MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7
SHA3-384 hash: bf263adab1b8224e8c7c515ff644e048bd33410f7bd5e01b26fcadf8482e57cded23aede6a232ee88c48d78fbe1aec48
SHA1 hash: 29e654316c4397945d729ab6c0d8be543af6b70c
MD5 hash: 6c7ed035722165abe2e58da3fc6a024f
humanhash: muppet-eight-spaghetti-idaho
File name:6c7ed035722165abe2e58da3fc6a024f
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:524'800 bytes
First seen:2021-07-08 07:05:17 UTC
Last seen:2021-07-08 07:42:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:BwrPg7WqSymjtgI6NRJpdcEjR9D2kS9Yep3jLKj:BtXmZYNRJYEjR96d9DpzLK
Threatray 303 similar samples on MalwareBazaar
TLSH T104B423327359D3B2E5D203F409ABEAC4439139835E66D5CE949F631F587232B02ABF25
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6c7ed035722165abe2e58da3fc6a024f
Verdict:
Suspicious activity
Analysis date:
2021-07-08 07:08:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dec7adc5-f934-4982-9736-00cec62fe78d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170363/
Detection(s):
SecuriteInfo.com.Artemis6C7ED0357221.1342.17870.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c36afc96-75bd-493d-9732-9ac586db73e1
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813302
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445713 Sample: ZT6Ww7MCD2 Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 43 freightmgmt.duckdns.org 2->43 45 clientconfig.passport.net 2->45 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 7 other signatures 2->63 9 ZT6Ww7MCD2.exe 4 9 2->9         started        13 notapad.exe 5 2->13         started        15 notapad.exe 2->15         started        signatures3 process4 file5 29 C:\Users\user\AppData\Roaming\notapad.exe, PE32 9->29 dropped 31 C:\Users\user\AppData\...\ZT6Ww7MCD2.exe, PE32 9->31 dropped 33 C:\Users\user\...\notapad.exe:Zone.Identifier, ASCII 9->33 dropped 39 3 other malicious files 9->39 dropped 65 Writes to foreign memory regions 9->65 67 Injects a PE file into a foreign processes 9->67 17 ZT6Ww7MCD2.exe 2 3 9->17         started        21 wscript.exe 1 9->21         started        35 C:\Users\user\AppData\Local\...\notapad.exe, PE32 13->35 dropped 37 C:\Users\user\...\notapad.exe:Zone.Identifier, ASCII 13->37 dropped 69 Multi AV Scanner detection for dropped file 13->69 71 Machine Learning detection for dropped file 13->71 23 notapad.exe 13->23         started        signatures6 process7 dnsIp8 41 freightmgmt.duckdns.org 194.5.98.207, 49797, 49818, 49821 DANILENKODE Netherlands 17->41 47 Multi AV Scanner detection for dropped file 17->47 49 Machine Learning detection for dropped file 17->49 51 Contains functionality to steal Chrome passwords or cookies 17->51 55 4 other signatures 17->55 53 Wscript starts Powershell (via cmd or directly) 21->53 25 powershell.exe 26 21->25         started        signatures9 process10 process11 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 07:06:03 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rsn2tbbohyl2qiailwit2ngsaqkkw6wo5aigcqwoas23fpzfqg3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
051bfc878cbfc9748f59edcb04b8d8cfdc75b566e403236385c51374b7afd393
RemcosRAT
22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4
RemcosRAT
3c0df5607ab1e7bf906ce2be36ee0bb970c26baf19710f0c195ca9356a2d918f
RemcosRAT
4687822138634f2bc1f49fb34cb97e37a37c397c0f76d2acd88b70672e321405
RemcosRAT
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
RemcosRAT
67ad9e8efba0a4c87098f6dfa675de65232d3458c98157642d7301b795771ece
RemcosRAT
6eed5350c18b26f6aadaf28e5ceb48ca742db7fbee28fbe9aa7f3c552651e048
RemcosRAT
a0fd8f81cda85af9221734e97a18c29c25a53020517d507ada3e3a1681036e54
RemcosRAT
a5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
+ 293 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ach persistence rat
Link:
https://tria.ge/reports/210708-7n5em2hq2j/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
freightmgmt.duckdns.org:691
Unpacked files
SH256 hash:
093cbf1890ccfb94b75b0991bd60fc30f276941790ece21a370f41ac757c2c79
MD5 hash:
f6a51bf7f8250493236a267c66003ba1
SHA1 hash:
604f4a09135b74a5213f72ee8e2c08bbd0a8bf46
Link:
https://www.unpac.me/results/1c073973-fb82-430f-8880-def9c4c88523/
SH256 hash:
db60b4bf7139ec9f5a64e96335bd3f1444b5f4935641b7d21092a4326d7e877b
MD5 hash:
cc6af373be7f3bb77ec19afede3467f8
SHA1 hash:
23e5dc6709e89ef322027f931645b98ecf507ea0
Link:
https://www.unpac.me/results/1c073973-fb82-430f-8880-def9c4c88523/
SH256 hash:
c07f2ba2c8a6a69283dcbde7d009fe78663a88e9f12000f9571af86c98475f5e
MD5 hash:
6e27333d44a472783cdb488cd8dfb721
SHA1 hash:
226fa3d19c6316f47b1379d06bbb190c7fff4151
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/1c073973-fb82-430f-8880-def9c4c88523/
Parent samples :
2dd7a0f3a8c01338b500b88c023560f468c8d3c61e13fb5a6e55eab69087e7bc
129b7cf64e3afecabb3a0c27fedc69cbade9c81ce3c0a5da367717bdef49f7c9
5c85d31e96aa84a80c123af889f960bbf39a7c13a2ed9e2d9644ad2e3fa366de
8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7
4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1
7f03d6f5a38d18082c3dd60b773921aecd203a839446a4aca4908309a004b4a4
ac0afc6e6de1b0682478fe38c23f21578acc6e6f1f43f8bf56d2bd400b69237a
SH256 hash:
8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7
MD5 hash:
6c7ed035722165abe2e58da3fc6a024f
SHA1 hash:
29e654316c4397945d729ab6c0d8be543af6b70c
Link:
https://www.unpac.me/results/1c073973-fb82-430f-8880-def9c4c88523/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 8c9ba9842e3e17a820085d913d34d20414ab7acee8106142ce04b5b2bf2581b7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1435414/
Cape
Cape
https://www.capesandbox.com/analysis/170363/

Comments


Avatar
zbet commented on 2021-07-08 07:05:18 UTC

url : hxxp://greenpayindia.com/ConsoleApp15.exe