MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 17

SHA256 hash: 64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47
SHA3-384 hash: 19c763a22f7d915b49ed57bda78509747c6c0b41f1f10eb3f1f6b4c117b9a7f7f2b62180ead0c5f06070ef4b29f12046
SHA1 hash: a0782ba13181392cfe49df80a09578d6a70a1a74
MD5 hash: ddc2a9da83a777cb565b4b500d5c7609
humanhash: four-cola-emma-april
File name: ddc2a9da83a777cb565b4b500d5c7609.exe
Signature: RemcosRAT
File size: 3'118'592 bytes
First seen: 2023-03-09 06:05:29 UTC
Last seen: 2023-03-09 07:31:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:ONcQx2AZUrrrLrLmrrrvrrtrRrrrrrrrHrRYJrrriUQrYwrrjM5trA5OLt4L1GMr:ONTRZUrrrLrLmrrrvrrtrRrrrrrrrHr+
Threatray: 1'033 similar samples on MalwareBazaar
TLSH: T109E59EB1EA93FD95C79E0B35C1DE14800F689A4B5256C30DB8CC123AA9D3765DEC92F2
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 7832f079696969f0 (1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
80.66.75.51:2290

Intelligence

File Origin
# of uploads: 2
# of downloads: 266
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: ddc2a9da83a777cb565b4b500d5c7609.exe
Verdict: Malicious activity
Analysis date: 2023-03-09 06:08:07 UTC
Tags: rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 822922; rendered graph not preserved, recoverable nodes listed below):
  Sample: 5Q9scsPwLV.exe, start date 09/03/2023, architecture WINDOWS, score 100
  Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures
  Process tree: 5Q9scsPwLV.exe -> 5Q9scsPwLV.exe, powershell.exe (-> conhost.exe), 5Q9scsPwLV.exe; Mpybzmyqp.exe -> powershell.exe (-> conhost.exe), Mpybzmyqp.exe, Mpybzmyqp.exe; Mpybzmyqp.exe -> powershell.exe (-> conhost.exe), Mpybzmyqp.exe
  Files dropped by 5Q9scsPwLV.exe: C:\Users\user\AppData\...\Mpybzmyqp.exe (PE32); C:\Users\...\Mpybzmyqp.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\5Q9scsPwLV.exe.log (ASCII)
  Process-level signatures: Encrypted powershell cmdline option found; Injects a PE file into a foreign processes (5Q9scsPwLV.exe); Multi AV Scanner detection for dropped file (Mpybzmyqp.exe)
  Network (from the injected 5Q9scsPwLV.exe child): 80.66.75.51 port 2290 (RISS-ASRU, Russian Federation); geoplugin.net 178.237.33.50 port 80 (ATOM86-ASATOM86NL, Netherlands)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-03-05 03:13:00 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 22 of 39 (56.41%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
UPX packed file
Remcos
Malware Config
C2 Extraction: 80.66.75.51:2290
Unpacked files
SHA256 hash: ffb339749fded934c0f54794bc1bddddbd76c11a404ebb968e9b2d28873aa156
MD5 hash: 2677b8022e9fd3c18334dd672e16f457
SHA1 hash: 06aabca8390dc928150fd01e951ae249645ab4e8
Detections: win_remcos_auto

SHA256 hash: 5ff38aaab3234212d418717c795c6e1547334e129322a825b207617022d5459b
MD5 hash: b5a5f93adf0a4bdd5ed01773efecd7a3
SHA1 hash: 6a1f7e8bb10a3e6c81ed025e8c2707732bc8d4eb

SHA256 hash: 4c8599bd80cbf72bcd3f8b7dbc96224185b09b52eafec86d47590589939eb42b
MD5 hash: 9e73a919046ecf6cb01850be77b0f6c6
SHA1 hash: 20660397a148ab1ac88afc1f4e1a03f1861782f7

SHA256 hash: 64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47
MD5 hash: ddc2a9da83a777cb565b4b500d5c7609
SHA1 hash: a0782ba13181392cfe49df80a09578d6a70a1a74
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload

Rule name: REMCOS_RAT_variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments