MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95
SHA3-384 hash: b79dc782ec6c7ae85ae7f75dfcc8b1109c95694c41280ffa0513cd30777637e036d1a7480085943669fdf0fa090a56d8
SHA1 hash: ab477c9b7cee0d06fe383fae792f56bd2af16d11
MD5 hash: a473bb1d81b62d15e4cfdca1ddd76261
humanhash: utah-north-mockingbird-delta
File name:a473bb1d81b62d15e4cfdca1ddd76261
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:943'616 bytes
First seen:2023-06-17 11:02:26 UTC
Last seen:2023-06-17 12:30:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:/5LA9vxw0DWCF5tmunPob8raYezHzTooN:/5LApppJm0Pob8eLHvpN
TLSH T179152354223BCB36D4A20BF44D55AAB003FB52EE3C5AEA636C53B1D56B92B7100E4DC7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
419
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
NEW ORDER PO FMO23-00946.doc
Verdict:
Malicious activity
Analysis date:
2023-06-17 09:59:23 UTC
Tags:
exploit cve-2017-11882 loader remcos
Link:
https://app.any.run/tasks/c89a9bc1-09c2-4179-b454-18cc547a8e1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399783/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67551389.18882.10053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed remcos
Link:
https://www.filescan.io/uploads/648d92e8b6e20443a695b00f/reports/b6995ffb-d95e-4c9f-a4e9-910088af5c02/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c65c354-9708-4528-a209-e0e18e121a1f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256474
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-16 11:24:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjy3mco3nghyqz4v6eq5duiqvtykjfm6v5ozjkj232llnjwpbkkq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:oli rat
Link:
https://tria.ge/reports/230617-m5pdxabe44/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
103.212.81.159:3422
Unpacked files
SH256 hash:
53cc862949e0195c457b431afd94835194faaa64d9dd475da6325d55fbc34a28
MD5 hash:
12d6ca99938351b6f7c8c751ff4f73bd
SHA1 hash:
f450a52f4f647e003956ddb49133bb566743036b
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/37cc06f6-ab30-4f63-9493-fb09415dbd1d/
Parent samples :
9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95
61dd5ffe6eae5f4bfa7299b37a7c0dea469d76b698200126cafc14a45acc1ba2
dc091920175bd059d2925977e1806df9930c40db5292a73158bac390fca03d75
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/37cc06f6-ab30-4f63-9493-fb09415dbd1d/
SH256 hash:
bbd7d3e128bb0e2c23ebe711135d98b332303c022f22c041b9ab869bcc53fae7
MD5 hash:
6c299d35f36e3f4cf9e0e5991ace4526
SHA1 hash:
84b73952ed20bd9040ac6afa84727dd9a90bf1fe
Link:
https://www.unpac.me/results/37cc06f6-ab30-4f63-9493-fb09415dbd1d/
SH256 hash:
6d1d99cbbc37bf1099b56bb7cfd015777557fc513b32afb2d7f454b647d40111
MD5 hash:
9d5f50673e77b20b2a0870be3ab79991
SHA1 hash:
4d4fe2b94b27d009ffae76c918c8d07652e8bb5e
Link:
https://www.unpac.me/results/37cc06f6-ab30-4f63-9493-fb09415dbd1d/
SH256 hash:
b86193f0f5eeadf451f23596dffb4d015245311c67bc15244c2b1c81293d3679
MD5 hash:
be09d1a9fbdc7fe4ad47e49a0ccf2a0e
SHA1 hash:
3eea7d856de59fefd670110c2edda63c319a5a1b
Link:
https://www.unpac.me/results/37cc06f6-ab30-4f63-9493-fb09415dbd1d/
SH256 hash:
9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95
MD5 hash:
a473bb1d81b62d15e4cfdca1ddd76261
SHA1 hash:
ab477c9b7cee0d06fe383fae792f56bd2af16d11
Link:
https://www.unpac.me/results/37cc06f6-ab30-4f63-9493-fb09415dbd1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2664675/
Cape
Cape
https://www.capesandbox.com/analysis/399783/

Comments


Avatar
zbet commented on 2023-06-17 11:02:27 UTC

url : hxxp://194.180.48.59/blessedzx.exe