MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f2111247977f79b9772ee487e9e96ee536b8dc901c27af2b2f309fc0f66f6c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 6f2111247977f79b9772ee487e9e96ee536b8dc901c27af2b2f309fc0f66f6c2
SHA3-384 hash: cff86a55dd6082255e4a990c2419a3c49dd4019026edc24fc507e8150e504490e283d685174c402ca7e6c76b28076e2d
SHA1 hash: 4008620c17beabb86265b9f44eea57141f629c4a
MD5 hash: ac0d3ae2b09c7632f38077794e4358a4
humanhash: bluebird-tennessee-earth-utah
File name: SOA AUG 2021.exe
Signature: RemcosRAT
File size: 922'112 bytes
First seen: 2021-09-22 16:23:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 12288:Q7/5YK3q4D9A9CXNr9lqT1elXQgPSZ4vAmV3qAYDNQ:I+x4UYNr9lqT1eGgPS2vAmdqdD
Threatray: 624 similar samples on MalwareBazaar
TLSH: T1B7157A394D2682F747EEC66CD08C1BCEDEA6A4837B919F1AC496D7D2025B70FE48845C
Reporter: GovCERT_CH
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 200
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SOA AUG 2021.exe
Verdict: Malicious activity
Analysis date: 2021-09-22 16:27:25 UTC
Tags: rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID: 488218; Sample: SOA AUG 2021.exe; Startdate: 22/09/2021; Architecture: WINDOWS; Score: 100):
Sample node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 12 other signatures
Process SOA AUG 2021.exe (started): dropped C:\Users\user\AppData\Roaming\RVrYUBZaF.exe (PE32), C:\Users\user\AppData\Local\...\tmp8EA4.tmp (XML), C:\Users\user\...\SOA AUG 2021.exe.log (ASCII); signature: Injects a PE file into a foreign processes
  Child process SOA AUG 2021.exe (started): network contact 172.111.234.11, ports 2404 and 8080 (SOFTLAYERUS, United States); signature: Installs a global keyboard hook; starts conhost.exe
  Child process schtasks.exe (started): starts conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-22 15:55:01 UTC
AV detection: 19 of 45 (42.22%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos rat upx
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
UPX packed file
Remcos
Unpacked files
SHA256 hash: c00e08467721d3d6b95f281200b1841263d0eb06253d057a8c3d3203ea52b05d
MD5 hash: cac3b69ca3c5f104603af11568395bb8
SHA1 hash: a2def7b4ef93d9c671bad7c607515fff1eff3130
Detections: win_remcos_g0

SHA256 hash: e4194daef91e4b721f546922f57678b1a76ae5a833de77412f37bc6d9c0737df
MD5 hash: 2720b4dabeda40671856bbcdfae94bff
SHA1 hash: 86be396851ff756bd3fb95297dee37991afbb00f

SHA256 hash: 43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash: f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash: 6a74e87711c615adbd9145f829a33f55b7e42dd6

SHA256 hash: 6f2111247977f79b9772ee487e9e96ee536b8dc901c27af2b2f309fc0f66f6c2
MD5 hash: ac0d3ae2b09c7632f38077794e4358a4
SHA1 hash: 4008620c17beabb86265b9f44eea57141f629c4a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe 6f2111247977f79b9772ee487e9e96ee536b8dc901c27af2b2f309fc0f66f6c2 (this sample)
Dropped by: RemcosRAT
Delivery method: Distributed via e-mail attachment
