MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
SHA3-384 hash:	4737fd86a2c91599761c67100d961798bc8c0f77db9bd8a9d638d635ab0d06c9ff491db37e0450f7467bc0b10ae78879
SHA1 hash:	9dd25e5caa3d591537f519f6a9d0c76e1202451f
MD5 hash:	01e485104be49a9f059e6b591273bcd1
humanhash:	beer-shade-alaska-football
File name:	01e485104be49a9f059e6b591273bcd1
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'078'272 bytes
First seen:	2022-07-05 14:22:01 UTC
Last seen:	2022-07-05 16:33:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:P4Jd1feus9NhJ252RwEX/hUoN0ai/+nxrZiZ/3sBO:P4rhDqJU2eaOoN0aZ/i5sB
Threatray	461 similar samples on MalwareBazaar
TLSH	T1CF353312420A1379F33FC5B8916ECB49C7D5AA67074A1A6B507623ED0E704C3CEF2DA9
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	eaa98b5c243d8ab6 (4 x AZORult, 3 x RemcosRAT, 2 x XFilesStealer)
Reporter	zbetcheckin
Tags:	32 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.12001.6896.16265.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Launching a process

Creating a file

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

DNS request

Sending a custom TCP request

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Changing a file

Running batch commands

Unauthorized injection to a recently created process

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

fingerprint packed stealer vidar

Link:

https://www.filescan.io/uploads/62c4494911764e36f8172069/reports/7c7e2331-56ad-436e-b10a-b8621b5313a6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/14e6abf7-1f72-4a9a-a0d4-1e3fdcb6e462

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1024888

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-06-25 14:58:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ncd5hvgvxkqtkqmmemczcxcwwrejmdidyqt7nrr4imcglxnkmvdq._file

Verdict:

malicious

Label(s):

azorult

remcos

RemcosRAT

697efd2047357081f70b698da5a259ab714a4827e440815b8e835d2decb5008a

RemcosRAT

923a5b3b1edf8a0f3d67e4637f16e1df38ce33716ccd6fcfb0854de72343522b

RemcosRAT

9989eb35d1fd25b884bd2994f7abd5c855c97b80a1a22b9dfca837f9db278e50

RemcosRAT

bee5f76f3cc9bf2ae2a71a4136d7b3d110e43cef60bb253a3a7301b3f58e5d9f

RemcosRAT

c7229a4bd75fb6d9169fc447cd50092a1c2bfd6787022d0dbac7b50a975cab8e

RemcosRAT

da447849ebea6a9648bf29e1b1fb5f22b9be881ded2a548357758337c0c42074

RemcosRAT

e184f759aa550bfbc5bd7edb8f59f9068ca0c5df436c49441ed27e91a2e033da

RemcosRAT

+ 451 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:arkei family:azorult family:raccoon family:remcos botnet:06192022 botnet:5f3e2ed386ddeccffbb4e34c56fc2efd botnet:default infostealer persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220705-rpj7gaaafn/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

Arkei

Azorult

Raccoon

Remcos

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

suricata: ET MALWARE Generic Stealer Config Download Request

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15

suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

Malware Config

C2 Extraction:

http://193.106.191.146/
http://185.215.113.89/
http://195.245.112.115/index.php
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968

Unpacked files

SH256 hash:

6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547

MD5 hash:

01e485104be49a9f059e6b591273bcd1

SHA1 hash:

9dd25e5caa3d591537f519f6a9d0c76e1202451f

Link:

https://www.unpac.me/results/df264a70-a3cd-4d49-bf49-e644c878426e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.