MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
SHA3-384 hash: 589356b0f14959ce6f1c6f7249573ff3d73065ac884d03170bbc7ac2df398a2fd1bc1ca259b01839d8c27fd1e5ef250f
SHA1 hash: ff42b517c77a1e7fd1e8c133cdc3702f455e2a2f
MD5 hash: ebb80429c2ab3a4b98092d9681c83a0f
humanhash: kilo-aspen-october-tango
File name:ebb80429c2ab3a4b98092d9681c83a0f
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:330'682 bytes
First seen:2022-10-11 15:55:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZm2smfQ8gA3mXO5cOZuIpkgaB/uPLDmzxxznqJRMVYaWp2Oal0t8FqD:HNl3mfQq3/JX0QLDi/zsaaz
Threatray 2'006 similar samples on MalwareBazaar
TLSH T1DC64138516A4C57BEEF28B722D3E1B15E7FB2C122478221F37440B89B4639D1BD8E359
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319007/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Running batch commands
Searching for the window
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42535/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/634591d985e82ed6ff0e96cd/reports/51b1af3c-5c4b-4dd1-b59a-3b49538a15ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e787c0a6-f473-4dd6-8669-9d75967a1b03
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088137
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found hidden mapped module (file has been removed from disk)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720730 Sample: UNOspUakIB.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 Yara detected Remcos RAT 2->90 92 3 other signatures 2->92 11 UNOspUakIB.exe 18 2->11         started        14 remcos.exe 2 2->14         started        17 remcos.exe 2->17         started        process3 file4 70 C:\Users\user\AppData\Local\Temp\mzzfe.exe, PE32 11->70 dropped 19 mzzfe.exe 1 11->19         started        72 C:\Users\user\AppData\Local\Temp\51E0.tmp, PE32 14->72 dropped 74 C:\Users\user\AppData\Local\Temp\4B95.tmp, PE32 14->74 dropped 106 Maps a DLL or memory area into another process 14->106 23 remcos.exe 14->23         started        25 remcos.exe 14->25         started        27 WerFault.exe 14->27         started        76 C:\Users\user\AppData\Local\Temp\6B62.tmp, PE32 17->76 dropped 29 remcos.exe 17->29         started        31 WerFault.exe 17->31         started        signatures5 process6 file7 66 C:\Users\user\AppData\Local\Temp\F613.tmp, PE32 19->66 dropped 94 Contains functionalty to change the wallpaper 19->94 96 Contains functionality to steal Chrome passwords or cookies 19->96 98 Contains functionality to register a low level keyboard hook 19->98 100 4 other signatures 19->100 33 mzzfe.exe 5 4 19->33         started        36 WerFault.exe 23 9 19->36         started        signatures8 process9 file10 62 C:\ProgramData\Remcos\remcos.exe, PE32 33->62 dropped 64 C:\Users\user\AppData\Local\...\install.vbs, data 33->64 dropped 38 wscript.exe 1 33->38         started        process11 process12 40 cmd.exe 1 38->40         started        42 remcos.exe 1 38->42         started        file13 46 remcos.exe 1 40->46         started        50 conhost.exe 40->50         started        68 C:\Users\user\AppData\Local\Temp\288D.tmp, PE32 42->68 dropped 104 Maps a DLL or memory area into another process 42->104 52 WerFault.exe 42->52         started        54 remcos.exe 42->54         started        signatures14 process15 file16 78 C:\Users\user\AppData\Local\Temp\137E.tmp, PE32 46->78 dropped 108 Found hidden mapped module (file has been removed from disk) 46->108 110 Maps a DLL or memory area into another process 46->110 56 remcos.exe 2 16 46->56         started        60 WerFault.exe 19 9 46->60         started        signatures17 process18 dnsIp19 80 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 56->80 82 91.192.100.20, 49697, 7967 AS-SOFTPLUSCH Switzerland 56->82 102 Installs a global keyboard hook 56->102 84 192.168.2.1 unknown unknown 60->84 signatures20
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc/
Threat name:
Win32.Trojan.Elevator
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 15:20:52 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j57gohbg4juzmh72njtdtjksfntma3emcgn57muxpf2hho33js6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
3c21819ed32b31c231e20b51b1f956e4160a7b8dbfe7468b096ce64b4b138007
RemcosRAT
5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836
RemcosRAT
8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189
RemcosRAT
9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e
RemcosRAT
+ 1'996 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:test persistence rat upx
Link:
https://tria.ge/reports/221011-tcrrwschak/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Remcos
Malware Config
C2 Extraction:
91.192.100.20:7967
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f7d4df23-3eff-4f86-8f29-f932314590b9
Unpacked files
SH256 hash:
6eed9b3d658b78350df592eeac27e672dcb06b596ee92ea3dcedb48f3bedae12
MD5 hash:
bde82f7ae3aa0ef8abcfd541aa8fdb56
SHA1 hash:
d68ae4535984b7fa28468e10440ef2fbc419ecfa
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c66af954-625e-4357-9e25-81d58354f63e/
Parent samples :
9bd4004d7b777b2b3e5228419c24ded2b93b128b1a9becd9d8914c008a04d2a0
6666e726f66dfa52c7c2e17523f4a72b3936539fd6baddea1cf5b2b35e9f49b0
4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
SH256 hash:
a1c19d3a781af8ce19836bf600f4d49b3df02338af7bcab960ea6a6f03ce914d
MD5 hash:
0441aaf5a815eeb2e69a76b1a462fb5a
SHA1 hash:
c315440ae55e779c8a0c4cf7c6fb9dbb9a03daf5
Link:
https://www.unpac.me/results/c66af954-625e-4357-9e25-81d58354f63e/
SH256 hash:
4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
MD5 hash:
ebb80429c2ab3a4b98092d9681c83a0f
SHA1 hash:
ff42b517c77a1e7fd1e8c133cdc3702f455e2a2f
Link:
https://www.unpac.me/results/c66af954-625e-4357-9e25-81d58354f63e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f7e671c26e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/319007/
  
URLhaus
https://urlhaus.abuse.ch/url/2360265/

Comments