MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762
SHA3-384 hash: 8d682cd34762743b8122c62ed32f12348c63f190045dab50e63de7b70ff23c300cc526bd520276109d51103f6db0552b
SHA1 hash: 70e6c30b5e0abd86044037527518503551976582
MD5 hash: deff4a156bb1fb7354bc8768511ba951
humanhash: lima-foxtrot-double-bakerloo
File name:deff4a156bb1fb7354bc8768511ba951.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'135'616 bytes
First seen:2022-07-13 07:12:40 UTC
Last seen:2022-07-13 12:10:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:/keoFufk+X4gaoHpryMyCF+6iIFPMOFmqtx7BmixI+GQOs:8RFmI0pryMNDNHG
Threatray 2'723 similar samples on MalwareBazaar
TLSH T1DE3512003BEA5B5AEDBAE7F65E70A01203B239162611F74E5CC675CE1873F408A96F17
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
deff4a156bb1fb7354bc8768511ba951.exe
Verdict:
Malicious activity
Analysis date:
2022-07-13 07:14:15 UTC
Tags:
keylogger remcos
Link:
https://app.any.run/tasks/e4b6fcdd-bdea-40e4-85a2-bc81c77a56c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286816/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.27132.29912.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62ce70c33ec0b068997656ff/reports/337a3a86-4f2e-40fa-bdb3-998e52acde1e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf8db13e-3bcf-41a1-85e2-173e0a796905
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 08:31:12 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oscom4pujx7vqaggk2mf7doakqergyrjrgr5pgn5aewltx5sg5ra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
082525150d7aace7e21b3bfb469f86c2e7239593c50cebc143d7f8a66b898b83
RemcosRAT
0a7baae0933a14082beb95b1c5484dd958e333f7fc499f645c1d550d8ad124a1
RemcosRAT
21323faa5f74ccc103e64f30bc31b36e0cfc971a601b59502713151ad4f465db
RemcosRAT
5482c9775362ce202cf44b082ce747f7e69f522a903ccc031c975cc714c82a8c
RemcosRAT
62671da23d0acb718d487ed7e7ad280f615915d3551e0a65b0ac82966a6610d9
RemcosRAT
91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
RemcosRAT
b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0
RemcosRAT
db8a8a4bf1e1e63ef1bd27f8131dfeb14bca74e9d68605cf71e9eac5126baa48
RemcosRAT
dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e
RemcosRAT
+ 2'713 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/220713-h13nhsedh3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
185.140.53.242:2977
Unpacked files
SH256 hash:
b04b625d6539fdea5eb7c30d821f6653ccb892961afeaf731fef41346f60036e
MD5 hash:
2664080e1218ebb8540007689b643b9b
SHA1 hash:
e3c74bcc50ea7e2eeaddaaa1b13363766c89f9ee
Link:
https://www.unpac.me/results/620a3d6c-408a-44fe-889e-187f39fb67b6/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/620a3d6c-408a-44fe-889e-187f39fb67b6/
SH256 hash:
14721d90994ead5c67a65002118f6bd5919134eff2ffa8ec46d68e81ec5b0c4a
MD5 hash:
7fe0c30f58ef4c668e0be7ab4a5e1e4f
SHA1 hash:
7e3c463dbd5feb5dea04bb9bd90bd50e479c2787
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/620a3d6c-408a-44fe-889e-187f39fb67b6/
SH256 hash:
ffa7d4061dffcf8874f41998c5bebc0988cd091b5ffabcee2087a336205f2834
MD5 hash:
54f6664406fd68b25ac99e135e973dbd
SHA1 hash:
41f039af02adec28d5595eec41a94f74bc0b42ef
Link:
https://www.unpac.me/results/620a3d6c-408a-44fe-889e-187f39fb67b6/
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Link:
https://www.unpac.me/results/620a3d6c-408a-44fe-889e-187f39fb67b6/
SH256 hash:
7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762
MD5 hash:
deff4a156bb1fb7354bc8768511ba951
SHA1 hash:
70e6c30b5e0abd86044037527518503551976582
Link:
https://www.unpac.me/results/620a3d6c-408a-44fe-889e-187f39fb67b6/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7484e671f44d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2256899/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286816/

Comments