MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2
SHA3-384 hash: b836fde5c28abd83c911685b5cfe2018239aede828a9191cf880d7f1d1c4a9bd9d0a8073bbd9114cca000b58f109abff
SHA1 hash: 37788a6afc0fc35d0ce11acbb3b5311d2410e7a7
MD5 hash: f6ef50ff10d1cce8e511d3f9482d2762
humanhash: wolfram-island-stairway-nitrogen
File name:BkRCY.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'989'120 bytes
First seen:2022-08-24 12:55:26 UTC
Last seen:2022-08-24 13:40:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:FtSn+o+PCKhc4MtlhZYRaqMaLSx6NiPFeJogx6SMfaLE:m+JfcxThiRaV8iNWpwSMCLE
Threatray 692 similar samples on MalwareBazaar
TLSH T1799509807B98EA27D1BF2F7594F301501BBAE445AFE2DB4A5A9032B91C017457C293BF
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter 0xToxin
Tags:exe remcos RemcosRAT


Avatar
0xToxin
Payload URL:
http://20.7.43.70/BkRCY.exe

downloaded by:
https://bazaar.abuse.ch/sample/f575b254b8d3b01056e06c8d16246617e503bb95cad99f7b011978055e306b99/

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURE_.LNK
Verdict:
Malicious activity
Analysis date:
2022-08-24 12:27:39 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/18db3808-e5d9-4e9d-bce3-953d46d6c8ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300853/
Detection(s):
SecuriteInfo.com.Variant.Tedy.192395.5725.31603.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe eventvwr.exe greyware greyware hacktool keylogger shell32.dll
Link:
https://www.filescan.io/uploads/6306205d393b1c8c470caa74/reports/d3eff5ba-9223-4295-b843-1b54f2292867/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9e3c905-49bd-49fd-820c-51307805391d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1056986
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-08-24 12:53:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfmryf73zjilg2mp2alwswhdstovadt27xlvwwztzuyqsvtfzkra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
146e9314dabcad733e15ab5e796c53fda2be2b34ea00a0bc03efda9ea674202f
RemcosRAT
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
61a98c70ef7a47d6f99891a598b234753c976c4cf9650e12d37b52d2b1923d6b
RemcosRAT
8aa5bd6c413e609cebd3bf6a00bab7df51cac1487d9d4fa41ce6b0f167f9ce82
RemcosRAT
9f3cf62dfd7a9077007273843165de38564bdb3b0229b1f0c71184b75cb2b788
RemcosRAT
a5f6b5b6909b3b40d933857cc42d284b743ce9a69ca2baaa5e75dcc4e1c15a19
RemcosRAT
e1db9a1008368b341ee4cbf519c859e65d16e5fb5ac5f45fa63a58aec07532b8
RemcosRAT
e256faba4e899b8a32127eb13767da9c2c5e7e544b3c63171887dca01a4612c4
RemcosRAT
f493302e1ea4bece2e801b8509aa51d1c13d5c9a741c06a048bcececfedd120e
RemcosRAT
+ 682 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:svchost persistence rat
Link:
https://tria.ge/reports/220824-p6b63sdfak/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
184.75.221.195:22614
securewebareaxxx.ddns.net:22614
safetysystemarea.duckdns.org:35749
Unpacked files
SH256 hash:
79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2
MD5 hash:
f6ef50ff10d1cce8e511d3f9482d2762
SHA1 hash:
37788a6afc0fc35d0ce11acbb3b5311d2410e7a7
Link:
https://www.unpac.me/results/1cf45b92-171f-49b8-95b4-6779640b245f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79591c17fbca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/300853/
  
URLhaus
https://urlhaus.abuse.ch/url/2276482/

Comments