MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
SHA3-384 hash: 32e97566f8be2d27fb751a92565eeff5fb72838e4f64f5b40d3ce47a29ba152fea853675a3b7c6cab6f784b2ce162be2
SHA1 hash: 1e681faa82a3e65e1ea9f7e829af35aebf99da1e
MD5 hash: 20a500fd451c33e49c77aaf6cd79b1d9
humanhash: black-maryland-asparagus-spaghetti
File name:59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'044'992 bytes
First seen:2023-06-08 12:07:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:fEmFxUYl8y5VHiiR7Ya2yvTzLeTl28APMmQZglLam:smFxUYzeiR7DTEVfhZK
Threatray 2'032 similar samples on MalwareBazaar
TLSH T1E42512A462D68B27C03F07FD40A18DB403FA599ABA31E7539DD370ED2B1BB698D05907
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
Verdict:
Malicious activity
Analysis date:
2023-06-08 12:09:58 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/c1e594ca-a49a-4f7a-92cf-e682a22bba4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396946/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67283466.2429.5547.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6481c4a3ac63cac41b536a02/reports/487f9c39-ff2b-40b4-9457-b2e97958440f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f600a09d-3440-4792-942e-d28832d6fed2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251274
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 884292 Sample: gAhlYsnGKU.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 7 other signatures 2->49 7 gAhlYsnGKU.exe 7 2->7         started        11 AShWCrYsHjW.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\AShWCrYsHjW.exe, PE32 7->31 dropped 33 C:\Users\...\AShWCrYsHjW.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpD4C2.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\gAhlYsnGKU.exe.log, ASCII 7->37 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 13 vbc.exe 3 13 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 21 schtasks.exe 1 11->21         started        23 vbc.exe 11->23         started        signatures5 process6 dnsIp7 39 89.37.99.49, 49694, 5888 BANDWIDTH-ASGB Romania 13->39 41 geoplugin.net 178.237.33.50, 49695, 80 ATOM86-ASATOM86NL Netherlands 13->41 59 Contains functionality to bypass UAC (CMSTPLUA) 13->59 61 Contains functionality to steal Chrome passwords or cookies 13->61 63 Contains functionality to modify clipboard data 13->63 65 2 other signatures 13->65 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 01:22:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhlqlx23jvvd5amnkuu54ytqhf4jsi43uynbt52gu4kjo2fupelq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
RemcosRAT
2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
RemcosRAT
44b9c7b495d855d23b1dce528639b2a726a1b89f0f5968df842a508d0f6d3f43
RemcosRAT
5b1e8d8e1c47866009a79f371befaff9f673cb07656a0eb9509771dffd8f7ea7
RemcosRAT
88c915fc9b19666779df6aa7bf4be92a7bc293ba9a00269ae1e83f2605a54f50
RemcosRAT
b6c627336f2b88a0eaa3a58ef166fa2c5eed3b409c649a7228b1d3c8573a770b
RemcosRAT
c57ef56c3465d7d32b6851cdfd6d950fbbc53a40c825f547f4b4cc0f01123346
RemcosRAT
d4bbd5ce6f012df9861c4bee326c87539c7b92b5cbdfb73b54fd7f1321d15eb9
RemcosRAT
d7300cfd284114c32015ed2c8d711f8d5c204428e85addd79fc73539c024ca7e
RemcosRAT
d935d16b1603eb83d9c8587e3fe36ba247341adb572bac99a291f35bd13d7292
RemcosRAT
+ 2'022 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230608-pawkvafg9w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
89.37.99.49:5888
Unpacked files
SH256 hash:
dcf06daa3fa698b1c13d0bf26009b4bfbefca519a6a3752fb3dbcf6706ebce5e
MD5 hash:
50a6292d294284a2c21378f183888508
SHA1 hash:
d6edb6c579287f762463e55cd4c89cbb85f53ef3
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/cdc60261-afa5-4a11-ae09-01b3634b703c/
Parent samples :
44b9c7b495d855d23b1dce528639b2a726a1b89f0f5968df842a508d0f6d3f43
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
SH256 hash:
e8a270eddc30b24d9c1ced3a6605c3a678c07f3f2caa151268ee0536181d23bc
MD5 hash:
3e70f963bf5ff96fda2569b468dccb8c
SHA1 hash:
adc942057fbfef08ab76fb75c9dfbe0b87453c27
Link:
https://www.unpac.me/results/cdc60261-afa5-4a11-ae09-01b3634b703c/
SH256 hash:
71529d90d5b98732515a2a21debbfade6f2cde9eb97822389e4d8db6171bcc17
MD5 hash:
4594e0d81c10eafe903bd0c739729f61
SHA1 hash:
a92e934eba600e1e40738967c799f076d842c796
Link:
https://www.unpac.me/results/cdc60261-afa5-4a11-ae09-01b3634b703c/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/cdc60261-afa5-4a11-ae09-01b3634b703c/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/cdc60261-afa5-4a11-ae09-01b3634b703c/
SH256 hash:
59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
MD5 hash:
20a500fd451c33e49c77aaf6cd79b1d9
SHA1 hash:
1e681faa82a3e65e1ea9f7e829af35aebf99da1e
Link:
https://www.unpac.me/results/cdc60261-afa5-4a11-ae09-01b3634b703c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/59d705df5b4d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396946/

Comments