MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99
SHA3-384 hash: 2fdd42a5c3c87a51e295f211469d770178810c31d410aef804c7976ff41b4f8ba4137de8b383cf37ccd48d0837353230
SHA1 hash: c9a85499d49606fbc9244b1f36464692a5e8d5b9
MD5 hash: fa2cbbd8f8f8752294d9ece90f43d916
humanhash: delaware-sixteen-don-jig
File name:R0O765456009000K.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:944'128 bytes
First seen:2024-07-18 02:45:44 UTC
Last seen:2024-07-24 16:28:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:M4ndmoiGkOcTXipV/O/zArnSDWE0V65S0jOMS2o9PADoGvSkwVgd:ZngIfW/zArSDo05SAOjpjGv/wV
Threatray 862 similar samples on MalwareBazaar
TLSH T15815D11836A40C79D53FC6BBA8F780295B327E1725D2D92921CA1EEC7DCBB40494729F
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter threatcat_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
462
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2944.16683.9514.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669881eb936dc865ddc76911
Tags:
Execution Generic Infostealer Network Stealth Remcos
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a file in the %temp% directory
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed remcos shell32
Link:
https://www.filescan.io/uploads/669881edc01cae9c72560b8f/reports/a49eed71-6cb4-40df-bd0e-60e6ee190ad3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5ea81a3-6a43-4a79-86a6-284f5ed1c8bd
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1475613
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates executable files without a name
Delayed program exit found
Detected Remcos RAT
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1475613 Sample: R0O765456009000K.exe Startdate: 18/07/2024 Architecture: WINDOWS Score: 100 50 geoplugin.net 2->50 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 22 other signatures 2->64 9 R0O765456009000K.exe 3 2->9         started        13 .exe 3 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 48 C:\Users\user\...\R0O765456009000K.exe.log, ASCII 9->48 dropped 78 Bypasses PowerShell execution policy 9->78 80 Injects a PE file into a foreign processes 9->80 18 R0O765456009000K.exe 3 16 9->18         started        23 powershell.exe 13 9->23         started        25 .exe 13->25         started        27 powershell.exe 11 13->27         started        56 127.0.0.1 unknown unknown 15->56 file6 signatures7 process8 dnsIp9 52 107.175.229.139, 49730, 49733, 8823 AS-COLOCROSSINGUS United States 18->52 54 geoplugin.net 178.237.33.50, 49734, 80 ATOM86-ASATOM86NL Netherlands 18->54 42 C:\ProgramData\remcos\logs.dat, data 18->42 dropped 66 Detected Remcos RAT 18->66 68 Maps a DLL or memory area into another process 18->68 70 Installs a global keyboard hook 18->70 29 R0O765456009000K.exe 1 18->29         started        32 R0O765456009000K.exe 2 18->32         started        34 R0O765456009000K.exe 18->34         started        44 C:\Users\user\AppData\Roaming\...\.exe, PE32 23->44 dropped 46 C:\Users\user\...\.exe:Zone.Identifier, ASCII 23->46 dropped 72 Creates executable files without a name 23->72 74 Drops PE files to the startup folder 23->74 76 Powershell drops PE file 23->76 36 conhost.exe 23->36         started        38 conhost.exe 27->38         started        file10 signatures11 process12 signatures13 82 Tries to steal Instant Messenger accounts or passwords 29->82 84 Tries to harvest and steal browser information (history, passwords, etc) 29->84 40 WerFault.exe 21 18 34->40         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-07-17 13:51:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=phdtlcu2zaxu2vd6aj7mms4ktbko6rc767i6qwrlhhaomc6absmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11bd38092d7eda3842cd5a5dc3fed362d5a5146ae6228a66b8ac2693e9a81279
RemcosRAT
2e368631139e75aa6cce30aef3ccdfe59dc2131a7f5166fa5b0e36c969eb5ada
RemcosRAT
4c92e0337b78ef707dd9a448bdb2c52b803af673a5628154ea7bc6492e182342
RemcosRAT
6279a538c09f5f4f61fa7700bda79af1358518aec2656743d19e46d478dd1ea2
RemcosRAT
77180ce5b8bfe11c2eca650ea6692fc882d97f9279f72b6f01936984ec706808
RemcosRAT
de8a9c273adc8bd2c615a7e09c87cb8b9cfc38ef6317bfa435b4a3474f1b670f
RemcosRAT
e337ee0ef010a860e11b9161de97a5511ff04381b6767b7d5ace60adff7d6249
RemcosRAT
e9572c9f7e9e395025837bce834ffa5694f39e7c7646b7a309bad4efe31aedaf
RemcosRAT
f3050a3a335d79e31e55dcc7da2da1a672593433058cbb3e325dde599cc11b1c
RemcosRAT
f49fc0151c871c2e0544b32f7c238c810988e9bd63cd2d691adb8f3a34ec02fb
RemcosRAT
+ 852 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection execution rat spyware stealer
Link:
https://tria.ge/reports/240718-c9aq7svdpg/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Drops startup file
Reads user/profile data of web browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8823
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fbaf5a81-155e-432e-8e88-1dcf53ef9a57
Unpacked files
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/30841cd9-29c0-47de-ae70-abae2007bfd2/
SH256 hash:
b9f2813189125c26c1e309f12292d02b9251174ab4f778f4474577159405d8a2
MD5 hash:
35c9c4e3f24ccc63c00ea31a0fed7aeb
SHA1 hash:
ae72612c61b06a301975a9e03ba184bfb05af209
Link:
https://www.unpac.me/results/30841cd9-29c0-47de-ae70-abae2007bfd2/
SH256 hash:
93c8b381f044e1ac1d133f49114b5777da366de1f67956feb00ae8f21e80122d
MD5 hash:
f818296d5fd7df66b36f2e6148365dd0
SHA1 hash:
690d6ca628b859f51775bd59834cca167001fe46
Detections:
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/30841cd9-29c0-47de-ae70-abae2007bfd2/
Parent samples :
b274b2b65f5ec3256ee9676fac8380af1c47457507e93d5b745156f29f386601
e6643fb9224f9a2ce99cf20b5714e5322645fae8046ef9d439ca17d7ac6abd45
79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99
74eff35aee68f271e0a9882e41d44abf8f82d058ee4755ddd0832bdc674c520b
497a59ce5e1c1e2bdd5e708f21aecd446d9047d17024c73abaeab9d8bfa8c4aa
1f75782173ef3b1b68650a95b7846bb35faa400d53b52fc1ad8b65a86bc72c88
66c50343775c162862ac27a735c66927a9b3fda4a05cd0eaa21fecbca3f6c490
SH256 hash:
79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99
MD5 hash:
fa2cbbd8f8f8752294d9ece90f43d916
SHA1 hash:
c9a85499d49606fbc9244b1f36464692a5e8d5b9
Link:
https://www.unpac.me/results/30841cd9-29c0-47de-ae70-abae2007bfd2/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79c7358a9ac8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 79c7358a9ac82f4d547e027ec64b8a9854ef445ff7d1e85a2b39c0e60bc00c99

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments