MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 821be9512b6cfcb9a82986924e896084be0dcfac185efaa0c4e9fe999272edc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 821be9512b6cfcb9a82986924e896084be0dcfac185efaa0c4e9fe999272edc3
SHA3-384 hash: a28306a9ba68f05ee62ec9c1ce2c271e7c14c7ccd4d9fa8fc6cdc03063f44f5b64224e786b31c4892e49d2da8154756d
SHA1 hash: a2bfcb696e146e0bb3b2ec6c60916eaed389ef6c
MD5 hash: 50abda236e90598eceb5413670e4e79b
humanhash: cat-queen-social-mars
File name:50abda236e90598eceb5413670e4e79b
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:538'112 bytes
First seen:2022-05-12 19:25:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 596d37d4204a892e1beaf308978c4c2d (1 x RemcosRAT)
ssdeep 12288:KfbvH+vO4q7NAoy2jyniR8E6fYTn0MlwMoHPne:KDf/J7NAKjy3HYT0Z1ne
Threatray 1'214 similar samples on MalwareBazaar
TLSH T177B4C000BB90C035F5B726F449BA9368B63EBEE15B2051CB53E52AED56356E0EC3131B
TrID 35.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
26.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
514
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
http://85.202.169.85/600/vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-05-12 13:23:04 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/32d6ef58-683e-468b-b602-0679f6168950

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270212/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17391/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/889697a2-63ff-44ac-9484-80d9112548e1
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993125
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625619 Sample: VrAx7KJ8Hd Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for dropped file 2->64 66 4 other signatures 2->66 9 VrAx7KJ8Hd.exe 4 4 2->9         started        13 ios.exe 2->13         started        15 ios.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\Roaming\ios.exe, PE32 9->50 dropped 52 C:\Users\user\...\ios.exe:Zone.Identifier, ASCII 9->52 dropped 54 C:\Users\user\AppData\Local\...\install.vbs, data 9->54 dropped 68 Contains functionality to steal Chrome passwords or cookies 9->68 70 Contains functionality to steal Firefox passwords or cookies 9->70 72 Delayed program exit found 9->72 17 wscript.exe 9->17         started        19 WerFault.exe 9 9->19         started        22 WerFault.exe 9 9->22         started        24 5 other processes 9->24 74 Multi AV Scanner detection for dropped file 13->74 76 Detected unpacking (changes PE section rights) 13->76 78 Detected unpacking (overwrites its own PE header) 13->78 80 3 other signatures 13->80 signatures5 process6 file7 26 cmd.exe 17->26         started        38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->46 dropped 48 2 other malicious files 24->48 dropped process8 process9 28 ios.exe 26->28         started        32 conhost.exe 26->32         started        dnsIp10 56 skygroupt6.zapto.org 62.197.136.97, 2080, 49798 SPRINTLINKUS Netherlands 28->56 58 geoplugin.net 178.237.33.50, 49800, 80 ATOM86-ASATOM86NL Netherlands 28->58 82 Installs a global keyboard hook 28->82 34 WerFault.exe 28->34         started        36 WerFault.exe 28->36         started        signatures11 process12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/821be9512b6cfcb9a82986924e896084be0dcfac185efaa0c4e9fe999272edc3/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 16:26:16 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qin6sujlnt6ltkbjq2je5claqs7a3t5mdbppvige5h7jtets5xbq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
576183a33f5247a852bc65a4dc4cbca5762bfbad1291a82572681f7075dc6123
RemcosRAT
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
ba8d32d0c7844fdd2e5c4311fc6dc7a400d7c1ff97bebd9760d62308c669fb8f
RemcosRAT
e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617
RemcosRAT
fafd7463254353a7e4ea4900b93f412fb84bbbddae730fc145c54331eb2533f8
RemcosRAT
+ 1'204 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:gremotehost persistence rat
Link:
https://tria.ge/reports/220512-x5hapshdc9/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
skygroupt6.zapto.org:2080
Unpacked files
SH256 hash:
1447443f093893bace211c3520c62fe1973b9539dbf27844925bdd65c722c707
MD5 hash:
f26823dcfcf3b7e6bac951f71f933302
SHA1 hash:
88b24745b6179940a28bd1a950c7076385d2dbb2
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f51fa57d-9c7d-4557-8531-1f197e94ecde/
SH256 hash:
821be9512b6cfcb9a82986924e896084be0dcfac185efaa0c4e9fe999272edc3
MD5 hash:
50abda236e90598eceb5413670e4e79b
SHA1 hash:
a2bfcb696e146e0bb3b2ec6c60916eaed389ef6c
Link:
https://www.unpac.me/results/f51fa57d-9c7d-4557-8531-1f197e94ecde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/821be9512b6cfcb9a82986924e896084be0dcfac185efaa0c4e9fe999272edc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 821be9512b6cfcb9a82986924e896084be0dcfac185efaa0c4e9fe999272edc3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2191969/
Cape
Cape
https://www.capesandbox.com/analysis/270212/

Comments


Avatar
zbet commented on 2022-05-12 19:25:07 UTC

url : hxxp://85.202.169.85/600/vbc.exe