MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50
SHA3-384 hash: 30071f2319867ca1b527e54ef7b85ca02d31842a27b55008e39cbed5e58bd917d776653506880464441be08395250571
SHA1 hash: f7f67df408917cb07d859e5824b23ce9294df553
MD5 hash: 99e02b3af1103480aab300080db7ceda
humanhash: asparagus-shade-arizona-network
File name:8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'208'836 bytes
First seen:2021-09-06 06:38:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:hAHnh+eWsN3skA4RV1Hom2KXMmHaBoolrCqFPo1sJNQ55:4h+ZkldoPK8YaBXl2qFgKzi
Threatray 2'106 similar samples on MalwareBazaar
TLSH T14045BE0273D1C036FFAB92739B6AF24556BD79250133852F13982DB9BD701B2267E263
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter JAMESWT_WT
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50
Verdict:
Malicious activity
Analysis date:
2021-09-06 06:42:06 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/5e8e22bf-3214-4d14-9332-80bc66293cdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185537/
Detection(s):
Win.Malware.Autoit-7060866-0
Create hunting rule

Win.Malware.Autoit-7061326-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bb62f2b-2c77-4919-8c3c-bfec48f7b984
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845893
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478325 Sample: 8IWJ5BH4PD Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 48 lachy212.ddnsfree.com 2->48 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 7 other signatures 2->70 8 8IWJ5BH4PD.exe 1 3 2->8         started        12 wscript.exe 1 2->12         started        14 wscript.exe 1 2->14         started        signatures3 process4 file5 40 C:\Users\user\APHostClient\DXCap.bat, PE32 8->40 dropped 42 C:\Users\PublicbehaviorgraphqkIVRbWpJ.vbs, ASCII 8->42 dropped 72 Binary is likely a compiled AutoIt script file 8->72 74 Creates autostart registry keys with suspicious values (likely registry only malware) 8->74 76 Contains functionality to inject code into remote processes 8->76 78 3 other signatures 8->78 16 RegSvcs.exe 2 3 8->16         started        20 DXCap.bat 12->20         started        22 DXCap.bat 14->22         started        signatures6 process7 dnsIp8 44 192.168.2.1 unknown unknown 16->44 46 lachy212.ddnsfree.com 16->46 50 Contains functionality to steal Chrome passwords or cookies 16->50 52 Contains functionality to capture and log keystrokes 16->52 54 Contains functionality to steal Firefox passwords or cookies 16->54 56 Antivirus detection for dropped file 20->56 58 Multi AV Scanner detection for dropped file 20->58 60 Writes to foreign memory regions 20->60 62 2 other signatures 20->62 24 RegSvcs.exe 20->24         started        26 RegSvcs.exe 20->26         started        28 RegSvcs.exe 20->28         started        36 7 other processes 20->36 30 RegSvcs.exe 22->30         started        32 RegSvcs.exe 22->32         started        34 RegSvcs.exe 22->34         started        38 6 other processes 22->38 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 01:28:18 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
36 of 43 (83.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrt6s5kci27mmwxtqcv7rwxts7lkwsqk4lsxcq3cf7pw5dodpnia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0846f11a89ffa91fb4e519d10e65a260032870e77d0a37d9bd3c9c4404337c83
RemcosRAT
1dc9c08803cc564e3d16d52d6df79534fe167c40674e87093bae452799e9e665
RemcosRAT
388a7968ce64a2834be388b83ead8011a8f3ab4c40bfd5588beedb89d9409b4d
RemcosRAT
4a7b9d57d98b3a41796c905dae1bb7e3ffc077e0607c39181693e91b220904b4
RemcosRAT
61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23
RemcosRAT
63740d7b3addf0f30f355423d35734d95a58bcd459272c26529f148f245c4c24
RemcosRAT
7b33267a200d3c6e07be475321fe92421b28ca6c3ebcd31c744bf71ca24d45b4
RemcosRAT
8fb5cb9ec69e224e86773558512719157f3428b879f1c6fe5f07595b06d1bca5
RemcosRAT
a3476a145b528bff0519f4816509a99ee7c5bcf26ae6d5c14e97dbdc8dca2e8e
RemcosRAT
+ 2'096 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:fucknoip persistence rat
Link:
https://tria.ge/reports/210906-hemp6sdfgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
lachy212.ddnsfree.com:1985
Unpacked files
SH256 hash:
d6f8e3923d5b243fce99a1f73057f68fb406ffae0c119af2372f280ff4e2afe7
MD5 hash:
5516872e29586b9bcf8e634bcef80828
SHA1 hash:
eddc781a0719edc0ab82092b63588663de27d05c
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/454abc8a-baa5-4428-99f4-27c83d6bb597/
SH256 hash:
8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50
MD5 hash:
99e02b3af1103480aab300080db7ceda
SHA1 hash:
f7f67df408917cb07d859e5824b23ce9294df553
Link:
https://www.unpac.me/results/454abc8a-baa5-4428-99f4-27c83d6bb597/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8c67e9754246/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185537/

Comments