MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74cc5dad093534293d0e58ddd6cf21a95c0b9b3443740712e75430b298d1e4ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74cc5dad093534293d0e58ddd6cf21a95c0b9b3443740712e75430b298d1e4ea
SHA3-384 hash: 7deaa733720d1ce317291fc495690eeb8ea0f6e960cc49f5b367f45fe28835f233908001e01aa94ff81a99e20f1947b7
SHA1 hash: a927c3e27232bfb58b373db2710b087a7e7aef9e
MD5 hash: 7656b6794ea705e28b5db2a02c02d0f2
humanhash: jersey-coffee-ten-lamp
File name:7656b6794ea705e28b5db2a02c02d0f2
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'129'984 bytes
First seen:2022-08-04 07:18:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:ZOsLlpxCnWml4ncJ81Pc2kShmmZC8mvcxZvZbXei902H:4AF84ncJPSQaC8xDbf0
Threatray 1'871 similar samples on MalwareBazaar
TLSH T10335F180B797DD33F2686637E0C190181770468E91E2E31A6ACCB9AE2D533571DF978E
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8e0e886c6eea480 (1 x Formbook, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
7656b6794ea705e28b5db2a02c02d0f2
Verdict:
Malicious activity
Analysis date:
2022-08-04 07:21:22 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/32c32168-17cd-45ef-8015-8ef99e8e9995

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296386/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.13665.9038.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62eb7361bcf76fcb6ce353b5/reports/b4b9d7f4-43f8-407b-98d3-f88c21e36856/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0eac434-4294-4c0e-b477-6b0d0cbd8794
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046104
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/74cc5dad093534293d0e58ddd6cf21a95c0b9b3443740712e75430b298d1e4ea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-04 05:16:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=otgf3lijgu2cspioldo5ntzbvfoaxgzuin2aoexhkqylfggr4tva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
21323faa5f74ccc103e64f30bc31b36e0cfc971a601b59502713151ad4f465db
RemcosRAT
2b305f1f4fa4f5ebe3b32ba17036b1b28febbcfecda7266a39c8d0aa21c12313
RemcosRAT
36ee4cc36b92868bf1c674cacd2cf48eaf5b0fc29fba0e1e9dc13aa920b7ee32
RemcosRAT
43ee9abd28c74e30fb9f976a611937d082ac0c1772f620e90087f038a406c89c
RemcosRAT
703b4d505cd05c228e0cf681a542262dc98211cf2e4eb26102283b5b7efa29ee
RemcosRAT
7484e671f44dff5800c656985f8dc0540913622989a3d799bd012cb9dfb23762
RemcosRAT
b7deac676ee163bb88faedd6e4a460b1fd0a0154823a4dfcda9b4804e05a4ba8
RemcosRAT
f9d08335a32ecefc895aacd51ffbf87e242e681b96b4515b4e3a6627b538f229
RemcosRAT
fd01d960ca2725e756f9e852045ab8a1d971c8b5881c0883d87f73a8278f79d4
RemcosRAT
+ 1'861 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:gm rat
Link:
https://tria.ge/reports/220804-h5hh5sdcgq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
power22.myftp.org:3027
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/943a1efb-5de0-4b72-94bb-1424a9d793f0/
SH256 hash:
5a093e30fa628b1fb747f5ddda933039bf235c47a7f9b71531fc90d3d9c9289c
MD5 hash:
67b56d739bef9ad16dc7a69b564c2e25
SHA1 hash:
ad496dc3244921c4ebe3c6210712af0d67a734ec
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/943a1efb-5de0-4b72-94bb-1424a9d793f0/
SH256 hash:
99aaa0cd6836a6f0d86d1726eb7ad7eda7f02e678c6327c7143f69721e10d357
MD5 hash:
e8842884e2ba3d52ce1505a53b282ab4
SHA1 hash:
84c7c7374f4f09636f42b060be4fbf8ad4d69857
Link:
https://www.unpac.me/results/943a1efb-5de0-4b72-94bb-1424a9d793f0/
SH256 hash:
a9c5b2c628a47247402ff05d399855caf6f6a22146d44cd0fd9d7fc05a65ba66
MD5 hash:
228ff1006be83039e4de2b5e0475a5b0
SHA1 hash:
3adef5cc343067fa6b9d5e712114dc619c867a72
Link:
https://www.unpac.me/results/943a1efb-5de0-4b72-94bb-1424a9d793f0/
SH256 hash:
12522a52df6d78ed4f3bb048a4a4d26f6ea0094c3da5843173e44a81794a3e6c
MD5 hash:
4d32c57a1ae9be0cfeed0e30e10bb6f7
SHA1 hash:
37a4d8cb064014eb4bf69344d7e6f48a4287c604
Link:
https://www.unpac.me/results/943a1efb-5de0-4b72-94bb-1424a9d793f0/
SH256 hash:
74cc5dad093534293d0e58ddd6cf21a95c0b9b3443740712e75430b298d1e4ea
MD5 hash:
7656b6794ea705e28b5db2a02c02d0f2
SHA1 hash:
a927c3e27232bfb58b373db2710b087a7e7aef9e
Link:
https://www.unpac.me/results/943a1efb-5de0-4b72-94bb-1424a9d793f0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74cc5dad0935/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74cc5dad093534293d0e58ddd6cf21a95c0b9b3443740712e75430b298d1e4ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:RemcosRat
Create hunting rule
Author:Mohamed Ashraf
Description:Detects Remcos Rat
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 74cc5dad093534293d0e58ddd6cf21a95c0b9b3443740712e75430b298d1e4ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2264651/
Cape
Cape
https://www.capesandbox.com/analysis/296386/

Comments


Avatar
zbet commented on 2022-08-04 07:18:42 UTC

url : hxxp://193.169.253.204/oga/v9iqDJsnyUbsA72.exe