MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a327504361bd864a42e057da4bd562e38ae30f79ac3daabcb0082bd2b7e9b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a327504361bd864a42e057da4bd562e38ae30f79ac3daabcb0082bd2b7e9b4f
SHA3-384 hash: 9decdd12a78718d9ff544eb2d116cd1e9aef0bcc276f7d93cf6a19475fd8ceec93a57c37938c52e991cef5f6f8b97474
SHA1 hash: fc339c5c4376f8ee5100a61605897786d578dff2
MD5 hash: 77f481a4d952080e2d475f1fbf578a20
humanhash: red-moon-lima-lake
File name:77f481a4d952080e2d475f1fbf578a20.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:659'968 bytes
First seen:2022-10-01 07:41:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:zBCbpQcfUfKGitJdoDn9ySTD9zRoXaX5hs5vfQidfwF9aeYUooMvsajJDM:gdQ4OHUJMwSTpzRXJC5vIqwHaeYToin
Threatray 2'848 similar samples on MalwareBazaar
TLSH T117E4CF370BEA8B0BD014B67885D0D2B6A3ADDD11F167C2D76BCA9C1FF08A465DB61360
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315431/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching a process
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6337ef4c5c60ccc9fcfea3da/reports/510da13e-c671-4ff6-b908-a4ae861eea2a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7eb186f-c232-4123-88d9-a5642f27b3e2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081408
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 713963 Sample: N8p6FolVW4.exe Startdate: 01/10/2022 Architecture: WINDOWS Score: 100 66 arttronova23.duckdns.org 2->66 80 Multi AV Scanner detection for domain / URL 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 10 other signatures 2->86 12 N8p6FolVW4.exe 3 2->12         started        15 Microsoft Security Start.exe 2 2->15         started        signatures3 process4 file5 64 C:\Users\user\AppData\...648p6FolVW4.exe.log, ASCII 12->64 dropped 18 N8p6FolVW4.exe 1 5 12->18         started        102 Drops executables to the windows directory (C:\Windows) and starts them 15->102 22 Microsoft Security Start.exe 3 15->22         started        signatures6 process7 dnsIp8 60 C:\Windows\...\Microsoft Security Start.exe, PE32 18->60 dropped 62 Microsoft Security...exe:Zone.Identifier, ASCII 18->62 dropped 88 Creates an autostart registry key pointing to binary in C:\Windows 18->88 25 cmd.exe 1 18->25         started        28 cmd.exe 1 18->28         started        70 arttronova23.duckdns.org 91.192.100.38, 4045, 49710, 49711 AS-SOFTPLUSCH Switzerland 22->70 90 Installs a global keyboard hook 22->90 30 cmd.exe 22->30         started        file9 signatures10 process11 signatures12 96 Uses ping.exe to sleep 25->96 32 Microsoft Security Start.exe 3 25->32         started        34 PING.EXE 1 25->34         started        37 conhost.exe 25->37         started        98 Uses cmd line tools excessively to alter registry or file data 28->98 100 Uses ping.exe to check the status of other devices and networks 28->100 39 reg.exe 1 28->39         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started        46 reg.exe 1 30->46         started        process13 dnsIp14 48 Microsoft Security Start.exe 2 1 32->48         started        68 127.0.0.1 unknown unknown 34->68 94 Disables UAC (registry) 39->94 signatures15 process16 signatures17 72 Detected Remcos RAT 48->72 74 Writes to foreign memory regions 48->74 76 Allocates memory in foreign processes 48->76 78 Injects a PE file into a foreign processes 48->78 51 cmd.exe 48->51         started        54 iexplore.exe 48->54         started        process18 signatures19 92 Uses cmd line tools excessively to alter registry or file data 51->92 56 conhost.exe 51->56         started        58 reg.exe 1 51->58         started        process20
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6a327504361bd864a42e057da4bd562e38ae30f79ac3daabcb0082bd2b7e9b4f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-30 21:01:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nizhkbbwdpmgjjboav62jpkwfy4k4mhxtlb5vk6lacbl2k36tnhq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2435aff7e691f28e5b1e98780fde77e2d690f088f0205f69a648c7eaa55ef076
RemcosRAT
43ecf48abd7270d67f21bc933f9e9f7b830727a72b3287882767da9efa1758c8
RemcosRAT
44ce30b3b4431308b5f14e2a6647841aa2a5e862793081836e2f7c7c2da3029c
RemcosRAT
5a480784ad22ec95046f7b80a14d3e9d9b476826b4d45ee1d8f51fa670dd07d1
RemcosRAT
7c3438a76874fe406655fed423d72b8a194ad461213b414a97b4927211929d1a
RemcosRAT
a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c
RemcosRAT
b81b2885828a95d83e21c5e30ada433fc502c76e469229136a588dc21f047ec8
RemcosRAT
e3d805e701266e0b8b17d850419bdfa89045096e8e1dc7ea0295ff843be281db
RemcosRAT
e94981ca0da699cd4c54ceae54a7f713ca999003aa5fd023aa8fa94707877f6e
RemcosRAT
ebb443f00afcb7b69099209821b747076d16ec48c76c13100c9e15da7ed2beda
RemcosRAT
+ 2'838 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:27th sept brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/221001-jjpk1agfhn/
Behaviour
Enumerates system info in registry
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
arttronova23.duckdns.org:4045
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e84cbe4-66cd-4df5-acb0-65f9d1d2bfc1
Unpacked files
SH256 hash:
9c16a6477f9fd5c43d8f62ed833d4e3fa782d067ae03eba076d2a012357106b2
MD5 hash:
90ad0635a82247369022d2d107e2e8d7
SHA1 hash:
79784012e3b71deddf5eacbaef44c55785c72ae4
Link:
https://www.unpac.me/results/4a824569-ce10-42ff-8211-c00a64fcfbc0/
SH256 hash:
8251c060e910d912cd599821bba1cda1d4e97260e05a4a10f8cbf043040ac739
MD5 hash:
d1089790c54c8740fa626764548b9b87
SHA1 hash:
54708cb2fc17ab12b8aab109b17167f9241287d8
Link:
https://www.unpac.me/results/4a824569-ce10-42ff-8211-c00a64fcfbc0/
SH256 hash:
8653828abd039815a20268d12e9f9dfe7d75c5d664ff3f78872287dbeea980bd
MD5 hash:
4b12b41f04b846a11d49942fd8e9f2f9
SHA1 hash:
15af503bfaf43f6520d4674478b2a53d9a9bdddf
Detections:
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/4a824569-ce10-42ff-8211-c00a64fcfbc0/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/4a824569-ce10-42ff-8211-c00a64fcfbc0/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/4a824569-ce10-42ff-8211-c00a64fcfbc0/
SH256 hash:
6a327504361bd864a42e057da4bd562e38ae30f79ac3daabcb0082bd2b7e9b4f
MD5 hash:
77f481a4d952080e2d475f1fbf578a20
SHA1 hash:
fc339c5c4376f8ee5100a61605897786d578dff2
Link:
https://www.unpac.me/results/4a824569-ce10-42ff-8211-c00a64fcfbc0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a327504361b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a327504361bd864a42e057da4bd562e38ae30f79ac3daabcb0082bd2b7e9b4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6a327504361bd864a42e057da4bd562e38ae30f79ac3daabcb0082bd2b7e9b4f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2272201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/315431/

Comments