MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817
SHA3-384 hash: 671c481f0b7555528bf083e23379c2263706622b757db0b2ff13f21da52c2fe4c13e4390567cbacd58e0d0947aeb1313
SHA1 hash: ae4f5f50f98ba3aa77f891ae6a691869e51dc7e5
MD5 hash: 2562ad2e3b7633531bafa6737c6c245b
humanhash: india-charlie-orange-berlin
File name:2562AD2E3B7633531BAFA6737C6C245B.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:541'184 bytes
First seen:2024-03-18 04:15:15 UTC
Last seen:2024-03-18 06:20:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bvu8+/mPTjv4dvLLy6gLPTznyl8PzBJZdR2hhTpjKsPLPPPPPPSPPP:K8++PT7EvXy6gLPfu87BGRVPLPPPPPPK
Threatray 3'664 similar samples on MalwareBazaar
TLSH T19FB4128D1656F6B2CDA80DBDDC52409C4F72D067009BF313AAC5DA618F0DEDA22E45BB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 74ecd0f0f8e8f0d4 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.147.140.146:6609

Intelligence

File Origin
# of uploads :
2
# of downloads :
382
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817.exe
Verdict:
Malicious activity
Analysis date:
2024-03-18 04:18:10 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/16a0002b-cb9f-4016-8f8f-818b9bdb7236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.28245.12569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Running batch commands
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Moving a file to the Program Files subdirectory
Replacing files
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed remcos smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/65f7c003c1137bbf149d919d/reports/59de962a-e11c-4f34-8baa-38b15c38493d/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/442bfaf8-1158-4306-8c93-16edea76c117
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1410553
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410553 Sample: SFwpxUaKtF.exe Startdate: 18/03/2024 Architecture: WINDOWS Score: 100 62 busbuctomorrrw.ddns.net 2->62 64 geoplugin.net 2->64 76 Snort IDS alert for network traffic 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Found malware configuration 2->80 84 8 other signatures 2->84 8 SFwpxUaKtF.exe 2 2->8         started        11 Phots.exe 1 2->11         started        13 Phots.exe 2->13         started        15 3 other processes 2->15 signatures3 82 Uses dynamic DNS services 62->82 process4 signatures5 86 Writes to foreign memory regions 8->86 88 Allocates memory in foreign processes 8->88 90 Injects a PE file into a foreign processes 8->90 17 vbc.exe 3 13 8->17         started        21 cmd.exe 2 8->21         started        23 cmd.exe 3 8->23         started        26 cmd.exe 1 8->26         started        92 Multi AV Scanner detection for dropped file 11->92 94 Machine Learning detection for dropped file 11->94 28 cmd.exe 11->28         started        32 3 other processes 11->32 30 cmd.exe 13->30         started        34 3 other processes 13->34 36 12 other processes 15->36 process6 dnsIp7 58 busbuctomorrrw.ddns.net 194.147.140.146, 49729, 6609 PTPEU unknown 17->58 60 geoplugin.net 178.237.33.50, 49730, 80 ATOM86-ASATOM86NL Netherlands 17->60 66 Contains functionality to bypass UAC (CMSTPLUA) 17->66 68 Contains functionalty to change the wallpaper 17->68 70 Contains functionality to steal Chrome passwords or cookies 17->70 74 3 other signatures 17->74 72 Uses schtasks.exe or at.exe to add and modify task schedules 21->72 38 conhost.exe 21->38         started        56 C:\Users\user\AppData\Local\...\Phots.exe, PE32 23->56 dropped 40 conhost.exe 23->40         started        42 conhost.exe 26->42         started        44 schtasks.exe 1 26->44         started        46 2 other processes 28->46 48 2 other processes 30->48 50 2 other processes 32->50 52 2 other processes 34->52 54 12 other processes 36->54 file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-03-16 04:44:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4y7fdlrn5grdcluyx6rgcqc7n2c4ihrmtvbfmxr4ry7ld5fxalq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587
RemcosRAT
7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
RemcosRAT
a0c4a547b08cd4669362420f9c50b04f084e0174f13911f4e8b95cec7ba12cd8
RemcosRAT
a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946
RemcosRAT
a79174e7371a00a56fd0991adde5e1d50b4cb857681930be331c1532aeea9c6a
RemcosRAT
ab4c9b244a1604655032a8f69acc4273265fa35337906e05a1dc2b274b3b13a6
RemcosRAT
+ 3'654 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:rrrrrrrr rat
Link:
https://tria.ge/reports/240318-evspksgg6v/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
busbuctomorrrw.ddns.net:6609
Unpacked files
SH256 hash:
a215068adccbcc44b1f14bb81e0e6913d82f385dbbc80e9ecdf78233a97ee196
MD5 hash:
55ef1b697c438bd7aef9dba5fa584b0c
SHA1 hash:
fd20f8090864337ac0130347202826dda1913d43
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/68476811-d19c-4e00-99c9-4050a864530b/
SH256 hash:
6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817
MD5 hash:
2562ad2e3b7633531bafa6737c6c245b
SHA1 hash:
ae4f5f50f98ba3aa77f891ae6a691869e51dc7e5
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/68476811-d19c-4e00-99c9-4050a864530b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f31f28d716f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f31f28d716f4d118974c5fd130a02fb742e20f164ea12b2f1e471f58fa5b817

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments