MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
SHA3-384 hash: 9b9c7aaf09e16412b861ae675cba51b914f05f9815d2659967cd4c271d286f912d2c713ad20e4d96a215c98378d03ab7
SHA1 hash: 72a438a84143951a533b2b67650f8e718d381e49
MD5 hash: 8d9caf8ff3d1d8fdba895c0d91013eed
humanhash: video-butter-undress-ack
File name:8d9caf8ff3d1d8fdba895c0d91013eed.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:934'912 bytes
First seen:2021-08-23 18:08:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:zKRHSy4fm0PBSmFfwMgP+yNPT6IfnZBN9SAqpD2gLHMwv6zcKdkni9YhAs0kevY:ByiPo4YFP+01fP7S9ggLsw2fqqY
Threatray 459 similar samples on MalwareBazaar
TLSH T1C115125A3348F78FC51FDD7E98659C20A3E1A2311307E7867CC305EE698D79A8B112A7
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER.doc
Verdict:
Malicious activity
Analysis date:
2021-08-23 15:09:48 UTC
Tags:
exploit CVE-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/aa110929-c6b2-42ea-a141-bb885615aee9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181600/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.24829.420.29502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21c7f236-50fd-4a64-bc61-5277b71eac84
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837752
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929/
Threat name:
ByteCode-MSIL.Infostealer.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 16:17:16 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7hcjsid25ndidr5kzsashd3okrfffsasmpgmk4axdod7ojcneuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
643d70b162fbca24123f8c5ad6bab6fb1aa6166fb66a414910a5b78bd68320cf
RemcosRAT
730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2
RemcosRAT
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
RemcosRAT
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
RemcosRAT
d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc
RemcosRAT
d660500c553676fcad1d6b2847022578ed20676190b5ed5687cd15d19e98e862
RemcosRAT
d7511047d6d0127108e1cf026c3a8c7d5dbb860d62722371d4c3f65c3c1dc920
RemcosRAT
+ 449 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/210823-w2m3agan9a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
79.134.225.21:1930
Unpacked files
SH256 hash:
44926c170809718a7876d59cead7d7e678a726ff447b15f62926aa301dc26cdb
MD5 hash:
7b2d794153062df9290805ec4010e704
SHA1 hash:
9c376708c3580257f283a41fa466d40303836b72
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/714ac7fd-90d0-4de0-8464-1ee14a5b69f1/
Parent samples :
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
2bc1027b5031ad9e7bbd530124d422c0033be0f46b06e275fa640b03eeb2730e
0f69049e40ac6ad1a5df12b7e661ba9c1e120951c3f6b8489cf44c0273f5d533
SH256 hash:
1e2dac25524bc59e970963ef25d372714be3cf7eaa23cc2523076abbea22dcaf
MD5 hash:
99581d36ad58580f4172f1fceea8db1e
SHA1 hash:
cf3c659c87cc87e8bca8fc60323e748fccf6a9f3
Link:
https://www.unpac.me/results/714ac7fd-90d0-4de0-8464-1ee14a5b69f1/
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/714ac7fd-90d0-4de0-8464-1ee14a5b69f1/
SH256 hash:
77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
MD5 hash:
8d9caf8ff3d1d8fdba895c0d91013eed
SHA1 hash:
72a438a84143951a533b2b67650f8e718d381e49
Link:
https://www.unpac.me/results/714ac7fd-90d0-4de0-8464-1ee14a5b69f1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/77ce24c903d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1557559/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181600/

Comments