MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fcac658bbef930bb0f7472b82c10b4fa5c7ef9fcd634687b53ef8034cbc49d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fcac658bbef930bb0f7472b82c10b4fa5c7ef9fcd634687b53ef8034cbc49d2
SHA3-384 hash: a5908cc841d3acfbbeba5b3f5efdce0eb1850365cf7549d2ed7e9e21f7b1544147a9534ed3b40d66dd815f82780c18bf
SHA1 hash: 5907c842fb304694039c289302348de5b41a56d4
MD5 hash: d70776f8fe46166dc8e335cfab27ff3f
humanhash: winter-connecticut-louisiana-bulldog
File name:d70776f8fe46166dc8e335cfab27ff3f
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'301'504 bytes
First seen:2022-03-09 16:49:36 UTC
Last seen:2022-03-09 18:38:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:FMfCxhSmqrjajBoxtjU+p2VhyC9mxMlAtnnOgSvvdoE2xJg:FdSJjqoHX6h59ar1CyEoO
Threatray 2'482 similar samples on MalwareBazaar
TLSH T13255E010A96A503AF27E9A791BC5F86349D7BDA61600E0BE5C6CF59A0FF193D9CC0C31
File icon (PE):PE icon
dhash icon 00a2baaabaaa9400 (3 x AveMariaRAT, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248806/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.30151.6267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6228dac8b94fb38cb4492b83/reports/af28563e-5781-49c0-9097-83042661f358/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bccd38b-8ceb-4ecb-bd52-176384b87c03
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953480
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fcac658bbef930bb0f7472b82c10b4fa5c7ef9fcd634687b53ef8034cbc49d2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 16:50:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7fmmwf356jqxmhxi4vyfqilj6s4p347zvrunb5vh34agtf4jhja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
38c2822b3929fe567273c89ddbdc3fb49a750199cd795f36ad6dc29bb614e4c6
RemcosRAT
5e9b46a05976ce885f8ad6afbda3debe8147ce7769fbbea18e78320ca04f6c5c
RemcosRAT
6a4b5aab71a352d6ae6140f99a28b0c38df78a8985b3383f1bc424ca74e046fe
RemcosRAT
7b5f70276fe64b0ec64ff186af6706b1dbbf2e2dc69e4b1546745b293121116f
RemcosRAT
a02d52f23eb9e8a857c9ed01d81e6220e787a1e2838d42c2734e99bc73cff250
RemcosRAT
b0ac37aec0eef942e0ff9c35828584b8d887f951ec13afbd80cdc4ce23595ae4
RemcosRAT
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
RemcosRAT
c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
RemcosRAT
d1ececa600d9b37a14dbdee36b5cd58a20932bf976cab21c461c42b96e79f196
RemcosRAT
+ 2'472 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:enginekeys rat
Link:
https://tria.ge/reports/220309-vcadaadeen/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
marcobalassoneets.ddns.net:9794
Unpacked files
SH256 hash:
581916bd0bca5f10a87664ac5a8c055dd30d64e5dbb3211f5ddfb05c684efdf0
MD5 hash:
fc740ce5979830d5a26af7242828ab49
SHA1 hash:
2949f862043475755900d28f1f4358a75a1d6803
Link:
https://www.unpac.me/results/04885edc-6541-4010-9cd2-b95b5da34d1d/
SH256 hash:
c1a1fe3198d35f00ec5eeeec31fdec7e8ac03d5284df739ac2b45b4e8d24c8b1
MD5 hash:
3a8fae814d67ec58d41e12fa920fa770
SHA1 hash:
75a50e4b4f3b246833f7d00f64c502849f84377c
Link:
https://www.unpac.me/results/04885edc-6541-4010-9cd2-b95b5da34d1d/
SH256 hash:
175285bfa8a73b3990f54994b8825c1f3396635bc344939cd8d9fc60b9569b46
MD5 hash:
f26eb90c6addfc99fa0c2e63896216d2
SHA1 hash:
77e01b96d8c211d4d24fc0a1aae91122caf5f668
Link:
https://www.unpac.me/results/04885edc-6541-4010-9cd2-b95b5da34d1d/
SH256 hash:
ab20d0d126cd11b920ba11475d432980ac067c6cca11ae673674c992e3c7f6c4
MD5 hash:
f639d2e29a79d7911ab7ee0a979f5273
SHA1 hash:
8f2f8ee7ace6fadc19416582cc58f255fcde79dc
Link:
https://www.unpac.me/results/04885edc-6541-4010-9cd2-b95b5da34d1d/
SH256 hash:
6fcac658bbef930bb0f7472b82c10b4fa5c7ef9fcd634687b53ef8034cbc49d2
MD5 hash:
d70776f8fe46166dc8e335cfab27ff3f
SHA1 hash:
5907c842fb304694039c289302348de5b41a56d4
Link:
https://www.unpac.me/results/04885edc-6541-4010-9cd2-b95b5da34d1d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6fcac658bbef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fcac658bbef930bb0f7472b82c10b4fa5c7ef9fcd634687b53ef8034cbc49d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6fcac658bbef930bb0f7472b82c10b4fa5c7ef9fcd634687b53ef8034cbc49d2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248806/
  
URLhaus
https://urlhaus.abuse.ch/url/2086255/

Comments


Avatar
zbet commented on 2022-03-09 16:49:39 UTC

url : hxxp://107.174.138.202/990/vbc.exe