MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
SHA3-384 hash:	ddbeea7f522c76b6efe6e786260f89f83c1aaeb1df8310c4d50ca7676eecacf4107041e819a70ca61def2090e5a53702
SHA1 hash:	18fc67728a7151c38d1b3c754a73444c1c9089f5
MD5 hash:	785014113a10b77c79af5d6cc0eb4c0e
humanhash:	hawaii-shade-moon-north
File name:	NEW INQUIRY DATA.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'022'976 bytes
First seen:	2022-09-15 16:35:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:chZ2L+SDNjt8C9sdGfgth88mUbeMhqcfC8QPztJ/Pd6bG5zUWlP4NBu0rpEZpa1D:IsrB9CwgtAUSMTkJ/8bGANrD6Q5Ew
Threatray	2'181 similar samples on MalwareBazaar
TLSH	T14425014BBBEAC912D6A89777C5E5452453729EC3E922D71B388433D50E33767CC02A8E
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	0096360e1a062400 (1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
81.161.229.148:5050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
81.161.229.148:5050	https://threatfox.abuse.ch/ioc/849891/

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW INQUIRY DATA.exe

Verdict:

Malicious activity

Analysis date:

2022-09-16 06:59:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a07d79c9-a469-42ce-927c-cdd0602ef756

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/310310/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.32488.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

Setting a keyboard event handler

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/6323547e7d0be8881fbcfe2c/reports/916f6ae7-4247-43e0-9709-b2d40956a908/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16ad6f11-8d88-47e9-9293-9e7bd5988704

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1071105

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-09-15 16:36:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

6 of 39 (15.38%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pcfgudlh4efeeniehuhrftcyigvxpowakgeeflvjmttsammpm5gq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0717daa265162ca602b432ef694dfc9d3fd6126854f80d4aab2175830a420781

RemcosRAT

1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e

RemcosRAT

2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc

RemcosRAT

3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a

RemcosRAT

3e0bcdfffded9aaede7644824841490767cf472e2dafebdc04b090870853d8ac

RemcosRAT

ae5e7a411b4e6dcc818f5f8ab9aa345b0203c834545e188f1518bdc3ba846235

RemcosRAT

cd5f1820af33d2e6f034ca088a5fd83592835c722aca63d9f4912ea2e7996d00

RemcosRAT

f171eba23f65f99cd49caa4d84e1adc3429100573de5405534922bc784dd0d23

RemcosRAT

+ 2'171 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:new rem stub collection rat spyware stealer

Link:

https://tria.ge/reports/220915-t38s4ahcgj/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Reads user/profile data of web browsers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Remcos

Malware Config

C2 Extraction:

valvesco.duckdns.org:5050

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/85601e2a-ad58-49d3-80c5-316e69a543e4

Unpacked files

SH256 hash:

1f3d25b1266cc6afcc04ff2f9fa3f0a29947df9f98e26f20b8ac10f3c9ac7020

MD5 hash:

03e2a6c9cf3f87be324cce98b31707ab

SHA1 hash:

c7d43b50e4b8848ef8a2f43b47066d6a82d4111d

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

SH256 hash:

c289ec2f57b341220c33145c8b6474d1011d387ab39dacb7b17d69c359548448

MD5 hash:

bd2adeed00397e7545a539d761458af9

SHA1 hash:

b5a1cbca39c6923308f914accf611771996f7097

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

Parent samples :

b6ebe092221b9cb70949480fbc97133fa1e408c657150bb50c41171321b2fb73
788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
dbdfdfd7484f894b17543d60c28c96c570e5f4fb61fc26a7fa6d87b68b3d2831
383f6ffeb727943af4e96cc93ab2615b14fd8b09c7e376aebc455ef82913f07f
d4bee566c89c0e8c89f0539d2d49279f844317c54ee3216c049f038b773de8dc
2fd70cf5a6097502fb9123e63b6674666134a56927943bc8b7d79dc00bb7c02d
f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
5542dd26db06cbc6b03f1323db7ff6792a69bcf3dcd6a6c978b91018c7f0a0ee
2068d6dc1ef76f480e3fefd9fb239555d5f136c6c94d35232c273414ef4531f6
d99b0d328a7e19981cc4e1dcfbdeb336c84577a020bd4a84d72d28a7930282ea
84eedf1c6f0b09177547e350d6bb53ee3b84aa48878f8f9d9135fdc69faa3535
0ac5715dbbb22286a1cc79fe33377cd2dcb71ac6ad5d876da8e938684e7d7cf8
8791b0b7f4a499d66dbbc5b41ea20cb13af614bdc62e62392bf041065e9ddb0f
d6ee6bb4bf80fe883da0a277b1f1f12fb40c00d4893cfff05060b1ebf4a5ca96
aeb68306ca8e87ec5421349055053758fe1dcb293f75aac568b6b1752c1ab631
72333871ff2e5b9a7ae7e7c11af0c2ccbac7ac53bb60976cf0bcdfabceb5059f
869b27dcb4475a95c0af50db49fad8c40730df5464a5c5482032ce5ffc578feb
7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
8e2730f5984afe0586003190249b7c9e5c51a3ef2ba0c2194db5dcd21242c20b
1e48f5be58b577bc76423894dadf647800f1da1afab2f3c1c82c08f3b66b4981

SH256 hash:

7f7c98957990eaaf8d0b21141d4116553571e8c87aad958af464658ea4377e53

MD5 hash:

a2d8c24e7059f1de2abf50b0fd60f420

SHA1 hash:

acc1bf44ceaf4dc28d6d5e7785690afce2f0ef26

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

SH256 hash:

5d6da7c1e6479460ac449f54fc352976dcfa4da90de5730557c1095daa014b9d

MD5 hash:

fdef51877a745d240bfd2fb37cecd82a

SHA1 hash:

3f655da173b983798288d46500a724474bc2f919

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

SH256 hash:

92537b24ea7165613995480a7a34784241a2d228c6e0227b3e28449a7a5ef422

MD5 hash:

16b5945c66a15c41b4351260faa4aef0

SHA1 hash:

1518496dac2ec23bce4734bc5f05631dd156d1d5

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

SH256 hash:

788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d

MD5 hash:

785014113a10b77c79af5d6cc0eb4c0e

SHA1 hash:

18fc67728a7151c38d1b3c754a73444c1c9089f5

Link:

https://www.unpac.me/results/4d0782bf-95c7-4284-8e77-e2cc1a46e32c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/310310/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample