MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc
SHA3-384 hash:	943162f149b9aae732b5c86300d2a6fc68d6aa6dff996e19d2a6b9a07ffb6e0da07519aa0a40ca3517c6ab2875b57f13
SHA1 hash:	8b1ae49c7038ea640ec6cf4cb71bb402bd7ff359
MD5 hash:	05e285c9c4a5ea58269eef27c460708e
humanhash:	snake-aspen-uniform-massachusetts
File name:	SecuriteInfo.com.W32.AIDetectNet.01.24384.11528
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	938'496 bytes
First seen:	2022-05-30 10:41:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:UawGhg7ykD/sSmy0QmCB0LXMz+JNNmyIZgXWE:ULG6sE0QmCB0L8KfNEZgXj
Threatray	1'899 similar samples on MalwareBazaar
TLSH	T174151259B7A5CE82D19A1470D0E3923043F1A6877633D78A2E8A27CD5F017A4CDDE7CA
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00ccf096ccc0d400 (21 x FormBook, 18 x AgentTesla, 11 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.24384.11528

Verdict:

Malicious activity

Analysis date:

2022-05-30 10:46:30 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/83a2239d-c66a-4fbe-91c0-e81f8616552d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/275440/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.24384.11528.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

coinminer control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/62949f7c206e081618456ae8/reports/b500e9b3-29c6-45ea-b301-b14b3a12d5ad/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f25cb8e9-563f-4ad2-8d2b-086ef560b36e

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003621

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-05-30 10:41:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ooxekzr2we7ycpk4xn2rqr6ahqg72i6pu5w7hqs6llfc75j3oxoa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

6c8dbcbc22eeb8b7eef89e5ea97813f2be9a6b5635c8e3f1f186a694aa6a0ac2

RemcosRAT

7d86068523fe035aec83fcb57be4edc0bdca3000fa6046fb66ef246b20e15601

RemcosRAT

9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842

RemcosRAT

b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee

RemcosRAT

b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92

RemcosRAT

+ 1'889 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/220530-mq3yragab2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

206.123.140.83:5888

Unpacked files

SH256 hash:

840be1d54ac08fdec3556b93ff92af7e2f6d7c909a7606c59c5ac777670e2742

MD5 hash:

cc4a8210cb3e6146e928003944c15fbf

SHA1 hash:

e218e2b2a8c8e204c19d6cc6aec987b87544d566

Link:

https://www.unpac.me/results/25cfe27b-77bc-4a22-82b2-610366ddecee/

SH256 hash:

2e39686a0d6d350648e56f090fdbfbd587f5108f59117abdfb0ab72ea829bbce

MD5 hash:

96754c0fc2f993fc34a316cc61f3327e

SHA1 hash:

dcfe5044b6f64446eb75581b7efb2f493fcb41a4

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/25cfe27b-77bc-4a22-82b2-610366ddecee/

Parent samples :

0a7f119fdf79b8cc120a81521e6e3477ac4b7743fe96b5b4a91be6072c0c6782
fce87d9ca3e073fa6fbbdde7032b4fd4a161e430a774ec550155d9836ad99d10
0b8ce3d491814d2e36d1f10e2deafca89470c738f3aabd8c6a4757e75bef7c01
90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130
73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc

SH256 hash:

4822b9b0461be0d670fbd58d9891807e4840983df104a0e1491c02b1e3859628

MD5 hash:

182e9da936da90267ddc3716ceac4666

SHA1 hash:

b6e0ab6554257c439404c6dd18aee8d89d21c508

Link:

https://www.unpac.me/results/25cfe27b-77bc-4a22-82b2-610366ddecee/

SH256 hash:

2ad346778d329a70e73cf2df0eba2f2d7c2acea8724d0060cf28ec3d06925b17

MD5 hash:

7f264c81235a00d85de873077120ca10

SHA1 hash:

afb5b0d786316da8e40ecaadc77f397d71ab06e7

Link:

https://www.unpac.me/results/25cfe27b-77bc-4a22-82b2-610366ddecee/

SH256 hash:

6915e2779e2b823b5d34abd593a0e9e0b3779a64e5de5fbaa870d7b13bf8f3e1

MD5 hash:

83909b569a882af29d369d8d65530996

SHA1 hash:

19701fab84ce0ca87add8d3e2bb95a564c67d996

Link:

https://www.unpac.me/results/25cfe27b-77bc-4a22-82b2-610366ddecee/

SH256 hash:

73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc

MD5 hash:

05e285c9c4a5ea58269eef27c460708e

SHA1 hash:

8b1ae49c7038ea640ec6cf4cb71bb402bd7ff359

Link:

https://www.unpac.me/results/25cfe27b-77bc-4a22-82b2-610366ddecee/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/73ae45663ab1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275440/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample