MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5773fd214b8cb2cbc8a3ad95f4ab9cfadf011c4a823e1cfbb389b1bc1852f081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5773fd214b8cb2cbc8a3ad95f4ab9cfadf011c4a823e1cfbb389b1bc1852f081
SHA3-384 hash: 74d2cfb83c7a29406600d6a870bd07f1241440a84cab927b1b996d92a347bdc96e9e8d1211eda14e5f8c3b38fbb00089
SHA1 hash: 7983c391402adceefa13970da43cf2447827486f
MD5 hash: 83d5b25a4413fbf2460d42d4ba6adee2
humanhash: fish-jig-stairway-aspen
File name:83d5b25a4413fbf2460d42d4ba6adee2
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:743'936 bytes
First seen:2021-06-25 18:36:36 UTC
Last seen:2021-06-25 19:38:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:K6097AnrMYczBQlUfXH3ZU7hDtTEJ5W3iHuwICYPMnsdtojP3UOEbbZvXbTXBUv:K6k7kXgBwUv321DyJgE8CWvcfUrZa
Threatray 279 similar samples on MalwareBazaar
TLSH 1BF4F18837F88F63D1BA47F956A5640083F97A3B663AE5491DC330CA06B5F004E95F6B
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
83d5b25a4413fbf2460d42d4ba6adee2
Verdict:
Malicious activity
Analysis date:
2021-06-25 18:41:28 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/7008dcac-a27e-4866-b7af-11e208bcc44e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168380/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.13184.23349.11573.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fd6bb16-e511-473a-8393-1450911ea725
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808272
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MS Office Product Spawning Exe in User Dir
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440683 Sample: sw5Bl89Q05 Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 79 Multi AV Scanner detection for domain / URL 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 11 other signatures 2->85 11 sw5Bl89Q05.exe 6 2->11         started        16 EXCEL.exe 4 2->16         started        18 EXCEL.exe 2->18         started        process3 dnsIp4 77 192.168.2.1 unknown unknown 11->77 67 C:\Users\user\AppData\Roaming\OlaJGJsgC.exe, PE32 11->67 dropped 69 C:\Users\user\AppData\Local\...\tmp857B.tmp, XML 11->69 dropped 71 C:\Users\user\AppData\...\sw5Bl89Q05.exe.log, ASCII 11->71 dropped 89 Contains functionality to steal Chrome passwords or cookies 11->89 91 Contains functionality to inject code into remote processes 11->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 11->93 99 2 other signatures 11->99 20 sw5Bl89Q05.exe 4 5 11->20         started        23 schtasks.exe 1 11->23         started        95 Injects a PE file into a foreign processes 16->95 97 Injects files into Windows application 16->97 25 schtasks.exe 16->25         started        27 EXCEL.exe 16->27         started        29 EXCEL.exe 16->29         started        31 schtasks.exe 18->31         started        33 EXCEL.exe 18->33         started        file5 signatures6 process7 file8 61 C:\Users\user\AppData\Roaming\...XCEL.exe, PE32 20->61 dropped 63 C:\Users\user\...XCEL.exe:Zone.Identifier, ASCII 20->63 dropped 65 C:\Users\user\AppData\Local\...\install.vbs, data 20->65 dropped 35 wscript.exe 1 20->35         started        37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 31->41         started        process9 process10 43 cmd.exe 1 35->43         started        process11 45 EXCEL.exe 5 43->45         started        49 conhost.exe 43->49         started        file12 73 C:\Users\user\AppData\Local\...\tmp34A7.tmp, XML 45->73 dropped 101 Document exploit detected (process start blacklist hit) 45->101 103 Injects a PE file into a foreign processes 45->103 105 Injects files into Windows application 45->105 51 EXCEL.exe 45->51         started        55 schtasks.exe 45->55         started        57 EXCEL.exe 45->57         started        signatures13 process14 dnsIp15 75 mk.gdssa.cloudns.ph 194.5.98.41, 49767, 9007 DANILENKODE Netherlands 51->75 87 Installs a global keyboard hook 51->87 59 conhost.exe 55->59         started        signatures16 process17
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5773fd214b8cb2cbc8a3ad95f4ab9cfadf011c4a823e1cfbb389b1bc1852f081/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 18:37:09 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5z72iklrszmxsfdvwk7jk447lpqchckqi7bz65trgy3ygcs6caq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d
RemcosRAT
4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605
RemcosRAT
4e4463e40d78f3eb63012ed1f3aa7727d98ff68fc9c7b69cf6c0f482c9483476
RemcosRAT
57bbdab22d9197c60e2bb9aa35a36321276518c07716a71a0c7005944473a03d
RemcosRAT
6761993e603b7084d87c6abe972c61d7129a11a60bc1ef564971f183b66e6ae8
RemcosRAT
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e
RemcosRAT
a0bb5a244b144a8e10087fd70a04580c3bb8c4c8add7da671a06f10020473004
RemcosRAT
ba410d1931172915171c7769f798d6aaa1eab9f923c98f178f615ad75a6544f2
RemcosRAT
c85d33153d768a2f98066c8ba07e58890cbac4c185e4ef45739fb03750e1088b
RemcosRAT
f4dcc52b899bbe0d34ffbb44032c0186953c174beaf647c0556c7e71385c6bb4
RemcosRAT
+ 269 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210625-vmx49bq7ln/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
mk.gdssa.cloudns.ph:9007
Unpacked files
SH256 hash:
fb9ff006fbc9ec37c3131807e075c8d10dfa28f0896af8dfaac5fd01fa02f992
MD5 hash:
eb450384812161b04aa04708320c4549
SHA1 hash:
594f181efc2cb452a9b5ec191c46461b9223a019
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/f387e70c-3d09-4bbe-9aee-7dd4f8b8edde/
SH256 hash:
37d0b22e44048ddf692a1bf84c866b81cf1433af7b412d44565cb5a92846bb21
MD5 hash:
a0b2bf005d06954728550cbf0a00ed4f
SHA1 hash:
57cbe08f5d8de65a4ffa230156ab9b2dabe0aa89
Link:
https://www.unpac.me/results/f387e70c-3d09-4bbe-9aee-7dd4f8b8edde/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/f387e70c-3d09-4bbe-9aee-7dd4f8b8edde/
SH256 hash:
5773fd214b8cb2cbc8a3ad95f4ab9cfadf011c4a823e1cfbb389b1bc1852f081
MD5 hash:
83d5b25a4413fbf2460d42d4ba6adee2
SHA1 hash:
7983c391402adceefa13970da43cf2447827486f
Link:
https://www.unpac.me/results/f387e70c-3d09-4bbe-9aee-7dd4f8b8edde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5773fd214b8cb2cbc8a3ad95f4ab9cfadf011c4a823e1cfbb389b1bc1852f081

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 5773fd214b8cb2cbc8a3ad95f4ab9cfadf011c4a823e1cfbb389b1bc1852f081

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1395138/
Cape
Cape
https://www.capesandbox.com/analysis/168380/

Comments