MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81bc33ce9bf2c1eaec168f5a5a4c2da715a2fcbc8972daa23834e22e3d27c547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81bc33ce9bf2c1eaec168f5a5a4c2da715a2fcbc8972daa23834e22e3d27c547
SHA3-384 hash: c1ba8aaa62aa23e9121f43179ad3760666527ee84697e3333a6a60ae60cbd9696df44a70033db04d4529309484c5f1ab
SHA1 hash: 7e957166a5a73c6e7ddf9af391fd1837f4339a99
MD5 hash: 46c7424bbc974b8071f30e2c6494612b
humanhash: mango-princess-lactose-hamper
File name:Kzckpxc.exe.vir
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:36'352 bytes
First seen:2022-06-21 10:11:36 UTC
Last seen:2022-06-21 10:49:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:smXunBkNPYTnTg2nEky83Gj66JatXhuH4hEEF193PmaBVjVBNf+RukFO3CyN:zX6FEiXhw4y219f71VBN+QJ3h
Threatray 16 similar samples on MalwareBazaar
TLSH T1FDF21A477E407665E98619732453330E523DEE3CBCE59A2B1DCC308EDA739821D14AE6
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4c33d8d4d4d8334c (2 x NetWire, 2 x AgentTesla, 2 x SnakeKeylogger)
Reporter KdssSupport
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281899/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.30763.11140.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.AIDetectNet.01.10126.8995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Setting a keyboard event handler
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b199b146804683cbba3c88/reports/a20655c1-71f3-4ba1-a075-ce8b93de9a3d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cf0c4f1-ceda-4ad6-9696-647b957ac2f6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1016977
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81bc33ce9bf2c1eaec168f5a5a4c2da715a2fcbc8972daa23834e22e3d27c547/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 06:03:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qg6dhtu36la6v3awr5nfutbnu4k2f7f4rfznvirygtrc4pjhyvdq._file
Verdict:
unknown
Similar samples:
0365280eb3842ba84e01d192e38be3e5b6357a6c8e178955928e7639f2b8f442
RemcosRAT
2fd76f5bd73eeec44ca3ef9a2783e496f66b07f0b6b814f0046ec3aaeac6f911
RemcosRAT
375e3b9aca92cb15f9e872d6d8495b40bef87ebce8fb10a67d7e6e816da3c40f
RemcosRAT
660050048d88242c77c278463c5c5d727582ebdd08f702ad387507ce54b3e761
RemcosRAT
964777409c799bfcdc5d6b5bb96a1213387bdf613ea0921de32df37434ee7fd6
RemcosRAT
ac64348c4bd4596613d633157c3cc758283166e5ccccf6685b22a202b85bf8bb
RemcosRAT
beae6f9716a4543dfa1a0ed79ddc4ae62215a9637082c61419a15b4a066324b8
RemcosRAT
f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023
RemcosRAT
+ 6 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat spyware stealer
Link:
https://tria.ge/reports/220621-l8gykachcr/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Remcos
Malware Config
C2 Extraction:
vivald21.hopto.org:9955
Unpacked files
SH256 hash:
81bc33ce9bf2c1eaec168f5a5a4c2da715a2fcbc8972daa23834e22e3d27c547
MD5 hash:
46c7424bbc974b8071f30e2c6494612b
SHA1 hash:
7e957166a5a73c6e7ddf9af391fd1837f4339a99
Link:
https://www.unpac.me/results/481afaf9-ec63-40cf-bb53-26a282430c22/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/81bc33ce9bf2c1eaec168f5a5a4c2da715a2fcbc8972daa23834e22e3d27c547

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 81bc33ce9bf2c1eaec168f5a5a4c2da715a2fcbc8972daa23834e22e3d27c547

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2246305/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/281899/

Comments