MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64d9ad7fa453939964d045971555233437f87c747989ff1d41f28b60258a4b97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: 64d9ad7fa453939964d045971555233437f87c747989ff1d41f28b60258a4b97
SHA3-384 hash: de123858dc5fb3f7aef60a19ea6f403d7e902f9c61f31e303407699d188b051a5276f4f5ad6e2ce9341cf75fd0f3b9b4
SHA1 hash: e0eaab5c02fd128b3eaf877f7cca627ab69fc75f
MD5 hash: 9dc730ada2150bb542e6b18f4a86c065
humanhash: montana-delaware-stream-comet
File name: 9dc730ada2150bb542e6b18f4a86c065.exe
Signature: RemcosRAT
File size: 688'128 bytes
First seen: 2021-06-24 15:38:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:l9xAA5I0hMVv4X01h2VEno5aJUgFnMVyr7Nb+RYtEibEglM3KIbnT8b8:HxNZMVv2m2VEnoo/nM4rpnaglcKKX
Threatray: 901 similar samples on MalwareBazaar
TLSH: ACE4021866FE6329D1BBCFF90AE02545C7BBB4632117E48D0C9221CB2563F41DD91ABB
Reporter: abuse_ch
Tags: exe RAT RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9dc730ada2150bb542e6b18f4a86c065.exe
Verdict: Malicious activity
Analysis date: 2021-06-24 15:42:04 UTC
Tags: rat remcos stealer keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: graph rendering not reproduced (Behavior Graph ID 440005; sample OQgRyt6hCF.exe; start date 24/06/2021; architecture WINDOWS; score 100)
Threat name: ByteCode-MSIL.Packed.Generic
Status: Suspicious
First seen: 2021-06-24 14:23:52 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 13 of 28 (46.43%)
Threat level: 1/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:chrome persistence rat spyware stealer
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
fieldsdegreenf.duckdns.org:6553
aaeeerbbbeee.duckdns.org:6553
sdegreenfieldsdeeenf.duckdns.org:6553
Unpacked files
SHA256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
SHA256 hash:
10154044d04566a19e4ac8af38a838cd71fdc5d0f9492c41286a93afebcbb67d
MD5 hash:
0cca63d806f3d2e51f9bc1f96d6ac547
SHA1 hash:
b653755c54acbd17684ceaa96aadd4377ef916f3
SHA256 hash:
64fd550196cfbf8f9854eb62b65e0f5ee3cc6319bd4f01f846e807239a1e250b
MD5 hash:
ce4ac3931a40013266cda2a02d011c61
SHA1 hash:
c1d78d27f8d6fcfb680d6fed61373da11b935d41
Detections:
win_remcos_g0
SHA256 hash:
64d9ad7fa453939964d045971555233437f87c747989ff1d41f28b60258a4b97
MD5 hash:
9dc730ada2150bb542e6b18f4a86c065
SHA1 hash:
e0eaab5c02fd128b3eaf877f7cca627ab69fc75f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: RemcosRAT
File type: Executable exe
SHA256: 64d9ad7fa453939964d045971555233437f87c747989ff1d41f28b60258a4b97 (this sample)

Comments