MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f489b9b28f01f795eef5bd0e43a1e2e900dbd9e459c3b20e53aacb8c3691506. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	8f489b9b28f01f795eef5bd0e43a1e2e900dbd9e459c3b20e53aacb8c3691506
SHA3-384 hash:	c3b6c5c002507d9388f791e6ff297a895d4123f48195acc257b4da978e5b97c7a4e342141b2b72b0c63dd8219d4bfb3f
SHA1 hash:	1f2bd99b6cb20173c49470abc6f15c8bb0b2f626
MD5 hash:	2cc308cf9f9ab4a826e87a17b3c6c930
humanhash:	lima-steak-london-king
File name:	SecuriteInfo.com.W32.AIDetectNet.01.17291.7025
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	17'408 bytes
First seen:	2022-07-16 18:38:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	384:vOFr4PSSXzwQgtMNbzA90NLmSIISSSSSISSSpvKACPO4:2r46SeMBmVCG4
Threatray	1'886 similar samples on MalwareBazaar
TLSH	T10F72C8CB93F20E27FAA1C37D882A56874F35D9ADB8A5B65B35C155CD3812B808BCC714
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0096cc714d86aa00 (18 x RemcosRAT, 14 x Formbook, 7 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/291248/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.17291.7025.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Gathering data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5caaef99-73d2-4cf0-b644-c9ae0e0b85f0

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1033978

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f489b9b28f01f795eef5bd0e43a1e2e900dbd9e459c3b20e53aacb8c3691506/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2022-07-16 18:39:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r5ejxgzi6apxsxxplpioioq6f2ia3pm6iwodwihfhkwlrq3jcuda._file

Verdict:

malicious

RemcosRAT

5065463a0daee4097021b36718a9a74eda255d717e2135c9715ac0781d60b7c2

RemcosRAT

5761fb497a1d9409420b7df9729dd6be44daa1f0823ea5dc613ffe8c69812980

RemcosRAT

61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495

RemcosRAT

95007799c202176dc96cc1c41c43f8d7ff89d4f4bdfad6fc82cf4d7b4f1ff8d3

RemcosRAT

9c069b3043b757ab5e67889b9f2820758ddb92823bf91678182d6386a16fd5ea

RemcosRAT

af6b1e2eb748f48a5e7b6a68301b0616a8a4e79845e17df2c9712caec453359a

RemcosRAT

b7e2d2bd3c82baadf1eb87f332377a23ce5c8b87ece4a7d58699157c5a470f59

RemcosRAT

cd99bf443858cc86ff01771eac6c76af45446b0082bfb9545006857ab04e3af5

RemcosRAT

ef5cc12819146a67c29bb28776868909815dcb9d41bac73afd68df8a8653028a

RemcosRAT

+ 1'876 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/220716-xam8gadeb9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

172.111.234.100:5888

Unpacked files

SH256 hash:

8f489b9b28f01f795eef5bd0e43a1e2e900dbd9e459c3b20e53aacb8c3691506

MD5 hash:

2cc308cf9f9ab4a826e87a17b3c6c930

SHA1 hash:

1f2bd99b6cb20173c49470abc6f15c8bb0b2f626

Link:

https://www.unpac.me/results/1eda5ba4-5845-4f62-810f-4d25a82912c6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/8f489b9b28f01f795eef5bd0e43a1e2e900dbd9e459c3b20e53aacb8c3691506

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/291248/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample