MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13



SHA256 hash: 625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216
SHA3-384 hash: 5c657b0befc9327b02914347b5ba8ff2587c130376ad7ac21264856c4dbd7bca66ebb9ba71505db9bdf4b6c3cba133b9
SHA1 hash: 83aef750504ea05509307913c8c4dde4630188b7
MD5 hash: 29281d12f960505212f4548d18e36815
humanhash: football-early-failed-california
File name: 29281d12f960505212f4548d18e36815.exe
Signature: RemcosRAT
File size: 1'839'616 bytes
First seen: 2022-04-05 18:21:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:4cZJJ494cQmiwALCcnfq5xPg5sKqshlWtSYW7oR:4qBNmiwALrfq4hXAS17u
Threatray: 14'674 similar samples on MalwareBazaar
TLSH: T136856D6D93518C86FD80D378DDB35B61275486764D8A8307F3F25939D82BBFA6E00B22
dhash icon: cc1cf4b0d863e2c0 (1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT
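A check worth running before any analysis, given here as an added example that is not part of the MalwareBazaar page or its tooling: after obtaining the sample, recompute the hashes the entry lists and compare them together with the file size, so that you are certain the bytes on disk are the ones the verdicts and YARA matches below refer to. The cryptographic hashes are the reliable identifiers; the imphash f34d5f2d4577ed6d9ceec516c1f5a744 is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples by the entry's own counts (a .NET executable imports only mscoree.dll, so nearly every .NET binary has this imphash) and is not a useful pivot here. The script uses only the Python standard library; ssdeep, TLSH and imphash need third-party libraries and are deliberately not recomputed. The "abc" input in the usage note is constructed test data, not the sample.

```python
"""Check that a file on disk is the sample this MalwareBazaar entry describes.

Added example, not MalwareBazaar's own code. Recomputes the hashes from the
entry that hashlib can produce (MD5, SHA1, SHA256, SHA3-384) plus the size.
"""
import hashlib
import io
import sys
from typing import BinaryIO, Dict, List, Tuple

# Values copied from this entry.
ENTRY_HASHES: Dict[str, str] = {
    "md5": "29281d12f960505212f4548d18e36815",
    "sha1": "83aef750504ea05509307913c8c4dde4630188b7",
    "sha256": "625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216",
    "sha3_384": "5c657b0befc9327b02914347b5ba8ff2587c130376ad7ac21264856c4dbd7bca"
                "66ebb9ba71505db9bdf4b6c3cba133b9",
}
ENTRY_SIZE = 1_839_616  # bytes, from "File size"


def compute_hashes(stream: BinaryIO, chunk_size: int = 1 << 20) -> Tuple[Dict[str, str], int]:
    """Hash a binary stream in a single pass; returns (lowercase hex digests, byte count).

    Chunked reading keeps memory flat for large samples and memory dumps.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha3_384")}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}, size


def hash_bytes(data: bytes) -> Tuple[Dict[str, str], int]:
    """Convenience wrapper for in-memory data (e.g. a file pulled out of an archive)."""
    return compute_hashes(io.BytesIO(data))


def verify(stream: BinaryIO, expected: Dict[str, str], expected_size: int) -> List[str]:
    """Return a list of mismatch descriptions; an empty list means the file matches the entry."""
    actual, size = compute_hashes(stream)
    problems: List[str] = []
    if size != expected_size:
        problems.append(f"size: expected {expected_size}, got {size}")
    for name, want in expected.items():
        got = actual.get(name)
        if got != want.lower():
            problems.append(f"{name}: expected {want}, got {got}")
    return problems


def verify_bytes(data: bytes, expected: Dict[str, str] = ENTRY_HASHES,
                 expected_size: int = ENTRY_SIZE) -> List[str]:
    """verify() for in-memory data."""
    return verify(io.BytesIO(data), expected, expected_size)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <sample path>")
    with open(sys.argv[1], "rb") as fh:
        mismatches = verify(fh, ENTRY_HASHES, ENTRY_SIZE)
    if mismatches:
        print("MISMATCH:\n  " + "\n  ".join(mismatches))
        sys.exit(1)
    print("OK: file matches MalwareBazaar entry", ENTRY_HASHES["sha256"])
```

Run it as `python verify_sample.py <path>`; a non-zero exit means at least one hash or the size differs, and every differing field is listed so you can tell a truncated download from a different file.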

Intelligence


File Origin
Uploads: 1
Downloads: 375
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated packed update.exe
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook Remcos
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 603557; sample mCnYm0pevU.exe; start date 05/04/2022; architecture WINDOWS; score 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree:
mCnYm0pevU.exe (started)
  dropped: C:\Users\user\AppData\Local\firefox.exe (PE32)
  dropped: C:\Users\user\...\Yhesyzhilnalvckay fb.exe (PE32)
  dropped: C:\Users\user\...\firefox.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\...\mCnYm0pevU.exe.log (ASCII)
  signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; 3 other signatures
  +-- Yhesyzhilnalvckay fb.exe (started)
  |     signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  |     +-- explorer.exe (injected)
  |           +-- cmmon32.exe (started)
  |           |     signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  |           +-- firefox.exe (started)
  |           |     signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  |           |     +-- cmd.exe (started)
  |           |           +-- conhost.exe (started)
  |           |           +-- timeout.exe (started)
  |           +-- firefox.exe (started)
  |                 +-- cmd.exe (started)
  +-- mCnYm0pevU.exe (started, second instance)
  |     network: emarketinglatakva.ddns.net -> 45.134.173.174, ports 49768 -> 9794, CLOUDIE-AS-AP Cloudie Limited HK, geolocated Russian Federation
  |     signatures: Installs a global keyboard hook
  +-- cmd.exe (started)
        +-- timeout.exe (started)
        |     +-- conhost.exe (started)
        |     +-- timeout.exe (started)
        +-- conhost.exe (started)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-04-05 18:22:21 UTC
File Type: PE (.Net Exe)
Extracted files: 21
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:formbook family:remcos botnet:barcelona campaign:w83h persistence rat spyware stealer trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Formbook Payload
Formbook
Remcos
Malware Config
C2 Extraction: emarketinglatakva.ddns.net:9794
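The behaviour lists, the sandbox process tree and the extracted C2 above are enough to write host-side detection for this sample. What follows is an added example, not part of this entry or of any sandbox vendor's product: it encodes the entry's indicators as rules (the sample and unpacked-file SHA256s, the C2 host, resolved IP and port, the Run-key persistence pointing into AppData, a browser-named executable running from AppData, the cmd.exe/timeout.exe delay, and thread injection into explorer.exe from a user-writable path) and runs them over constructed Sysmon-style events modelled on the process tree. The simplified event schema, the desktop location of the sample, the directory of Yhesyzhilnalvckay fb.exe (which the report elides) and the benign Program Files events are all constructed for the example; the browser-name set deliberately goes beyond the single firefox.exe the report shows.

```python
"""Host-side detection for the indicators and behaviours in this entry.

Added example; not MalwareBazaar's or any sandbox vendor's code. The event
schema and EVENTS are constructed (simplified Sysmon-like records) and
modelled on the sandbox process tree shown on this page.
"""
import re
from collections import Counter
from typing import Dict, List

# Indicators taken from this entry.
SAMPLE_SHA256 = "625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216"
UNPACKED_SHA256 = {
    "3014bee276a0991d31f86d6994110323d95daa4e9cf163a08afc31bda8b2967d",
    "f47980488f5df76b253bbeb46e8c16d21b37322a3329ab75183d60a5e40b7b59",
    "bce3096744fb88dd1d0fc1907230ccca08f1b71b9a6640c6b11fb811c56ad8ee",
    "95284cfb2e063f252a5a25836188fb2fbcd7f9ef7e972832fe8c2af150011281",
    "184d8721f8fd9a1152be3dfdb14abf294e24e811164d797db819e66e72a30bdb",
}
KNOWN_SHA256 = UNPACKED_SHA256 | {SAMPLE_SHA256}
C2_DOMAIN = "emarketinglatakva.ddns.net"
C2_PORT = 9794
C2_IP = "45.134.173.174"           # address the sandbox resolved the domain to
DYNDNS_SUFFIXES = (".ddns.net",)   # "Uses dynamic DNS services"
# firefox.exe is what this sample dropped; the other names are added for generality.
BROWSER_NAMES = {"firefox.exe", "chrome.exe", "msedge.exe"}
INJECTION_TARGETS = {"explorer.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)

Event = Dict[str, object]


def basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


# Constructed telemetry modelled on the sandbox process tree (not real logs).
SAMPLE = r"C:\Users\user\Desktop\mCnYm0pevU.exe"                       # location constructed
DROPPED = r"C:\Users\user\AppData\Local\firefox.exe"                     # path from the report
INJECTOR = r"C:\Users\user\AppData\Roaming\Yhesyzhilnalvckay fb.exe"    # directory constructed
EVENTS: List[Event] = [
    {"type": "process_create", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "file_create", "image": SAMPLE, "target": DROPPED},
    {"type": "registry_set", "image": SAMPLE,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\firefox",
     "details": DROPPED},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": SAMPLE},
    {"type": "process_create", "image": r"C:\Windows\System32\timeout.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "image": INJECTOR, "parent_image": SAMPLE},
    {"type": "remote_thread", "source_image": INJECTOR, "target_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": DROPPED, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "image": SAMPLE, "query": C2_DOMAIN},
    {"type": "network_connect", "image": SAMPLE, "dst_ip": C2_IP, "dst_port": C2_PORT},
    # Benign activity that must not fire: the real browser installed under Program Files.
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.mozilla.org"},
]


def run_detections(events: List[Event]) -> List[Dict[str, object]]:
    """Apply every rule to every event; one finding per rule hit."""
    findings: List[Dict[str, object]] = []

    def hit(rule: str, severity: str, ev: Event) -> None:
        findings.append({"rule": rule, "severity": severity, "event": ev})

    for ev in events:
        t = ev["type"]
        image = str(ev.get("image", ""))
        if t in ("process_create", "file_create") and ev.get("sha256") in KNOWN_SHA256:
            hit("known_hash", "high", ev)
        if t == "dns_query":
            q = str(ev["query"]).lower()
            if q == C2_DOMAIN:
                hit("c2_domain", "high", ev)
            elif q.endswith(DYNDNS_SUFFIXES):          # weaker signal: any dynamic-DNS lookup
                hit("dynamic_dns", "low", ev)
        if t == "network_connect" and ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT:
            hit("c2_connect", "high", ev)
        if (t == "registry_set" and RUN_KEY_RE.search(str(ev["target"]))
                and USER_WRITABLE_RE.match(str(ev.get("details", "")))):
            hit("run_key_appdata", "medium", ev)       # persistence pointing into AppData
        if t == "process_create" and USER_WRITABLE_RE.match(image) and basename(image) in BROWSER_NAMES:
            hit("browser_name_in_appdata", "medium", ev)
        if (t == "remote_thread" and basename(ev["target_image"]) in INJECTION_TARGETS
                and USER_WRITABLE_RE.match(str(ev["source_image"]))):
            hit("injection_into_explorer", "high", ev)
        if (t == "process_create" and basename(image) == "timeout.exe"
                and basename(ev.get("parent_image", "")) == "cmd.exe"):
            hit("timeout_delay", "low", ev)            # "Delays execution with timeout.exe"
    return findings


def severity_counts(findings: List[Dict[str, object]]) -> Dict[str, int]:
    return dict(Counter(str(f["severity"]) for f in findings))


if __name__ == "__main__":
    results = run_detections(EVENTS)
    for f in results:
        ev = f["event"]
        print(f'{f["severity"]:6} {f["rule"]:24} {ev["type"]:15} {ev.get("image", ev.get("source_image"))}')
    print(severity_counts(results))
```

The hash and C2 rules are exact-match and age quickly; the behavioural rules (Run key into AppData, browser name running from AppData, injection into explorer.exe from a user-writable path) survive a rebuilt sample, which is why they carry their own severities rather than being folded into a single score.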
Unpacked files
SHA256 hash: 3014bee276a0991d31f86d6994110323d95daa4e9cf163a08afc31bda8b2967d
MD5 hash: b5be117cbd635b121b97f6d366d9eaee
SHA1 hash: 2ec1cc7437647da3ed400b7e7ea62ac9133de192

SHA256 hash: f47980488f5df76b253bbeb46e8c16d21b37322a3329ab75183d60a5e40b7b59
MD5 hash: 1f8331e3aebb7a5bf56e001321233b44
SHA1 hash: 1a52f91c019456db461f4eb3bcf58d2af2d95d23

SHA256 hash: bce3096744fb88dd1d0fc1907230ccca08f1b71b9a6640c6b11fb811c56ad8ee
MD5 hash: da242d39a2894332d8f67b41633898ff
SHA1 hash: 08fd1e3e80ba80b8f57824f64a63bc45d94030c0

SHA256 hash: 95284cfb2e063f252a5a25836188fb2fbcd7f9ef7e972832fe8c2af150011281
MD5 hash: 6307b661467355f1fdcf099df7ae8c6a
SHA1 hash: 02d48bff127c2de2981e5e44ad3ad09d09ee07ea

SHA256 hash: 184d8721f8fd9a1152be3dfdb14abf294e24e811164d797db819e66e72a30bdb
MD5 hash: bf21047f4ca49789efd5169a4b92b63a
SHA1 hash: b1c11c9d29e3a8f03a67b0e70512a7b714f2b5b2
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216 (this sample)
MD5 hash: 29281d12f960505212f4548d18e36815
SHA1 hash: 83aef750504ea05509307913c8c4dde4630188b7
Malware family: FormBook
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: Detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: pe_imphash

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RemcosRAT
File type: Executable exe
SHA256 hash: 625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216 (this sample)

Comments