MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d
SHA3-384 hash: e4286d954bf06510d0c10a8118b9f5c400a805618915407e28ca756433a5fe4d1713cd900e2e1226f747008091d18b59
SHA1 hash: c0d829beb198e8bee4be996ca82a05ccd275e847
MD5 hash: b6f9ea1de43b41616fe3729b5cf090c5
humanhash: georgia-video-mike-quiet
File name:img Swift Copy.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'294'848 bytes
First seen:2023-02-12 14:27:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:T1bgzPGhgzfY1r3OIc99RORYpnOOH6WRwbeXWJ0+DwMYeP:TZyPyywYIcXRQmnvHXGiy0EwMYeP
Threatray 4'708 similar samples on MalwareBazaar
TLSH T1DD5522652214DE50D06407BEC8B69AF017382E79F960EEDB6EC67DCF7A31B616044AC3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
img Swift Copy.exe
Verdict:
Malicious activity
Analysis date:
2023-02-12 14:29:19 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/0ca12076-f29e-4de2-aa21-f852f4887a30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/364451/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/63e8f775f94334e00853cd54/reports/39e33a83-e29b-4c0d-8f77-795669fcf140/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f783b7a3-6a0a-4414-88b4-0c05f74b3d16
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1172606
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 805396 Sample: img Swift Copy.exe Startdate: 12/02/2023 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 8 other signatures 2->57 7 img Swift Copy.exe 7 2->7         started        11 ITXZdjdXYKowJ.exe 5 2->11         started        process3 dnsIp4 33 C:\Users\user\AppData\...\ITXZdjdXYKowJ.exe, PE32 7->33 dropped 35 C:\...\ITXZdjdXYKowJ.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp2CCB.tmp, XML 7->37 dropped 39 C:\Users\user\...\img Swift Copy.exe.log, ASCII 7->39 dropped 59 Adds a directory exclusion to Windows Defender 7->59 61 Injects a PE file into a foreign processes 7->61 14 img Swift Copy.exe 2 15 7->14         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        43 192.168.2.1 unknown unknown 11->43 63 Machine Learning detection for dropped file 11->63 23 ITXZdjdXYKowJ.exe 14 11->23         started        25 schtasks.exe 1 11->25         started        file5 signatures6 process7 dnsIp8 45 149.202.24.70, 1960, 49692, 49697 OVHFR France 14->45 47 geoplugin.net 178.237.33.50, 49693, 49698, 80 ATOM86-ASATOM86NL Netherlands 14->47 41 C:\ProgramData\remcos\logs.dat, data 14->41 dropped 49 Installs a global keyboard hook 14->49 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 25->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d/
Threat name:
ByteCode-MSIL.Trojan.DarkCloudStealer
Create hunting rule
Status:
Malicious
First seen:
2023-02-12 14:28:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfzoaopb5fasaz52cipzh3efysedtexo7zyuhc3lalqgguksomwq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0bcb9bf4516773558cd8464a3b7795d3752f8eb27840e848db87a55df9393d25
RemcosRAT
0ead3606ff3625f1daa4c3e9a592f18f0f136d0373be4db5f1500c861cc791df
RemcosRAT
0f135167ad20ceeb27e618a78f01481b172308a359869077aaedf81e2a8fd7b3
RemcosRAT
200100b843cccd6b1fc8f2455de2d6069aa6272b3b2d94e805ee72d08bbfd665
RemcosRAT
294729ec196ae05dac756fc559dd4acbbb9368486901157424a0d71354018b60
RemcosRAT
348b029e61cf6f2e09cbf867cabe0f4bb9377b913acffeb8d9b264784a3828e1
RemcosRAT
414bce03673c25a9c6839078df0dec4b4d45ad18987203700823034772ed7ed3
RemcosRAT
635aff002f09930542b741c8e5ae7e6ed57b4cacf793dabb96a2df3397a8a945
RemcosRAT
65fc6dce29c76aa98c946748b40ef8dae7278002fb6edea0c82c4fc94e03b41a
RemcosRAT
a3fa0b613f3ca741143ba2929305aa8269f6e3fd7954186e71d554a440ae2041
RemcosRAT
+ 4'698 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost server 2 rat
Link:
https://tria.ge/reports/230212-rs1cvsee84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
149.202.24.70:1960
Unpacked files
SH256 hash:
880f79bdfdd188e27b42a79455ec8e906a4bd807e3075033b473bcfb2a457ad8
MD5 hash:
43d38d73dafd1f88d2d9264438c3f3eb
SHA1 hash:
dd3c6eebc8be611ab418301cbfb5baf7008fb616
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/17b0a1df-cb82-4345-9798-bfde17076ea8/
Parent samples :
aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772
9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d
SH256 hash:
fa4eb7b46de0973d1e00725d191f323ab00c0a57a1cce4e116b1612cc23ba3de
MD5 hash:
8abb564143f73ae34a2bb2c543b3744e
SHA1 hash:
b1e004ce9ee7e503376870b021aaf9d206697a83
Link:
https://www.unpac.me/results/17b0a1df-cb82-4345-9798-bfde17076ea8/
SH256 hash:
46cb32256dba295b72212185d3bf29e54de9f78fe32a8e43c82288285c3bf721
MD5 hash:
453d8d23d417dacecac4ad0235d2b420
SHA1 hash:
6aaffef79f32f151aef9d5c548ac9055ea6c2f35
Link:
https://www.unpac.me/results/17b0a1df-cb82-4345-9798-bfde17076ea8/
SH256 hash:
83c01175152a5b84011a01f1dd3aa7452afe11b0a1977f5ab25352d07fdd7dde
MD5 hash:
1ab64d750fca75fe4a73064ad75c4c70
SHA1 hash:
52a0cf2ed6d7cce461fa5fd4b416d7193d40e2c1
Link:
https://www.unpac.me/results/17b0a1df-cb82-4345-9798-bfde17076ea8/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/17b0a1df-cb82-4345-9798-bfde17076ea8/
SH256 hash:
9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d
MD5 hash:
b6f9ea1de43b41616fe3729b5cf090c5
SHA1 hash:
c0d829beb198e8bee4be996ca82a05ccd275e847
Link:
https://www.unpac.me/results/17b0a1df-cb82-4345-9798-bfde17076ea8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9172e039e1e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/364451/

Comments