MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75d92595eacd434de03308b953df7cb12ae082d15093378a9d66814a41c92622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: 75d92595eacd434de03308b953df7cb12ae082d15093378a9d66814a41c92622
SHA3-384 hash: a23b6dde43d5e32c3ef6485246fdff4d3ebd6941adf6ad3868a8059f6285e0592b93e21b743a7710db80facbd3ab5484
SHA1 hash: 80fada7517e94d4f8035344abe42f3a728f85067
MD5 hash: 31e6b247ed09dd570a66dd7e75174c9b
humanhash: double-cat-uniform-romeo
File name: 31e6b247ed09dd570a66dd7e75174c9b
Signature: RemcosRAT
File size: 451'208 bytes
First seen: 2021-10-12 11:13:03 UTC
Last seen: 2021-10-12 12:10:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep: 12288:CeTX0L/YXVOvUzol3/CFEb8aVhQ2i8qnP15EU6yeCPs:JT6YAMoEFETVhQZ8qnP1cyeUs
Threatray: 729 similar samples on MalwareBazaar
TLSH: T11CA42343B6C05577C8D28A312E78571CCAB7C29A41115A6757348F9F3A335E2C68B2CF
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 216
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 31e6b247ed09dd570a66dd7e75174c9b
Verdict: Malicious activity
Analysis date: 2021-10-12 11:33:23 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 60%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 500996 (Sample: D8oUzPUNCR, Startdate: 12/10/2021, Architecture: WINDOWS, Score: 100). The interactive graph is not reproduced here; the process tree, dropped files and signatures it records are:

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures.

D8oUzPUNCR.exe (started)
  dropped: C:\Users\user\AppData\Local\...\nckkt.dll (PE32)
  signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
  -> D8oUzPUNCR.exe (started)
       dropped: C:\Users\user\AppData\Roaming\...\Dlls.exe (PE32); C:\Users\user\...\Dlls.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\install.vbs (data)
       signatures: Creates an undocumented autostart registry key
       -> wscript.exe (started)
            signatures: Deletes itself after installation
            -> cmd.exe (started)

Dlls.exe (started, first instance)
  dropped: C:\Users\user\AppData\Local\...\nckkt.dll (PE32)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  -> Dlls.exe (started)
       network: Venonletmonitprradministratioran.loseyourip.com 8.6.8.23, ports 24091, 49754, AS-CHOOPAUS, United States
       signatures: Installs a global keyboard hook

Dlls.exe (started, second instance)
  dropped: C:\Users\user\AppData\Local\...\nckkt.dll (PE32)
  -> Dlls.exe (started)
Threat name: Win32.Trojan.RemcosRAT
Status: Malicious
First seen: 2021-10-12 11:07:51 UTC
AV detection: 17 of 45 (37.78%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:netgeneration persistence rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Adds Run key to start application
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: Venonletmonitprradministratioran.loseyourip.com:24091

Unpacked files
SHA256 hash: 073df85e835cff4a39aa33f409d78e7e4e10b7ca3e1f4a691d42d5480ddbb293
MD5 hash: 620f475749503fb1f26d90e9b79e5260
SHA1 hash: bde4284e5a823efec136b64a8cf314dbfaf23791

SHA256 hash: b34b235c671de1e9e71e4cd99c35f6a2b04b78d0ee6c41d6c4139f3a5bd37886
MD5 hash: 2e5464e17b9ad0de743a75f9514f0549
SHA1 hash: 7ecc27716a69c131c7d816042ded8408b4217ab3
Detections: win_remcos_g0

SHA256 hash: c667d6dcbb64621ac3073f83e79b22185b6ae22a8d62e1c61a2fe450588ccbe6
MD5 hash: 01c7a566e94781116b266f20b9227aff
SHA1 hash: a81521f36ace761f48ac93d9983b043c5b7fb9d2

SHA256 hash: 75d92595eacd434de03308b953df7cb12ae082d15093378a9d66814a41c92622
MD5 hash: 31e6b247ed09dd570a66dd7e75174c9b
SHA1 hash: 80fada7517e94d4f8035344abe42f3a728f85067

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RemcosRAT
Executable exe 75d92595eacd434de03308b953df7cb12ae082d15093378a9d66814a41c92622 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-10-12 11:13:04 UTC

url : hxxp://107.172.73.191/00002/vbc.exe