MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 16



SHA256 hash: 6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a
SHA3-384 hash: 57cd4264ea6b22f8d1c2fac3e3b38924549c3f0ad0324a9c1afbf932c80650c425a22540cda8be9db944c3a2c63cbc87
SHA1 hash: 9b9b57d22370bb5c04c31360daeec550ad6f4430
MD5 hash: 43da6da02ab057b4b4b100c727b3fc69
humanhash: yankee-tennis-fourteen-alpha
File name: 43da6da02ab057b4b4b100c727b3fc69
Signature: RemcosRAT
File size: 1'895'310 bytes
First seen: 2023-05-04 04:04:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep: 49152:LBF4fConfgEO/xmkAdTojvMwtzKCA7aPWU:1OaonfgEbujUwtz3A7aOU
Threatray: 2'378 similar samples on MalwareBazaar
TLSH: T131952302FDC184B2D0620D76453A6F22AA3D7F702FA5B9CF23D8771986716C1EA31766
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 7cf0a49c94988894 (8 x SnakeKeylogger, 5 x RemcosRAT, 2 x XWorm)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 254
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: https://newk1.shop/zzyDAObA/hulkbanks.hta
Verdict: Malicious activity
Analysis date: 2023-04-30 16:20:45 UTC
Tags: rat remcos keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Launching a process
Creating a process from a recently created file
Creating a file in the %temp% directory
Setting a keyboard event handler
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm autoit greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 858745; sample PQ0rcuuWCE.exe; start date 04/05/2023; architecture WINDOWS; score 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree (node numbers as shown in the graph):
  8  PQ0rcuuWCE.exe
       dropped: C:\eegv\eepvjjf.pif (PE32)
       signatures: Drops PE files with a suspicious file extension; Starts an encoded Visual Basic Script (VBE)
       18  wscript.exe
             26  eepvjjf.pif
                   dropped: C:\Users\user\AppData\Local\...\RegSvcs.exe (PE32)
                   signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                   30  RegSvcs.exe
                         network: report1.duckdns.org 185.16.38.253, ports 3380, 49696, PL-SKYTECH-ASPL, Poland
                         network: geoplugin.net 178.237.33.50, ports 49697, 80, ATOM86-ASATOM86NL, Netherlands
                         dropped: C:\ProgramData\remcos\logs.dat (data)
                         signatures: Installs a global keyboard hook
  12  eepvjjf.pif
       signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
       20  RegSvcs.exe
  14  eepvjjf.pif
       22  RegSvcs.exe
  16  eepvjjf.pif
       24  RegSvcs.exe
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2023-04-28 12:27:16 UTC
File Type: PE (Exe)
Extracted files: 567
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:dream persistence rat
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction: report1.duckdns.org:3380
Unpacked files

SHA256 hash: 5c82af9d2842b5934af6e04c6c41a42241bfe45c6a007a4cc5c223aeccec1fe3
MD5 hash: b5c4926257d8ce5d4a26bdda78687cf9
SHA1 hash: e0620ba7dfb2d7f40744891552f2b5fe7a7b9bb7

SHA256 hash: 9ed00adc50cc25eebdd572952f34ad65887531fb11737c996ba24cc940448109
MD5 hash: 64dffac8f07c6b5389aa6c935be624f9
SHA1 hash: 54c5248797ccb4633634ab493d3dadd640a1e4cd
Detections: Remcos

SHA256 hash: 6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a
MD5 hash: 43da6da02ab057b4b4b100c727b3fc69
SHA1 hash: 9b9b57d22370bb5c04c31360daeec550ad6f4430
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT
Executable exe 6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2023-05-04 04:04:16 UTC

url : hxxps://newk1.shop/pPKcBMeH/Halkbank.exe