MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 576f3d1efa9d9cc9d03d9bd4a57ac9f5fc009ae9c58ece73294dcdd188a0c5c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 576f3d1efa9d9cc9d03d9bd4a57ac9f5fc009ae9c58ece73294dcdd188a0c5c5
SHA3-384 hash: 8e953937d4f2a4c2a49c82949d8ea3c7cff4062e3ac597ab402cc365b26a58205dabe6b4fabba4b369c4e78ac10def0f
SHA1 hash: 0424dbd881ddc17423108da34ec178d1f51694d3
MD5 hash: 49107cf57f544aef993aa1826a4a0207
humanhash: cold-failed-lima-friend
File name:Document.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:771'072 bytes
First seen:2022-06-06 11:35:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f36bbdc85b36e5694ab5c5cef2c2763 (2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:hYeDiSus6JJR8fwxZZXvxrW6Cr+NHJbdzJjAWoJ:hY0ivs6x8fsvXllCSpJ3RoJ
TLSH T1B0F46B2EA69043F3D3B61A39DC1A795C59167EE0ED14794E3ADF3A5C0A3428D7C1B8C2
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 74f4888b8c8980a4 (2 x RemcosRAT, 1 x Formbook)
Reporter madjack_red
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Document.exe
Verdict:
Malicious activity
Analysis date:
2022-06-06 11:57:09 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/1654ea6c-ce42-40e9-b6f5-88b8e4aba999

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277012/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.29153.23515.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger
Link:
https://www.filescan.io/uploads/629de6865dc88d357164932a/reports/808855f3-e7e7-4425-a5f8-1b5442503c99/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cc5578d-1a2d-4c58-bd73-8d0cf6dbf5cc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007301
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 639792 Sample: Document.exe Startdate: 06/06/2022 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 8 Document.exe 1 21 2->8         started        13 Lahylvxgux.exe 2->13         started        15 Lahylvxgux.exe 2->15         started        process3 dnsIp4 35 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49757, 49759 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->35 37 zplkaa.dm.files.1drv.com 8->37 39 2 other IPs or domains 8->39 29 C:\Users\Public\Libraries\Lahylvxgux.exe, PE32 8->29 dropped 31 C:\Users\...\Lahylvxgux.exe:Zone.Identifier, ASCII 8->31 dropped 55 Writes to foreign memory regions 8->55 57 Creates a thread in another existing process (thread injection) 8->57 59 Injects a PE file into a foreign processes 8->59 17 logagent.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        61 Multi AV Scanner detection for dropped file 13->61 63 Machine Learning detection for dropped file 13->63 file5 signatures6 process7 dnsIp8 33 stopeet.camdvr.org 45.133.174.192, 2404, 49763 ASBLANKPROXIESGB United Kingdom 17->33 49 Contains functionality to steal Chrome passwords or cookies 17->49 51 Contains functionality to steal Firefox passwords or cookies 17->51 53 Delayed program exit found 17->53 23 cmd.exe 1 21->23         started        25 conhost.exe 21->25         started        signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/576f3d1efa9d9cc9d03d9bd4a57ac9f5fc009ae9c58ece73294dcdd188a0c5c5/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-06-06 00:04:43 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5xt2hx2twomtub5tpkkk6wj6x6abgxjywhm44zjjxg5dcfayxcq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost collection persistence rat trojan
Link:
https://tria.ge/reports/220606-np1bxafge6/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
stopeet.camdvr.org:2404
amalar.camdvr.org:2404
prosir.casacam.net:2404
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/ba70507e-e80b-4f00-bbe2-10058664e083/
SH256 hash:
576f3d1efa9d9cc9d03d9bd4a57ac9f5fc009ae9c58ece73294dcdd188a0c5c5
MD5 hash:
49107cf57f544aef993aa1826a4a0207
SHA1 hash:
0424dbd881ddc17423108da34ec178d1f51694d3
Link:
https://www.unpac.me/results/ba70507e-e80b-4f00-bbe2-10058664e083/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/576f3d1efa9d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/576f3d1efa9d9cc9d03d9bd4a57ac9f5fc009ae9c58ece73294dcdd188a0c5c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277012/

Comments