MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa3c14d56fe37c531bbb2aa8b8a44d5172231519a5972903fb37d7cdfe58978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fa3c14d56fe37c531bbb2aa8b8a44d5172231519a5972903fb37d7cdfe58978
SHA3-384 hash: cb4b9b6e65b0ae04e2f6c64728d14e2154ff6308421f5a1aa98701182e3c63e556de1f5df35882da1213624c3056219b
SHA1 hash: b75c25f1c3b36a0d63c61de185365607e6e8b7e8
MD5 hash: f561be2f6479540b2e96ca3e45bbac0c
humanhash: bravo-alanine-lactose-fish
File name:f561be2f6479540b2e96ca3e45bbac0c.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'169'160 bytes
First seen:2022-08-27 07:09:32 UTC
Last seen:2022-08-27 07:54:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:iYyLWRv988NO1a0WVIZpeBw9aVHDiQ6HECdg24L1X+rE:8LW19b70C2QV+Q6HpO24L1X+
Threatray 190 similar samples on MalwareBazaar
TLSH T15FA5D02A22402C71E46F4A12A70E63C545DA6786536B70D934E94A0D4BFB3334E7F9BF
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
355
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f561be2f6479540b2e96ca3e45bbac0c.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-27 07:11:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/30abcc19-a811-4a64-9a19-fb46064aa75d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301542/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.16861.19637.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6309c3d1393b1c8c47193ef8/reports/b2024502-c68a-4965-b369-084a160e93b5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2eea1c8-e301-488d-a443-abc7362e25c3
Result
Threat name:
AsyncRAT, PrivateLoader, Remcos, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058813
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected Remcos RAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 691330 Sample: kyf2nJc9T6.exe Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 17 other signatures 2->85 9 kyf2nJc9T6.exe 3 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 1 2->15         started        17 6 other processes 2->17 process3 dnsIp4 55 C:\Users\user\AppData\...\kyf2nJc9T6.exe.log, ASCII 9->55 dropped 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->91 93 Writes to foreign memory regions 9->93 95 Injects a PE file into a foreign processes 9->95 20 InstallUtil.exe 2 60 9->20         started        97 Changes security center settings (notifications, updates, antivirus, firewall) 13->97 25 MpCmdRun.exe 1 13->25         started        99 System process connects to network (likely due to code injection or exploit) 15->99 61 127.0.0.1 unknown unknown 17->61 file5 signatures6 process7 dnsIp8 63 cothdesigns.com 37.139.129.221, 3456, 443, 49727 LVLT-10753US Germany 20->63 65 geoplugin.net 178.237.33.50, 49732, 80 ATOM86-ASATOM86NL Netherlands 20->65 47 C:\Users\user\AppData\Local\...\jjxpiezf.exe, PE32+ 20->47 dropped 49 C:\Users\user\...\time_20220829_034620.dat, data 20->49 dropped 51 C:\Users\user\...\time_20220829_024619.dat, data 20->51 dropped 53 41 other malicious files 20->53 dropped 87 Writes many files with high entropy 20->87 89 Installs a global keyboard hook 20->89 27 jjxpiezf.exe 7 20->27         started        31 conhost.exe 25->31         started        file9 signatures10 process11 file12 57 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 27->57 dropped 59 C:\Users\user\AppData\Roaming\F955.tmp, PE32+ 27->59 dropped 101 Antivirus detection for dropped file 27->101 103 Multi AV Scanner detection for dropped file 27->103 105 Machine Learning detection for dropped file 27->105 107 5 other signatures 27->107 33 cmd.exe 1 27->33         started        36 svchost.exe 27->36         started        signatures13 process14 dnsIp15 71 Uses powercfg.exe to modify the power settings 33->71 73 Modifies power options to not sleep / hibernate 33->73 39 conhost.exe 33->39         started        41 powercfg.exe 1 33->41         started        43 powercfg.exe 1 33->43         started        45 2 other processes 33->45 67 xmr.2miners.com 51.89.96.41, 2222, 49747 OVHFR France 36->67 69 cothdesigns.com 36->69 75 Query firmware table information (likely to detect VMs) 36->75 signatures16 77 Detected Stratum mining protocol 67->77 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fa3c14d56fe37c531bbb2aa8b8a44d5172231519a5972903fb37d7cdfe58978/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-08-27 07:10:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6r4ctkw7y34kmn3wkvixcse2ulsemkrtjmxfeb7wn6xzx7frf4a._file
Verdict:
unknown
Similar samples:
1c0d0b7350789ac3cd3aaac71175646d9f06f9240689be3b62293e94ffc12658
RemcosRAT
21717cdfec5b3e14e7493537a9ca67045929faa591dc041350bc29070ca65681
RemcosRAT
326920546c2f54782c27ab6c8b53948b8b2cbb1efe709d322c84d4d7a0806911
RemcosRAT
3f4a92916d3f26c17475017df9881acb7a6bb11f3e684e548d166e46f6363bbd
RemcosRAT
59da950a2dd3a562e305d2b810d169fb9abe9a11928ad014cbdc87d657b32ca3
RemcosRAT
7b8c63fc9564c82db7c23fcf523fea4e7e69de4ef7dbc5c2b3bb06a7491b4f26
RemcosRAT
82ceaad56c8928f9d0bd09357499847ef059640db0689760b5bbab95f3068287
RemcosRAT
9e9384a14b3cb6360a27e6f5b5d772332054c47ca8258f541d2095a815fd825a
RemcosRAT
a5383b4e2f4ba2bd28112bfb06a100850109568b5e3fc7bcdff4c0fcf12fa6ff
RemcosRAT
ef8351385a327e1883639d1fc36d8e806f4d9f601e4630912763611b16213bb0
RemcosRAT
+ 180 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:220827 rat
Link:
https://tria.ge/reports/220827-hzdb8sgfa5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
cothdesigns.com:3456
Unpacked files
SH256 hash:
5da94504102b7f25448f520bf9d263e3ab575fb0dfa1a27fbc802494ccc01960
MD5 hash:
0de74c258f8d4c7bea8b24edbdf9b5b5
SHA1 hash:
d6576606dc928ef2e8c6010d9273689670acb565
Link:
https://www.unpac.me/results/feab3ff6-fe8a-4134-820d-651618c0bc0b/
SH256 hash:
6fa3c14d56fe37c531bbb2aa8b8a44d5172231519a5972903fb37d7cdfe58978
MD5 hash:
f561be2f6479540b2e96ca3e45bbac0c
SHA1 hash:
b75c25f1c3b36a0d63c61de185365607e6e8b7e8
Link:
https://www.unpac.me/results/feab3ff6-fe8a-4134-820d-651618c0bc0b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6fa3c14d56fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6fa3c14d56fe37c531bbb2aa8b8a44d5172231519a5972903fb37d7cdfe58978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6fa3c14d56fe37c531bbb2aa8b8a44d5172231519a5972903fb37d7cdfe58978

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/301542/
  
URLhaus
https://urlhaus.abuse.ch/url/2276782/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2276802/

Comments