MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73
SHA3-384 hash: 1beb7125abff1b987e07f9a92a4950e4fffa7e6c40c7a369a2bbaa92f3b462a1ffcac614269665327f28296a269ae8ac
SHA1 hash: 20a733b4648841b814cf75c54b0c25115929681f
MD5 hash: 8228733874fb4ab20e6408b1a9614702
humanhash: fix-rugby-finch-louisiana
File name:SecuriteInfo.com.W32.AIDetect.malware2.11754.31686
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:660'992 bytes
First seen:2022-04-13 15:33:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc08e3dcf581592f42dd52ef0693ef6f (2 x NetWire, 2 x Formbook, 1 x RemcosRAT)
ssdeep 12288:SV5hrBcyifyiAjphZ141ynGoL1RhZOxhLh2xZec4qOr:eD+yif1AXZ2mL1RKxhcxbc
Threatray 7'347 similar samples on MalwareBazaar
TLSH T147E48E11F290CE33E83B1EB94C0B679C5927BE536E1862C736F49E0D7B766813529293
File icon (PE):PE icon
dhash icon 0c321272b98ca6d9 (12 x Formbook, 7 x RemcosRAT, 5 x DBatLoader)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.11754.31686
Verdict:
Malicious activity
Analysis date:
2022-04-13 15:35:48 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/f9d38c19-b7c7-4ca4-ab13-5390c9809b6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263475/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware2.11754.31686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13788/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed
Link:
https://www.filescan.io/uploads/6256ed78ffe27d5119c33417/reports/291a79d4-8edd-4035-9cae-65a1b5657c8f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f257e5a3-158f-44a8-a70d-1b7c3b2dce7e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/976305
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 608792 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 13/04/2022 Architecture: WINDOWS Score: 100 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 5 other signatures 2->69 8 Isclsci.exe 16 2->8         started        12 SecuriteInfo.com.W32.AIDetect.malware2.11754.exe 1 23 2->12         started        15 Isclsci.exe 16 2->15         started        process3 dnsIp4 41 i-am3p-cor003.api.p001.1drv.com 40.90.142.224, 443, 49749, 49751 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->41 49 5 other IPs or domains 8->49 71 Multi AV Scanner detection for dropped file 8->71 73 Writes to foreign memory regions 8->73 75 Allocates memory in foreign processes 8->75 17 DpiScaling.exe 8->17         started        43 i-am3p-cor001.api.p001.1drv.com 40.90.142.230, 443, 49740, 49742 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->43 45 tp5e5w.am.files.1drv.com 12->45 51 4 other IPs or domains 12->51 33 C:\Users\Public\Libraries\Isclsci.exe, PE32 12->33 dropped 35 C:\Users\...\Isclsci.exe:Zone.Identifier, ASCII 12->35 dropped 77 Creates a thread in another existing process (thread injection) 12->77 79 Injects a PE file into a foreign processes 12->79 20 logagent.exe 2 2 12->20         started        23 cmd.exe 1 12->23         started        47 i-am3p-cor006.api.p001.1drv.com 13.104.158.180, 443, 49757, 49760 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->47 53 5 other IPs or domains 15->53 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 55 Contains functionality to steal Chrome passwords or cookies 17->55 57 Contains functionality to inject code into remote processes 17->57 59 Contains functionality to steal Firefox passwords or cookies 17->59 37 moroga.camdvr.org 104.214.103.50, 2404, 49747 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->37 39 192.168.2.1 unknown unknown 20->39 61 Delayed program exit found 20->61 27 cmd.exe 1 23->27         started        29 conhost.exe 23->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 15:34:07 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcl646t7hbuajmi4ino3eszuypsuxmtljs2fnhdmrqdpi4krhrzq._file
Verdict:
malicious
Similar samples:
3ba7ad2a718413ab6d36dd156bbdd5ac1bcca860f039b14c4cb4382aee58bc88
RemcosRAT
3e755ebc4b3e451616df6473cf0f804e3c0d79e06e4f7bd54f94544848961f12
RemcosRAT
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
RemcosRAT
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
RemcosRAT
6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128
RemcosRAT
9ef6b1868ca09cf927398496746dc5c1e73980fe7e3c1ffe4f45004a1f11d16b
RemcosRAT
c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f
RemcosRAT
+ 7'337 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220413-szqyfacher/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
moroga.camdvr.org:2404
amalar.camdvr.org:2404
stopeet.camdvr.org:2404
stopeet1.camdvr.org:2404
stopeet2.camdvr.org:2404
stopeet3.camdvr.org:2404
Unpacked files
SH256 hash:
4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b
MD5 hash:
f125d9101ccc3b42b5a847f8182b85e5
SHA1 hash:
c2f18fe8876110488df97d0818e0dd3cb89b0105
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/292d36c2-8a11-40a3-a0e3-27a683652df8/
Parent samples :
3e25c1a249031c7ec06d4d6ad15a9dcd9f6cf0a72053663ebdd7a31eafb59c35
710c03f2e039d3bde583d2fa87faa58d17cbe6655a31b1e4e7890bf9687952c5
3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481
805d05e4bc4ea60742052443cb9e2a4b3527aee8f311862ed37ec98559884555
571776f9f0168eb83034055ce51c1c72d1dcc6cb10445ac4de70104f97a170ff
2bc652d367cd94c0eb550959e49567754d73f8eb19a485cc229ffe4caab5605d
afb058fdd8aa200fe754289c9b48d8876f4bbd7cbcefc964742d76c32a990340
7ac202314f674281f31bad6e38a61c4bdd54c07f14b6dfd260d0665b8f2d0fa5
4690e84717b8b884bec65eddf700c6c99cfd19ebacbeadd766f9c3088c291112
03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
7cb6095dfefda254e0f96c3613cddcbcff7ce50b57a78e7f369d846d222eef49
82fc93baeea70f5e1c60ea976212b5cd2a33402ede66cd0efb059eaa5fae8150
b931f34008a112398ad48f0bd4e2e955dd7385bcc5cafd41cdb2220f26bddc44
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
687b7b359a5cac51eeb2d8bd04b147bdca3af96f148c2e560b3aff235d48e6b0
bea87dfd8f3d79c5948163bb57da34a9c86b798817c9e5b9c8f169175b3f2a33
27309bb8844a4d48af2527787b781fdac2917d6f75f870743428a3e7aa44fc1a
fcc249e21fb278d56fcc3758f3b5f3730420688791b2195255ae8e6cc4bc5334
a421a1405a23a9e8e3807cee8c264a3068171e19f01f3d00e318a1757024db18
ee0e3ef0d4e024fee83ad9744a0c2fda54ea009c099144d7f3f5972b0e3c7c4d
4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b
70784bb09d094929ecd5666ae8d5ee613c7dbee18a21b009595f0b19777f5ec5
3f402617d9bbe740d49a4c0e0b17e4c704a11f04ad5c708a08c5a6988e7c181f
c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f
5a66917ff5fd5809f0c83a8240aeb983799f54916c0f45d2f1af61de5b7741f1
ac749d4dc15be0711d85256e946a41958427a7468dc3e15f0069d3691364c45a
c130e105a03b4d144a63a8be13f6c84aa4bb01df2a566756e022e79bec487c20
6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128
9ef6b1868ca09cf927398496746dc5c1e73980fe7e3c1ffe4f45004a1f11d16b
75b7d30e6f26fbb3fbac284ed75356cc874e73365764130209d4937d80a6c80d
08c0273e2bd04a047d150303d4cd05076c2d2877afa82543ce43fc8296d86a7c
dcccbb97201914164dc8bed003f14daadfa300a6206b7ce835f6c7ee8b686405
3e755ebc4b3e451616df6473cf0f804e3c0d79e06e4f7bd54f94544848961f12
d228e18c458c31492267b3167e1bde3b8702de493ea612d0ecf400835f490982
6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73
c97ea7770bdc793b6e4f5ecdd0ab4454b51475faebb2368f338f620b353a0db1
6db572b2a372da55a29c00656ffdc03d279b01a57eaf854f58441847d3915ebc
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
26b24f28b0173c020071085d65b260207d5856a8a93c1c1acce7d5cca5e8835f
101159b2df3d82639b34a56f1b72524504492b91c80543689484a6e4ead0848c
a51e73ec5bca72dcebd78f128e76fa4bcb942ee0509d9c549e721806301a3e13
5be80161a65053eed5a2e9f84fd3c28eed3b40df540614ac86b56f6c5a3a5233
c27f65a625e611d0d29febe606a4e48421b30085f1536fe18fa8d41e665ccced
240970ef6292a02db1cd7c6fec1aa55036b11a20a3bed21318a056f9063e5088
SH256 hash:
6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73
MD5 hash:
8228733874fb4ab20e6408b1a9614702
SHA1 hash:
20a733b4648841b814cf75c54b0c25115929681f
Link:
https://www.unpac.me/results/292d36c2-8a11-40a3-a0e3-27a683652df8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6097ee7a7f38/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263475/

Comments