MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
SHA3-384 hash: 028c9e6a116f732c94eeffe56fc3ccb0deb344ec127252a4e4bff6243d8befeb56273871902b2c622179c51c7ddaead9
SHA1 hash: 0a230168bac70aac3b43523fcd4bc4b14ed53e47
MD5 hash: a9fe1629c98954b6af37d55141373d25
humanhash: video-queen-iowa-cat
File name:TT-INVI000000000.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:936'390 bytes
First seen:2021-03-09 16:20:39 UTC
Last seen:2021-03-09 23:47:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:c8r6hfLy5UQUM+RnpGCEhytrTFx38l1lYh/TkJbbGu+aC6BMFBdeYC:VSm5dUPp/EIRX33wbTEFde3
Threatray 3'359 similar samples on MalwareBazaar
TLSH 16155CD1F190C8DAED6B49F1AD2BA53024D7AE9C94A4410C569DBB1B76F3342309FE0E
Reporter GovCERT_CH
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT-INVI000000000.exe
Verdict:
Malicious activity
Analysis date:
2021-03-09 16:28:07 UTC
Tags:
trojan rat remcos agenttesla
Link:
https://app.any.run/tasks/7e2a675d-2b01-4c86-ab1e-ec75f2890e27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123326/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36472869.14678.20446.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Launching a process
Creating a window
Creating a file
Creating a process from a recently created file
Setting a keyboard event handler
Deleting a recently created file
Sending a custom TCP request
Creating a file in the Windows directory
Modifying an executable file
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending a UDP request
Forced shutdown of a system process
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos AgentTesla Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/633192
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Remcos
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Neshta
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365563 Sample: TT-INVI000000000.exe Startdate: 09/03/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Found malware configuration 2->74 76 Antivirus detection for dropped file 2->76 78 20 other signatures 2->78 9 TT-INVI000000000.exe 11 2->9         started        process3 file4 50 C:\Users\user\AppData\...\zc698qb97cas.dll, PE32 9->50 dropped 80 Writes to foreign memory regions 9->80 82 Maps a DLL or memory area into another process 9->82 13 MSBuild.exe 4 9->13         started        signatures5 process6 file7 54 C:\Users\...\miguel.chiliguano n SS 4.0.exe, PE32 13->54 dropped 56 C:\Users\...\miguel.chiliguano n SS 2.0.exe, PE32 13->56 dropped 58 C:\Users\user\AppData\...\REM 157 GD2.exe, MS-DOS 13->58 dropped 16 miguel.chiliguano n SS 4.0.exe 3 2 13->16         started        20 miguel.chiliguano n SS 2.0.exe 4 13->20         started        22 REM 157 GD2.exe 1 2 13->22         started        process8 dnsIp9 32 C:\Users\...\miguel.chiliguano n SS 4.0.exe, PE32 16->32 dropped 34 C:\...\protocolhandler.exe, PE32 16->34 dropped 36 C:\Program Files (x86)\...\misc.exe, PE32 16->36 dropped 46 76 other malicious files 16->46 dropped 62 Drops executables to the windows directory (C:\Windows) and starts them 16->62 64 Drops executable to a common third party application directory 16->64 66 Infects executable files (exe, dll, sys, html) 16->66 25 svchost.com 1 16->25         started        38 C:\Windows\svchost.com, PE32 20->38 dropped 40 C:\Users\user\Desktop\TT-INVI000000000.exe, PE32 20->40 dropped 42 C:\Users\user\AppData\Local\...\setup.exe, PE32 20->42 dropped 48 33 other malicious files 20->48 dropped 68 Creates an undocumented autostart registry key 20->68 60 162.218.211.157, 49705, 8780 ASN-QUADRANET-GLOBALUS United States 22->60 44 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 22->44 dropped 70 Installs a global keyboard hook 22->70 file10 signatures11 process12 file13 52 C:\Windows\directx.sys, ASCII 25->52 dropped 84 Sample is not signed and drops a device driver 25->84 29 miguel.chiliguano n SS 4.0.exe 2 25->29         started        signatures14 process15 signatures16 86 Tries to steal Mail credentials (via file access) 29->86 88 Tries to harvest and steal ftp login credentials 29->88 90 Tries to harvest and steal browser information (history, passwords, etc) 29->90
Gathering data
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 15:28:27 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qeornhwjhr3hsv4ygu7g7x2qsjy5mhjueswlpvyjyngmqnirwd4q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
181929c58e5ce4833a2847c9ff077dd87e8c0128793217d7e690311087ecc80a
RemcosRAT
22c6a5976ce7b78c9fc9be80c53945344670b5df128629f0d1e99d48b2e65121
RemcosRAT
4ee357dd7681ca5f80acaeb7d55df4432de5d370c73e6bb887e3461b6ed537f8
RemcosRAT
5a522a09a839c118c67c9ff08e9c0a00f8ef0b34ed0f3404496e43f36b78839d
RemcosRAT
611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e
RemcosRAT
68abea90e0a89bb507eaa79fdd8df2e0ba0ad79e6f117cccbd4a860cda4e389e
RemcosRAT
94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc
RemcosRAT
a3cc80048c1f95c663ef838ccfa3effa8043b16ca227b4bda377d0da91144619
RemcosRAT
e769369f1fd04a2fdb3976c69cbaaefee66cee1f54f523d7eab4712ce764f73f
RemcosRAT
eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06
RemcosRAT
+ 3'349 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:remcos keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210309-qgml61nc6n/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies system executable filetype association
Remcos
Unpacked files
SH256 hash:
2a57265d2180285f67b9404c84b336be0950b064217bbd2702eb38f379740fa8
MD5 hash:
30098e175633b3a0389c742fb316017d
SHA1 hash:
3aa6f91e11c119153a41dad957908a9e74099f86
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
SH256 hash:
d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9
MD5 hash:
b01db2780c5a1bbeb3b76e97eb5ea754
SHA1 hash:
c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
Parent samples :
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac
SH256 hash:
fed2601791591caf269eab538aaa28b4005bfeb6132716e72437a4ce7cedb86f
MD5 hash:
14d6d776e7055f652a0d8c26eba1b362
SHA1 hash:
baebee80599f3a353e4f9baf5f6440a841c65a9b
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
SH256 hash:
998c7151ff315f71356c90aa3a4c8ca70b400ab4ecd1f37471392c1eb75329a4
MD5 hash:
506e5b6c940f416a5497df599e2a7f41
SHA1 hash:
0ec9ca702683071e7d34d5d438e431cb003a2353
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
SH256 hash:
fcd424ae78f0acff911cb6746e14e545cbe45f03af3c1adce24ec3f23da44aeb
MD5 hash:
d0b02c893f68474adaaed58810ed5397
SHA1 hash:
a7dc1035c4f31aa87e3d422af46ea7191cd76ffa
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
SH256 hash:
990749071637d758c49f273363518b8f891c6e8c219655535870110ad705daf7
MD5 hash:
6eb69b0549e950f35f03d601e8de4517
SHA1 hash:
c309c2479db00f05aaec2f1fbd65e4c211dd0b0c
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
SH256 hash:
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
MD5 hash:
a9fe1629c98954b6af37d55141373d25
SHA1 hash:
0a230168bac70aac3b43523fcd4bc4b14ed53e47
Link:
https://www.unpac.me/results/1706ed2a-29e7-4d0c-bde6-f20f76ef35d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 597c4b4f5a047a75c9498ca9887cf7fc745861318d5814d6a1e77a72a55d2cfb

RemcosRAT

Executable exe 811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9

(this sample)

  
Dropped by
MD5 6c92ad97157e96a3f3c482432f4dabeb
  
Dropped by
SHA256 597c4b4f5a047a75c9498ca9887cf7fc745861318d5814d6a1e77a72a55d2cfb
  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123326/

Comments