MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b
SHA3-384 hash: 2197e34fc1f77090a46040d0fb925d318e6ebb4a955502dc176b557a34561590ced4dd869ff0f7f67b6db9db9e2e7490
SHA1 hash: 5a51f6bddb0e890a710fe8c13017e8902e7123fd
MD5 hash: 4841f41452ae6adfbfdcaa30e253261f
humanhash: hawaii-bacon-west-magazine
File name:4841f41452ae6adfbfdcaa30e253261f.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:491'520 bytes
First seen:2022-07-11 09:23:42 UTC
Last seen:2022-08-10 09:28:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ffYAT7r3CNnY74Cfie3tC3Vl5kJlLljwBkuIoiCg5y:fgICM46iAtGCJlxMdiCg5
Threatray 3'236 similar samples on MalwareBazaar
TLSH T1C6A42317EA0B1E8FDA1EB37A3DA505CE4A6C9B2358864725ECD071770E213D6901BB7C
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eaa98b5c243d8ab6 (4 x AZORult, 3 x RemcosRAT, 2 x XFilesStealer)
Reporter abuse_ch
Tags:dropped exe goldrushaw-ug RAT RemcosRAT

Intelligence

File Origin
# of uploads :
7
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
4841f41452ae6adfbfdcaa30e253261f.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 20:57:39 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/65a50b31-5a92-4cf8-8c0f-9a24ea5b313d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286101/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.22900.23943.29642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/62cbec3a7d5b150059f2fd77/reports/834b4f93-b6db-4b3c-a829-028b87bca948/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
gzRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d82b558a-0e12-4468-b885-ca0eec2cb153
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028481
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 660980 Sample: HZCKGJbpkR.exe Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 35 tuekisaa.ac.ug 2->35 37 parthaha.ac.ug 2->37 39 2 other IPs or domains 2->39 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 7 HZCKGJbpkR.exe 1 6 2->7         started        11 Yjlgdlfzs.exe 3 2->11         started        13 Yjlgdlfzs.exe 2 2->13         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\Yjlgdlfzs.exe, PE32 7->29 dropped 31 C:\Users\...\Yjlgdlfzs.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\HZCKGJbpkR.exe.log, ASCII 7->33 dropped 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 59 Injects a PE file into a foreign processes 7->59 15 InstallUtil.exe 7->15         started        18 InstallUtil.exe 2 3 7->18         started        21 InstallUtil.exe 7->21         started        61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 23 InstallUtil.exe 11->23         started        25 InstallUtil.exe 13->25         started        27 InstallUtil.exe 13->27         started        signatures6 process7 dnsIp8 67 Contains functionality to steal Chrome passwords or cookies 15->67 69 Contains functionality to inject code into remote processes 15->69 71 Contains functionality to steal Firefox passwords or cookies 15->71 73 Delayed program exit found 15->73 41 nikahuve.ac.ug 194.5.98.107, 49704, 49708, 49709 DANILENKODE Netherlands 18->41 43 tuekisaa.ac.ug 18->43 45 3 other IPs or domains 18->45 75 Installs a global keyboard hook 18->75 signatures9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-07-10 16:10:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwlwehtroqopjyvzb26rmka53mwb72agwpconps255zyzx3zbcnq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
082525150d7aace7e21b3bfb469f86c2e7239593c50cebc143d7f8a66b898b83
RemcosRAT
0a7baae0933a14082beb95b1c5484dd958e333f7fc499f645c1d550d8ad124a1
RemcosRAT
21323faa5f74ccc103e64f30bc31b36e0cfc971a601b59502713151ad4f465db
RemcosRAT
5482c9775362ce202cf44b082ce747f7e69f522a903ccc031c975cc714c82a8c
RemcosRAT
62671da23d0acb718d487ed7e7ad280f615915d3551e0a65b0ac82966a6610d9
RemcosRAT
91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
RemcosRAT
b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0
RemcosRAT
db8a8a4bf1e1e63ef1bd27f8131dfeb14bca74e9d68605cf71e9eac5126baa48
RemcosRAT
dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e
RemcosRAT
+ 3'226 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:06192022 persistence rat
Link:
https://tria.ge/reports/220711-lc2m4aabf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Unpacked files
SH256 hash:
9eb8089033e6a97cf2d6b37cfb7401c1df8d5d08276bab45a24133357ec3703f
MD5 hash:
fdb3ec775b4fb87a32b0c7d73a4fef0e
SHA1 hash:
ffe9b75809a596b1b73516783cf143e8c40f7a55
Link:
https://www.unpac.me/results/704fb185-5e8b-4b1c-bd8c-c9d2b866c1e2/
SH256 hash:
b7c4ca3c35e1920b15085def9e241c842adff950787176c9450f970d2f87bd0f
MD5 hash:
35beb0844ec7d898527e7342a163aecb
SHA1 hash:
cce3c0e1762bbb03a05bc4f0fefc88b76015f623
Link:
https://www.unpac.me/results/704fb185-5e8b-4b1c-bd8c-c9d2b866c1e2/
SH256 hash:
3621a51526c891964aa7114acd96aa35f4c6c0f0b50033a9904addeeb3c5648b
MD5 hash:
32594ee43a12fdc1814a210ba75d3cf5
SHA1 hash:
a6af7ef26e6af33b62f29eaf22c601635014f0ce
Link:
https://www.unpac.me/results/704fb185-5e8b-4b1c-bd8c-c9d2b866c1e2/
SH256 hash:
e73a30ffb8a5d5336c2c4a835cc19c4c8218b9f4ff6d9cdce401cbc1588a5530
MD5 hash:
8349487a92c07d77e9cef262b651a375
SHA1 hash:
51b5408b0321ac474e4b968ae595f7998742611a
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/704fb185-5e8b-4b1c-bd8c-c9d2b866c1e2/
Parent samples :
a1098873c94184cf24edd24c3883f4be52224575da34f0469ad4a525c852ef28
5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b
SH256 hash:
5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b
MD5 hash:
4841f41452ae6adfbfdcaa30e253261f
SHA1 hash:
5a51f6bddb0e890a710fe8c13017e8902e7123fd
Link:
https://www.unpac.me/results/704fb185-5e8b-4b1c-bd8c-c9d2b866c1e2/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5d97621e7174/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 5d97621e71741cf4e2b90ebd16281ddb2c1fe806b3c4e6be5aef738cdf79089b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2244880/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286101/

Comments