MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57fbc090b3644bb9760b859c6bbdc8486892d10736adcc1dd6dca642e218acf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 15



SHA256 hash: 57fbc090b3644bb9760b859c6bbdc8486892d10736adcc1dd6dca642e218acf7
SHA3-384 hash: 9c7ca4008906626213ae6348f2cfb4a26ac1b5e2892154f94a92e99a7ef5eb046f0e9ca6777d9013092d3f831aa705a0
SHA1 hash: ed75d37d14424f88b1bcbfcd5dc63dc31f92c281
MD5 hash: f56bf9f1e47e6b4160860260ed79ab56
humanhash: tango-delta-iowa-freddie
File name: 57fbc090b3644bb9760b859c6bbdc8486892d10736adcc1dd6dca642e218acf7
Signature: RemcosRAT
File size: 603'648 bytes
First seen: 2022-12-08 11:49:13 UTC
Last seen: 2022-12-08 11:49:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:kcO5fmuDqQJgWWh2Ae1IUzjSCAmZJbxpDF:/O5fDqQJLIUaCA
TLSH: T18FD41ADF59553E08C38CBA70681735887F919C504548E0E8A7E937CA5A37FADCEA123E
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): PE icon
dhash icon: 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter: adrian__luca
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 171
Origin country: HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
57fbc090b3644bb9760b859c6bbdc8486892d10736adcc1dd6dca642e218acf7
Verdict:
Malicious activity
Analysis date:
2022-12-08 11:48:48 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 763404; sample vXAbVewf19.exe; start date 08/12/2022; architecture WINDOWS; score 100):
Top-level signatures: Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 8 other signatures
Processes started at the root: vXAbVewf19.exe, arqUBl.exe, remcos.exe, remcos.exe
- vXAbVewf19.exe: drops C:\Users\user\AppData\Roaming\arqUBl.exe (PE32), C:\Users\user\...\arqUBl.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp5A97.tmp (XML), C:\Users\user\AppData\...\vXAbVewf19.exe.log (ASCII); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; starts vXAbVewf19.exe, powershell.exe, schtasks.exe
- arqUBl.exe: signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes; starts schtasks.exe and 3 other processes
- remcos.exe (each of the two root instances): starts schtasks.exe and remcos.exe
- vXAbVewf19.exe (child instance): drops C:\Users\user\remcos\remcos.exe (PE32), C:\Users\user\...\remcos.exe:Zone.Identifier (ASCII); starts cmd.exe
- powershell.exe and each schtasks.exe instance: starts conhost.exe
- cmd.exe: signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; starts remcos.exe, PING.EXE, conhost.exe
- PING.EXE: contacts 127.0.0.1 (unknown unknown)
- remcos.exe (started by cmd.exe): signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; starts powershell.exe, schtasks.exe, remcos.exe
- powershell.exe and schtasks.exe (started by that remcos.exe): each starts conhost.exe
- remcos.exe (final instance): network contact 91.192.100.41, 49701, 49702, 49703 AS-SOFTPLUSCH Switzerland
Threat name:
ByteCode-MSIL.Trojan.Dothetuk
Status:
Malicious
First seen:
2022-11-25 02:28:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 26 (80.77%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:remcos botnet:host persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
91.192.100.41:8600
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
7697b94b5a3988784a03ec34e0bf3babddae284cc4457695bb85dc89934b741d
MD5 hash:
6b24764afcb8b5d742bba478d730f5eb
SHA1 hash:
e5660f61b9746efe154d3fb48d795cf2ec6ea24a
Detections:
Remcos win_remcos_auto win_remcos_g0
SHA256 hash:
babedcfd5858e86de4f725411e0770dac3d0876844eeb3db099c21d9a77fd44c
MD5 hash:
6bfaa8d23d69b6f2c7ac95748a4be3c3
SHA1 hash:
7a6442ca252e982adea4d933d26d3692dde6c36c
SHA256 hash:
de4ce9c6e3c9c5d3e7f88d9303f137377ba188a0e23b8e07df2ca0be349dbedb
MD5 hash:
90dd2450dc51fb637237a71337e6c774
SHA1 hash:
7885756cd9b31e0b11903dd7048e69b07b2f886a
SHA256 hash:
744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f
MD5 hash:
91fed5db1afcdf48e0cd6d4058a013ba
SHA1 hash:
3717b3346e25d3f66f00626ad1a771d8655f485f
SHA256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
SHA256 hash:
57fbc090b3644bb9760b859c6bbdc8486892d10736adcc1dd6dca642e218acf7
MD5 hash:
f56bf9f1e47e6b4160860260ed79ab56
SHA1 hash:
ed75d37d14424f88b1bcbfcd5dc63dc31f92c281
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments