MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 790bd41c440c93b452252c24c58f359af46ea8c71e59d01bd4f42f6610048217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: 790bd41c440c93b452252c24c58f359af46ea8c71e59d01bd4f42f6610048217
SHA3-384 hash: f49876d462793a84c572f14656340425c3c274c552ee80f9fe88fdd369894595b138efecac35b9440a482a4788caaffa
SHA1 hash: 5513a63a31891c3647e4419ac1e6771fa092ab9e
MD5 hash: 950c6706714067198d286209369e158c
humanhash: stream-nevada-lima-uranus
File name: triage_dropped_file
Signature: RemcosRAT
File size: 1'176'576 bytes
First seen: 2022-02-09 12:50:21 UTC
Last seen: 2022-02-09 15:11:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:5rrpHZvyD9JH3s2q6pM3AFiLARXuJABVdISCZbfea9:h9HZa9JX9MbuXintbp
Threatray: 1'148 similar samples on MalwareBazaar
TLSH: T17645DF2F097E113AC5BCD7718985CE2FB992CD963633981D29963AD945327F230D222F
Reporter: malwarelabnet
Tags: exe remcos RemcosRAT

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 237
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed replace.exe

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-09 10:20:04 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 79.134.225.17:2050

Unpacked files

SHA256 hash: 0131dcb16abf653577ed21f1dad7592e673b8e450ee3b381431e37c37c0036cb
MD5 hash: 10fe693bd7e5f05cabb9d0d26152b6ec
SHA1 hash: 9a775749b0912687788f85289651f10631922a1b
Detections: win_remcos_g0

SHA256 hash: 0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash: 263b5190f7ac42d83c756dcdf38147bb
SHA1 hash: 78f419fe3936ed7d603706c47230cd3e6ff79ffe

SHA256 hash: 0007aab95440e3b46d46c4d8d4d5877a91e5a761af522480b7a755227f342865
MD5 hash: 8b373d6cf57b33fbef06089cd91dc022
SHA1 hash: 4e028a77c278d9e2782a5964f47e4c4a852ecc9d

SHA256 hash: 790bd41c440c93b452252c24c58f359af46ea8c71e59d01bd4f42f6610048217
MD5 hash: 950c6706714067198d286209369e158c
SHA1 hash: 5513a63a31891c3647e4419ac1e6771fa092ab9e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.