MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9
SHA3-384 hash: b54638f6da7d217b5fdabedc9c00bb5b5df43d81031f646fec6508cbbb6ed8c5a2a6f2eefa6c48a19307f5e8d48756e4
SHA1 hash: 26cda697f985f7a8417fa2410e2b21b9edc37190
MD5 hash: 452698a7d37c840f7b651d816e29b12b
humanhash: sweet-undress-nuts-winner
File name:March order list xls.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'320'448 bytes
First seen:2022-03-09 02:45:31 UTC
Last seen:2022-03-09 04:34:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:6D5kVSsc1XpuGZAU3E2kNjyUxRNfdih6hIVJ+kF:6D5k0sc1EC3iokRfHIHrF
Threatray 2'436 similar samples on MalwareBazaar
TLSH T12F559EE229EA481DE336BB732F98F88E545AEE23351E219B1D713B764533D808D61731
File icon (PE):PE icon
dhash icon 000f270b0b278c00 (2 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.31.98.58:2404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.31.98.58:2404 https://threatfox.abuse.ch/ioc/392934/

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248528/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.21963.8212.15730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/622814edb94fb38cb443449c/reports/b452693c-0a49-4689-8172-f30640efc746/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa46d405-32ce-4387-934d-e754e783cbc5
Result
Threat name:
Remcos gzRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953074
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Schtasks From Env Var Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected gzRat
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585555 Sample: March order list xls.exe Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 74 mdec.nelreports.net 2->74 76 part-0032.t-0009.t-msedge.net 2->76 78 5 other IPs or domains 2->78 100 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->100 102 Found malware configuration 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 22 other signatures 2->106 10 March order list xls.exe 7 2->10         started        signatures3 process4 dnsIp5 88 192.168.2.1 unknown unknown 10->88 68 C:\Users\user\AppData\Roaming\BrgFOchlL.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\Local\...\tmp2E32.tmp, XML 10->70 dropped 72 C:\Users\...\March order list xls.exe.log, ASCII 10->72 dropped 110 Adds a directory exclusion to Windows Defender 10->110 112 Injects a PE file into a foreign processes 10->112 15 March order list xls.exe 3 3 10->15         started        19 powershell.exe 25 10->19         started        21 schtasks.exe 1 10->21         started        file6 signatures7 process8 dnsIp9 90 primetoolz.duckdns.org 194.31.98.58, 2401, 2404, 49762 BURSABILTR Netherlands 15->90 92 Writes to foreign memory regions 15->92 94 Allocates memory in foreign processes 15->94 96 Installs a global keyboard hook 15->96 98 Injects a PE file into a foreign processes 15->98 23 cmd.exe 1 15->23         started        25 svchost.exe 12 15->25         started        27 svchost.exe 15->27         started        33 6 other processes 15->33 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        signatures10 process11 process12 35 reg.exe 1 23->35         started        38 conhost.exe 23->38         started        40 chrome.exe 25->40         started        43 chrome.exe 25->43         started        45 chrome.exe 27->45         started        47 chrome.exe 27->47         started        49 chrome.exe 33->49         started        51 chrome.exe 33->51         started        53 chrome.exe 33->53         started        dnsIp13 108 Disables UAC (registry) 35->108 86 239.255.255.250 unknown Reserved 40->86 55 chrome.exe 40->55         started        58 chrome.exe 43->58         started        60 chrome.exe 45->60         started        62 chrome.exe 47->62         started        64 chrome.exe 49->64         started        66 chrome.exe 51->66         started        signatures14 process15 dnsIp16 80 mdec.nelreports.net 55->80 82 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49780, 49781 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 55->82 84 9 other IPs or domains 55->84
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 02:46:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcsszolly6xg2z4i4hb7jpfhys6tpebxzoqiy2ug6kdjj53h3hmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
09b75cdc3edcad3cc8b1729683a1132506e851c9d7a1d864fc842284822d1ba5
RemcosRAT
1201a0c89e08bb6bad16c0a265ed660dd8473a16bf74980f372ed0a49190c39f
RemcosRAT
361ea662d75ba904bd3f0fbba782ef03eeab294f6dd736b79090fcfc2dd25166
RemcosRAT
b2b62a37a18c2eeaffe26fb8f15af6964efa41f0bcdda7550a03c58a02653b3e
RemcosRAT
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
RemcosRAT
cc93c7587dba9e4af2265a77a349230cb8ab0a0d8c524f4cfad4886fad7a34ab
RemcosRAT
d1000588f8a0fb8debc8ca3133fcbc32806b9dc5d7844157f171790cf5d86946
RemcosRAT
ec8915aa703260e0b1f1aa7d221c89cf5da6a330b0944d8f32e4159020617edb
RemcosRAT
+ 2'426 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:built evasion rat suricata trojan
Link:
https://tria.ge/reports/220309-c9bcqsfcgj/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
.NET Reactor proctector
Remcos
UAC bypass
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
Malware Config
C2 Extraction:
primetoolz.duckdns.org:2404
primetoolz.duckdns.org:2401
primetoolz.duckdns.org:2402
primetoolz.duckdns.org:2403
Unpacked files
SH256 hash:
eea9da5eca7a4f24443cc1f7592238c1f81ed7b1de2d62c6ff1f361f6ccf8185
MD5 hash:
a07fa664ccf68517f1d6ea4f808bd391
SHA1 hash:
efe222704aebdb3b96480be08262a10661e102ed
Link:
https://www.unpac.me/results/91cc0f50-b8bd-4f28-9e04-30d7d9f620cf/
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/91cc0f50-b8bd-4f28-9e04-30d7d9f620cf/
SH256 hash:
b5c4d796293ac6245d5b187d105595c563f99a4523684144ddb6538620273cb6
MD5 hash:
0be21dafa1e0e5f59ccd166b10d1afa0
SHA1 hash:
24e7be7740c2fbacfc8e53f21d4f219b92da3096
Link:
https://www.unpac.me/results/91cc0f50-b8bd-4f28-9e04-30d7d9f620cf/
SH256 hash:
3514911baf12c10137b9676db240a3bb2fd024b06a71bfbc86f00916da6d8c7e
MD5 hash:
9e093e08dddeb4013228e13d4069f4a6
SHA1 hash:
11f068443317f15eac8a69b25f7d72b8b985b1f5
Link:
https://www.unpac.me/results/91cc0f50-b8bd-4f28-9e04-30d7d9f620cf/
SH256 hash:
88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9
MD5 hash:
452698a7d37c840f7b651d816e29b12b
SHA1 hash:
26cda697f985f7a8417fa2410e2b21b9edc37190
Link:
https://www.unpac.me/results/91cc0f50-b8bd-4f28-9e04-30d7d9f620cf/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/88a52cb96bc7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248528/

Comments