MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ae17db9aa6d38297397c2f165275107674c25bcf88dc90720ba87d37cb000c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 16

SHA256 hash: 7ae17db9aa6d38297397c2f165275107674c25bcf88dc90720ba87d37cb000c3
SHA3-384 hash: c06fa54966173518749479421f6133c7234733dbae0761c5d7114096af0ff8c6d6ec82d92b5bb0d8597ed9dbbd8955a7
SHA1 hash: 4aa6843b34ecc3d25c641435c76c52e4bbd66f04
MD5 hash: 5ab0d1bf626ec6aa09802e5c0f4c0324
humanhash: michigan-seventeen-arkansas-september
File name: 5ab0d1bf626ec6aa09802e5c0f4c0324
Signature: RemcosRAT
File size: 999'424 bytes
First seen: 2022-05-20 13:29:16 UTC
Last seen: 2022-05-20 14:47:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:ZdmD6lwyswG1GRIGHVj3lPwEsp14FrswgT6qo0pPMm:ZdmD637G1sIGHVj1PwEsp6rsP9o0pPM
Threatray: 1'484 similar samples on MalwareBazaar
TLSH: T1AA25121837D48B22D47D4BB5A03294901B7ABD1AB893F72FBED475C918B37A04152BB3
TrID: 54.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: ecccd4dcd4e4d4d4 (1 x RemcosRAT)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 278
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 5ab0d1bf626ec6aa09802e5c0f4c0324
Verdict: Malicious activity
Analysis date: 2022-05-20 13:29:58 UTC
Tags: rat remcos keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
  Creating a window
  Creating synchronization primitives
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a process from a recently created file
  Creating a process with a hidden window
  Creating a file in the %temp% directory
  Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed update.exe wacatac
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID: 631131, Sample: JRCWCfahHi, Startdate: 20/05/2022, Architecture: WINDOWS, Score: 100)
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures
Process tree recovered from the graph:
JRCWCfahHi.exe (started)
  dropped: C:\Users\user\AppData\...\cEaafOxbKtOB.exe (PE32)
  dropped: C:\Users\...\cEaafOxbKtOB.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmp2141.tmp (XML)
  dropped: C:\Users\user\AppData\...\JRCWCfahHi.exe.log (ASCII)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  JRCWCfahHi.exe (child, started)
    network: salesumishcn.ddns.net 31.42.186.188 (ports 49764, 49770, 49771), YURTEH-ASUA, Ukraine
    network: geoplugin.net 178.237.33.50 (ports 49769, 80), ATOM86-ASATOM86NL, Netherlands
    network: 192.168.2.1 (unknown, unknown)
    signatures: Installs a global keyboard hook; Injects a PE file into a foreign processes
    JRCWCfahHi.exe (child, started): Tries to harvest and steal browser information (history, passwords, etc)
    JRCWCfahHi.exe (child, started): Tries to steal Instant Messenger accounts or passwords
    JRCWCfahHi.exe (child, started)
  powershell.exe (child, started)
    conhost.exe (child, started)
  schtasks.exe (child, started)
    conhost.exe (child, started)
Threat name: ByteCode-MSIL.Trojan.RealProtectPENG
Status: Malicious
First seen: 2022-05-20 10:15:32 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 18 of 40 (45.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:new dayys collection rat spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction: salesumishcn.ddns.net:9764
Unpacked files
SHA256 hash: 2e0746e9106600d278afaf031f522fa0b0db7046d575936e31fddcfa4c163918
MD5 hash: 4eadf8bd0649af71447c50623a7f8b54
SHA1 hash: 75d0f916b87f441208376968cc6abf02de3320bb

SHA256 hash: 9fb2e62b058447be9f04efff777038958cd3d4e3cae9e5f27fb6a2772c33f1f6
MD5 hash: c9c1a8db7394fcaac909decd42e02955
SHA1 hash: 8083660396f55cb36b1b81a18295fb117c0e04a9

SHA256 hash: 4228fb9b4af549d4216c7ba8a4acb847925e12a063fe88a08a4fdd129d90a9af
MD5 hash: 6f9690a8c95a44733397ab3c14319a0c
SHA1 hash: e240c56d02a97a07bbb238a2b5833c70d5ee7e32
Detections: win_remcos_auto

SHA256 hash: 187700e1704dbfc438d8e0e47ed6d15b4d4e0bffa638216eddfcc51ec0a2d617
MD5 hash: 3a0fe46229da323fff01b7e23b6c484b
SHA1 hash: f795f8ad1a08e3ab98bc3db2b51683fdfba99f66

SHA256 hash: 7ae17db9aa6d38297397c2f165275107674c25bcf88dc90720ba87d37cb000c3 (this sample)
MD5 hash: 5ab0d1bf626ec6aa09802e5c0f4c0324
SHA1 hash: 4aa6843b34ecc3d25c641435c76c52e4bbd66f04
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download    RemcosRAT    Executable exe 7ae17db9aa6d38297397c2f165275107674c25bcf88dc90720ba87d37cb000c3 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-05-20 13:29:29 UTC

url: hxxp://172.245.120.39/400/vbc.exe