MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b
SHA3-384 hash: 1b2d2c87bc905d522e3131eae52d3a2ca56e99f1c118912f196c16ada64e6444de51f6d4321634760499fe003f96c6f1
SHA1 hash: b5bc1f2425bfb466e7dc3cf3897c2c1215bce0d7
MD5 hash: dbb4bec60247615c36273e53492885e1
humanhash: ack-hamper-snake-idaho
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'198'976 bytes
First seen:2023-03-09 21:47:09 UTC
Last seen:2023-03-09 23:28:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:EXLiKLjmmJ5vbG1k8KIGxQF2jDlQDN0XG:EXLiz
Threatray 1'471 similar samples on MalwareBazaar
TLSH T1B7E59E72AD66EED1C78F1F35C2DD04604F989B43526AD60DBCC82215B482BB5EEC8673
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET exe MSIL RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
New Order Match 2023SI33490.xls
Verdict:
Malicious activity
Analysis date:
2023-03-09 13:07:33 UTC
Tags:
opendir exploit cve-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/1778388c-347e-455b-8771-0c1ff47e452f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/373163/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.30942.23011.17739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
71%
Link:
https://www.filescan.io/uploads/640a5415449b92860ca7cfed/reports/5cdb6da4-98c6-406d-a739-81996703cda9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4479a0f7-3397-4991-9a6b-64cda8e0b7fa
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190803
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Delayed program exit found
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823678 Sample: file.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 8 other signatures 2->66 8 file.exe 1 7 2->8         started        12 Cewfjhjcvxu.exe 2->12         started        14 Cewfjhjcvxu.exe 2->14         started        process3 file4 48 C:\Users\user\AppData\...\Cewfjhjcvxu.exe, PE32 8->48 dropped 50 C:\Users\...\Cewfjhjcvxu.exe:Zone.Identifier, ASCII 8->50 dropped 52 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->52 dropped 74 Contains functionality to bypass UAC (CMSTPLUA) 8->74 76 Encrypted powershell cmdline option found 8->76 78 Contains functionality to steal Chrome passwords or cookies 8->78 86 2 other signatures 8->86 16 file.exe 2 18 8->16         started        21 powershell.exe 16 8->21         started        23 file.exe 8->23         started        25 file.exe 8->25         started        80 Multi AV Scanner detection for dropped file 12->80 82 Machine Learning detection for dropped file 12->82 84 Injects a PE file into a foreign processes 12->84 signatures5 process6 dnsIp7 54 yasinkayites.ddns.net 91.192.100.17, 2049, 49697, 49698 AS-SOFTPLUSCH Switzerland 16->54 56 geoplugin.net 178.237.33.50, 49701, 80 ATOM86-ASATOM86NL Netherlands 16->56 58 192.168.2.1 unknown unknown 16->58 46 C:\ProgramData\remcos\logs.dat, data 16->46 dropped 68 Tries to harvest and steal browser information (history, passwords, etc) 16->68 70 Maps a DLL or memory area into another process 16->70 72 Installs a global keyboard hook 16->72 27 file.exe 1 16->27         started        30 file.exe 1 16->30         started        32 file.exe 16->32         started        36 14 other processes 16->36 34 conhost.exe 21->34         started        file8 signatures9 process10 signatures11 88 Tries to steal Instant Messenger accounts or passwords 27->88 90 Tries to steal Mail credentials (via file / registry access) 27->90 92 Tries to harvest and steal browser information (history, passwords, etc) 36->92 38 WerFault.exe 22 11 36->38         started        40 conhost.exe 36->40         started        42 WerFault.exe 36->42         started        44 2 other processes 36->44 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 14:06:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcyatgm5sz7c2pxljiim5eoiibenyvtnfj2nryrdu2s3cxnvqonq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
RemcosRAT
153f00cfcabb3fc9bf6ca01da20de1702cae1957d4b0fb998db99ad502896f76
RemcosRAT
15fde337ddfb3d5665b441b1c2b6391a1584dcf04b28b5316300b52ae63673e8
RemcosRAT
221784974f49f2b54c90c63ce6cf9550d94b15c3442c29c959300dbbf5b91f61
RemcosRAT
5ca676b334d8a3f4542877a696a7092b29dbdeddabcd70af2a80e5c8384a75b6
RemcosRAT
79544f55395a00102be1fadae62f95c595a8c285e53ba278f49e1a55b20fa063
RemcosRAT
9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d
RemcosRAT
c8092ae8e5c2fcb2f4ed5be1dac0723ef951a8b445c45aa68376d093fa3a5623
RemcosRAT
e876ad440761c60b772b110b7e6f08c4e156ebdb17d78c55aa4594edc65ff78a
RemcosRAT
+ 1'461 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:test1host collection persistence rat spyware stealer
Link:
https://tria.ge/reports/230309-1nrplacb3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
yasinkayites.ddns.net:2049
Unpacked files
SH256 hash:
a1359ce084f5222f86b5af1e1bf8d6396bb27584f35da89d4220c1cf41d01b4d
MD5 hash:
db1628f1cfc7153c19a43782ae28a297
SHA1 hash:
fcf3934a98c117dd9c222ba9414f7a6bb5aa9b73
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d550c8a-260c-488b-a5cc-994944a91014/
Parent samples :
cf6de5f333dea0ffbc94ef944a23c99db28e66e7d51757d01a9a017a21fb8837
78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b
SH256 hash:
fe0c140b1dced1cf8bb01611c727cef63ebd38ffc4b35615a8333700aabea98f
MD5 hash:
3487b7d1917c36388fea201020ff585e
SHA1 hash:
b9970da1aeccc577a9ea1da81cf1bba10eb077c1
Link:
https://www.unpac.me/results/3d550c8a-260c-488b-a5cc-994944a91014/
SH256 hash:
68a6b9973cf1845be3df2421f45ea8dd0ff247c6cfd0bc553e35f084a11828e7
MD5 hash:
8a18021a1b0231500d054fc35a30f196
SHA1 hash:
8fba28af36bb92509e8fc0c66535fb53cb1727cb
Link:
https://www.unpac.me/results/3d550c8a-260c-488b-a5cc-994944a91014/
SH256 hash:
cbde17d42cd034c29f779ab754f67e373bfd5f371982a7ac62d7ba1d9b38bd7f
MD5 hash:
a48ae4780e5b112c33f9002a2657c7c2
SHA1 hash:
34bee4aef47eb8c5fb768664c3abb12b0decf4c6
Link:
https://www.unpac.me/results/3d550c8a-260c-488b-a5cc-994944a91014/
SH256 hash:
78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b
MD5 hash:
dbb4bec60247615c36273e53492885e1
SHA1 hash:
b5bc1f2425bfb466e7dc3cf3897c2c1215bce0d7
Link:
https://www.unpac.me/results/3d550c8a-260c-488b-a5cc-994944a91014/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78b009999d96/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:detect_bitcoin
Create hunting rule
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 78b009999d967e2d3eeb4a10ce91c84048dc566d2a74d8e223a6a5b15db5839b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2563450/
Cape
Cape
https://www.capesandbox.com/analysis/373163/

Comments