletion via cmd or bat file 10->116 118 Uses schtasks.exe or at.exe to add and modify task schedules 10->118 20 Warixexi geniye fobecohi motipam forat raketigi cokac wivec.exe 10->20         started        23 cmd.exe 1 10->23         started        25 schtasks.exe 1 10->25         started        120 Writes to foreign memory regions 14->120 122 Allocates memory in foreign processes 14->122 124 Injects a PE file into a foreign processes 14->124 27 InstallUtil.exe 14->27         started        126 Machine Learning detection for dropped file 16->126 128 Encrypted powershell cmdline option found 16->128 29 powershell.exe 16->29         started        signatures5 process6 signatures7 100 Writes to foreign memory regions 20->100 102 Allocates memory in foreign processes 20->102 104 Injects a PE file into a foreign processes 20->104 31 InstallUtil.exe 2 19 20->31         started        106 Uses ping.exe to check the status of other devices and networks 23->106 36 PING.EXE 1 23->36         started        38 conhost.exe 23->38         started        40 chcp.com 1 23->40         started        42 conhost.exe 25->42         started        44 conhost.exe 29->44         started        process8 dnsIp9 80 maz.mastercoa.co 192.30.89.67, 3444, 49700, 49701 CLOUDSINGULARITYCA Canada 31->80 82 geoplugin.net 178.237.33.50, 49703, 80 ATOM86-ASATOM86NL Netherlands 31->82 84 192.168.2.1 unknown unknown 31->84 64 C:\Users\user\AppData\Local\Temp\dwn.exe, PE32 31->64 dropped 66 C:\ProgramData\remcos\logs.dat, data 31->66 dropped 88 Maps a DLL or memory area into another process 31->88 90 Installs a global keyboard hook 31->90 46 dwn.exe 1 6 31->46         started        50 InstallUtil.exe 1 31->50         started        52 InstallUtil.exe 2 31->52         started        54 InstallUtil.exe 1 31->54         started        86 127.0.0.1 unknown unknown 36->86 file10 signatures11 process12 file13 72 C:\Users\user\AppData\...\Ccvzyymb.exe, PE32 46->72 dropped 130 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 46->130 132 May check the online IP address of the machine 46->132 134 Machine Learning detection for dropped file 46->134 142 3 other signatures 46->142 56 dwn.exe 46->56         started        60 powershell.exe 46->60         started        136 Tries to steal Instant Messenger accounts or passwords 50->136 138 Tries to steal Mail credentials (via file / registry access) 50->138 140 Tries to harvest and steal browser information (history, passwords, etc) 52->140 signatures14 process15 dnsIp16 74 athath.com 23.235.211.235, 49705, 587 IMH-WESTUS United States 56->74 76 api.ipify.org.herokudns.com 54.91.59.199, 443, 49704 AMAZON-AESUS United States 56->76 78 2 other IPs or domains 56->78 108 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 56->108 110 Tries to steal Mail credentials (via file / registry access) 56->110 112 Tries to harvest and steal ftp login credentials 56->112 114 Tries to harvest and steal browser information (history, passwords, etc) 56->114 62 conhost.exe 60->62         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-10 13:02:43 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
21 of 40 (52.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvkluhsoztpkuvbd6c5omhy7s6u6egx4jor5wvpw423y3bf7e3hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
remcos
Create hunting rule
masslogger
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:remcos botnet:remotehost collection keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221110-p9sy1aaad4/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
AgentTesla
Remcos
Malware Config
C2 Extraction:
maz.mastercoa.co:3444
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/686d2d5d-d65c-4bb5-93b3-54549564eb66
Unpacked files
SH256 hash:
f186490c8b071d751ff4e3c3a0bde77ee58cb542297367b56ffa9f47a748e53e
MD5 hash:
e747c674d3dfed6a7effe7f406d7537f
SHA1 hash:
d63ce454961fa6bdd32aa8234877854236ad647d
Link:
https://www.unpac.me/results/d0ce03d6-b24b-441a-ad04-ee28bc6b9ea1/
SH256 hash:
4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf
MD5 hash:
86c99e1afb407b679aea553f8d37f702
SHA1 hash:
56c445922b3f489549b0e4986387d5b40a90b5b6
Link:
https://www.unpac.me/results/d0ce03d6-b24b-441a-ad04-ee28bc6b9ea1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2406882/
Cape
Cape
https://www.capesandbox.com/analysis/331937/

Comments


Avatar
zbet commented on 2022-11-10 13:02:12 UTC

url : hxxp://35.178.245.215/670/vbc.exe