MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42
SHA3-384 hash: 3137b7beb0e0ab54bd495a046417a08d01f292c240a58685028e1a825e7de1c69adfc21d91ffbd92b8d6beff43f61c38
SHA1 hash: d15a57165f9077c13b45bcaa7e7ab666f1b374ee
MD5 hash: 2efec95a8b2e9b2ca6b1084d75cdaea4
humanhash: neptune-twelve-table-lake
File name:parking list details.pdf..exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'286'832 bytes
First seen:2022-03-14 14:11:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Y/1JxUhwJUj3HuSQd26W0Vm79q/eSi7Xz/4mRil0HavRIn:2lJUjQYf0k79MeSi7XT7RjH2W
Threatray 2'856 similar samples on MalwareBazaar
TLSH T1FD55E1E1FF0CC67EDC00613AD4EC44301EB55B8D2429BF5A61AD219D0A77ACF19A6D2E
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.31.98.58:2405

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.31.98.58:2405 https://threatfox.abuse.ch/ioc/395086/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250225/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622f4d36dfdfa8501c9e469e/reports/57d5b18a-1f62-4230-8f54-293a2732f49b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/333ec473-dd9b-4256-9d39-654e466c7846
Result
Threat name:
AsyncRAT Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956171
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 588658 Sample: parking list details.pdf..exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 80 part-0032.t-0009.fb-t-msedge.net 2->80 82 part-0017.t-0009.fb-t-msedge.net 2->82 84 5 other IPs or domains 2->84 110 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 Antivirus / Scanner detection for submitted sample 2->114 116 21 other signatures 2->116 10 parking list details.pdf..exe 7 2->10         started        signatures3 process4 file5 72 C:\Users\user\AppData\...\fKJdEoVFchoRK.exe, PE32 10->72 dropped 74 C:\Users\user\AppData\Local\Temp\tmp5CA.tmp, XML 10->74 dropped 76 C:\...\parking list details.pdf..exe.log, ASCII 10->76 dropped 126 Adds a directory exclusion to Windows Defender 10->126 14 parking list details.pdf..exe 3 5 10->14         started        19 powershell.exe 25 10->19         started        21 schtasks.exe 1 10->21         started        signatures6 process7 dnsIp8 100 primetoolz.duckdns.org 194.31.98.58, 2404, 2405, 49768 BURSABILTR Netherlands 14->100 78 C:\Users\user\AppData\Roaming\dwn.exe, PE32 14->78 dropped 102 Writes to foreign memory regions 14->102 104 Allocates memory in foreign processes 14->104 106 Installs a global keyboard hook 14->106 108 Injects a PE file into a foreign processes 14->108 23 dwn.exe 14->23         started        27 parking list details.pdf..exe 14->27         started        29 svchost.exe 12 14->29         started        35 6 other processes 14->35 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        file9 signatures10 process11 file12 70 C:\Users\user\AppData\Roaming\Adobe.exe, PE32 23->70 dropped 120 Multi AV Scanner detection for dropped file 23->120 37 cmd.exe 23->37         started        39 cmd.exe 23->39         started        122 Tries to steal Instant Messenger accounts or passwords 27->122 124 Tries to steal Mail credentials (via file / registry access) 27->124 41 chrome.exe 29->41         started        44 chrome.exe 29->44         started        46 chrome.exe 35->46         started        48 conhost.exe 35->48         started        50 chrome.exe 35->50         started        signatures13 process14 dnsIp15 52 Adobe.exe 37->52         started        56 conhost.exe 37->56         started        58 timeout.exe 37->58         started        60 conhost.exe 39->60         started        62 schtasks.exe 39->62         started        94 192.168.2.3, 137, 138, 2404 unknown unknown 41->94 96 192.168.2.1 unknown unknown 41->96 98 2 other IPs or domains 41->98 64 chrome.exe 41->64         started        66 chrome.exe 44->66         started        68 chrome.exe 46->68         started        process16 dnsIp17 86 primetoolz.duckdns.org 52->86 118 Multi AV Scanner detection for dropped file 52->118 88 part-0017.t-0009.fb-t-msedge.net 13.107.253.45, 443, 49788, 49967 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 64->88 90 part-0032.t-0009.fb-t-msedge.net 13.107.253.60, 443, 49789, 49799 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 64->90 92 13 other IPs or domains 64->92 signatures18
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 14:12:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2qwzmopjdt6v3cyu3zkuiqrtm3vhlp7o6bnltuwfav2thtp7jba._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
remcos
Create hunting rule
Similar samples:
09b75cdc3edcad3cc8b1729683a1132506e851c9d7a1d864fc842284822d1ba5
RemcosRAT
3d80ce9c358e80b99744631236e2ed9b598d4cec9951f937f23b0d308da9487e
RemcosRAT
4d1cfc06d50c33a02572d8d32f34c277bb89bad8d2932c4e0549409d98d5ddda
RemcosRAT
5c11002af13588619d7183c6cca0855bdb7b57fc980b9ac9478c6316e8a5f94d
RemcosRAT
775c620223eba329bb771afc6e18b58a01c646bde0e72776854f5d670e131764
RemcosRAT
88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9
RemcosRAT
a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39
RemcosRAT
c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
RemcosRAT
d1ececa600d9b37a14dbdee36b5cd58a20932bf976cab21c461c42b96e79f196
RemcosRAT
fa7229938d7109be9b5947f67058cb3cab1d366ababae65b83786b80584a160a
RemcosRAT
+ 2'846 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:remcos botnet:default botnet:remotehost collection persistence rat spyware stealer
Link:
https://tria.ge/reports/220314-rhvdvsgch3/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
.NET Reactor proctector
Async RAT payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
AsyncRat
Remcos
Malware Config
C2 Extraction:
primetoolz.duckdns.org:2404
primetoolz.duckdns.org:2405
Unpacked files
SH256 hash:
996635db23a42050186706e53ffa0d51d14b32398b97a42d15d9836c41b316fb
MD5 hash:
3752e84f7317c73423ee056f3adb02e9
SHA1 hash:
fdf0584805309fc64f573dc25f1d6a94e48a26bc
Link:
https://www.unpac.me/results/3b5bce8c-3507-4e59-82e5-236db00d4f7f/
SH256 hash:
5e83a4107df4578ffdfcf101845cbb157dff3fff5a806c5dace678bb6add6e77
MD5 hash:
02879390ab1e28b008b3e27dde8680fd
SHA1 hash:
da84ad0f5fb62c6b890f3aaa60c645b60b3239fd
Link:
https://www.unpac.me/results/3b5bce8c-3507-4e59-82e5-236db00d4f7f/
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/3b5bce8c-3507-4e59-82e5-236db00d4f7f/
SH256 hash:
e3f773aeecd0175f8fced3179dc01ef341fddf2ee8479eb465edb76280a63e63
MD5 hash:
0f596946a2d351be7d8ed68d98fac665
SHA1 hash:
3353fb60d79c99553003418fef82e1ee811a226a
Link:
https://www.unpac.me/results/3b5bce8c-3507-4e59-82e5-236db00d4f7f/
SH256 hash:
6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42
MD5 hash:
2efec95a8b2e9b2ca6b1084d75cdaea4
SHA1 hash:
d15a57165f9077c13b45bcaa7e7ab666f1b374ee
Link:
https://www.unpac.me/results/3b5bce8c-3507-4e59-82e5-236db00d4f7f/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6ea16cb1cf48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250225/

Comments