MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71b37b08c29c3da6a2ce10a171c87767ba77dee171d94b48a56e4413e30b2169. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71b37b08c29c3da6a2ce10a171c87767ba77dee171d94b48a56e4413e30b2169
SHA3-384 hash: a87edb65b7c3b6fb4891cc640bb1e350f3ae3a68fdfa6d9d8c726e4340af62c5b1056cce48cce652f82763bd90c905fa
SHA1 hash: 72bdbcd8778a3c6cba05c5cb8082388264ca02c7
MD5 hash: 23ea1c13952f27469f6f27e4367254ba
humanhash: lactose-lactose-happy-eighteen
File name:23ea1c13952f27469f6f27e4367254ba.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:695'296 bytes
First seen:2021-07-06 15:55:35 UTC
Last seen:2021-07-06 17:18:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:xMZoV4wmfyUp4dd6rYxlNoneq3M8J8z9aJu+/dmcw8wTra+zje+NUbfCTQ6:um1gvrolS9Kau
Threatray 1'859 similar samples on MalwareBazaar
TLSH 5EE48C9C7650B1DFC86BC936C9A42C64EA607477930BD303A45322ADDE4EA9BCF151F2
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
23ea1c13952f27469f6f27e4367254ba.exe
Verdict:
Malicious activity
Analysis date:
2021-07-06 16:00:34 UTC
Tags:
trojan rat remcos
Link:
https://app.any.run/tasks/4c28510d-a53b-4c33-b2eb-e14fd1974ac6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170010/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.ABUV.16301.10791.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf0f3015-1c94-4c48-9a73-0f6532e77c6c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812481
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MS Office Product Spawning Exe in User Dir
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444890 Sample: lSeTqAso2F.exe Startdate: 06/07/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 8 other signatures 2->69 9 lSeTqAso2F.exe 3 2->9         started        13 EXCEL.exe 2 2->13         started        15 EXCEL.exe 2 2->15         started        process3 file4 49 C:\Users\user\AppData\...\lSeTqAso2F.exe.log, ASCII 9->49 dropped 71 Contains functionality to detect virtual machines (IN, VMware) 9->71 73 Contains functionality to steal Chrome passwords or cookies 9->73 75 Contains functionality to capture and log keystrokes 9->75 81 2 other signatures 9->81 17 lSeTqAso2F.exe 1 5 9->17         started        77 Injects a PE file into a foreign processes 13->77 79 Injects files into Windows application 13->79 20 EXCEL.exe 13->20         started        22 EXCEL.exe 13->22         started        24 EXCEL.exe 13->24         started        26 EXCEL.exe 15->26         started        28 EXCEL.exe 15->28         started        signatures5 process6 file7 45 C:\Users\user\AppData\Roaming\...XCEL.exe, PE32 17->45 dropped 47 C:\Users\user\...XCEL.exe:Zone.Identifier, ASCII 17->47 dropped 30 cmd.exe 1 17->30         started        process8 signatures9 85 Uses ping.exe to sleep 30->85 87 Uses ping.exe to check the status of other devices and networks 30->87 33 EXCEL.exe 3 30->33         started        36 PING.EXE 1 30->36         started        39 conhost.exe 30->39         started        process10 dnsIp11 55 Multi AV Scanner detection for dropped file 33->55 57 Machine Learning detection for dropped file 33->57 59 Injects a PE file into a foreign processes 33->59 61 Injects files into Windows application 33->61 41 EXCEL.exe 1 3 33->41         started        51 127.0.0.1 unknown unknown 36->51 signatures12 process13 dnsIp14 53 KJJJK.3dxtras.com 136.144.41.183, 49744, 49747, 49749 WORLDSTREAMNL Netherlands 41->53 83 Installs a global keyboard hook 41->83 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/71b37b08c29c3da6a2ce10a171c87767ba77dee171d94b48a56e4413e30b2169/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 15:56:23 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b21cb47c8a19319e7a3ea04878670d09a51e7b377fdcb9e0009f1cb0700348b
RemcosRAT
34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566
RemcosRAT
3a222c1cf4a6781bec3be666c9093c809f80be4f1d4760805aba6f6827e1d278
RemcosRAT
4c11b7fb217b3675e60d659ce0a2c3eee1bdbd3e3ddba1ad6d762878f62534d1
RemcosRAT
657cf5b353228351f20b758886ed20ea09b2f2ad0740ab826e8ffdf2df8ab947
RemcosRAT
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
RemcosRAT
b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
d45d40989488d330e82db097aa2d857ea5d620526171cd8fb145ef62cb4ea701
RemcosRAT
f19b2e31a0bc55cb5d4ab540605cfeffca6dd241cbe4e96e065d403a7273534a
RemcosRAT
+ 1'849 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:host persistence rat
Link:
https://tria.ge/reports/210706-ksa328lr9n/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
KJJJK.3dxtras.com:7003
Unpacked files
SH256 hash:
121e0ca910a7a8d52775469abe5ce43285629978dd5e8dd1f6ad264cdfbd1501
MD5 hash:
ced9c5724e263a43413894c8a65e038f
SHA1 hash:
9f4bffbcb42dae817b88edcbaec22cf18aaa68fa
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/ddea1b0c-9cfa-48b5-8a74-525beadf80fa/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/ddea1b0c-9cfa-48b5-8a74-525beadf80fa/
SH256 hash:
c026efc545a6f880ceffc1fa6f03b2172a95ae44850c490211f74f2dce62ce99
MD5 hash:
5d675a8a054cd958b3a7926b62b07e7b
SHA1 hash:
4c395b7edc574a9f1a014a34bceac52d6545b413
Link:
https://www.unpac.me/results/ddea1b0c-9cfa-48b5-8a74-525beadf80fa/
SH256 hash:
71b37b08c29c3da6a2ce10a171c87767ba77dee171d94b48a56e4413e30b2169
MD5 hash:
23ea1c13952f27469f6f27e4367254ba
SHA1 hash:
72bdbcd8778a3c6cba05c5cb8082388264ca02c7
Link:
https://www.unpac.me/results/ddea1b0c-9cfa-48b5-8a74-525beadf80fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71b37b08c29c3da6a2ce10a171c87767ba77dee171d94b48a56e4413e30b2169

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 71b37b08c29c3da6a2ce10a171c87767ba77dee171d94b48a56e4413e30b2169

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1398049/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170010/

Comments