MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95b3f7188841699215c7044eadc8ac6beaa37b03aa08eef6bd6ae9e2af19481d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95b3f7188841699215c7044eadc8ac6beaa37b03aa08eef6bd6ae9e2af19481d
SHA3-384 hash: 3b785719a1997d47ef4bd520911b20b969021288cfe792682bd6de553430174d224746fcb83a0f8acd2147490694b9dd
SHA1 hash: 7562dfc84014b6f2b22f3f2dc6591c036fb9fe35
MD5 hash: aba382a7f9d71fd38c45d66ec07714c7
humanhash: xray-edward-minnesota-enemy
File name:aba382a7f9d71fd38c45d66ec07714c7.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'169'160 bytes
First seen:2022-08-29 07:52:20 UTC
Last seen:2022-08-29 08:49:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:IYyLWRv988NO1a0WVIZpeBw9aVHDiQ6HECdg24L1X+rE:uLW19b70C2QV+Q6HpO24L1X+
Threatray 201 similar samples on MalwareBazaar
TLSH T1CFA5D02A22402C71E46F4A12A70E63C545DA6786536BB0D934E94A0D4BFB3334E7F5BF
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aba382a7f9d71fd38c45d66ec07714c7.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-29 07:53:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea84542a-57b7-4109-85ac-f3db5de416d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302089/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.39542.12005.8556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/630c706cab0be91dfea1f81a/reports/1ba5c83f-d1aa-40de-8901-fc259749995e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c420e9eb-38db-4092-8b6d-027c26bd58ab
Result
Threat name:
AsyncRAT, PrivateLoader, Remcos, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059694
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected Remcos RAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 692216 Sample: cifI80XiC4.exe Startdate: 29/08/2022 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 17 other signatures 2->85 9 cifI80XiC4.exe 3 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 1 2->15         started        17 7 other processes 2->17 process3 dnsIp4 55 C:\Users\user\AppData\...\cifI80XiC4.exe.log, ASCII 9->55 dropped 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->91 93 Writes to foreign memory regions 9->93 95 Injects a PE file into a foreign processes 9->95 20 InstallUtil.exe 2 65 9->20         started        97 Changes security center settings (notifications, updates, antivirus, firewall) 13->97 25 MpCmdRun.exe 1 13->25         started        99 System process connects to network (likely due to code injection or exploit) 15->99 61 127.0.0.1 unknown unknown 17->61 file5 signatures6 process7 dnsIp8 63 cothdesigns.com 37.139.129.221, 3456, 443, 49721 LVLT-10753US Germany 20->63 65 geoplugin.net 178.237.33.50, 49723, 80 ATOM86-ASATOM86NL Netherlands 20->65 47 C:\Users\user\AppData\Local\...\jjxpiezf.exe, PE32+ 20->47 dropped 49 C:\Users\user\...\time_20220831_094501.dat, data 20->49 dropped 51 C:\Users\user\...\time_20220831_084500.dat, data 20->51 dropped 53 45 other malicious files 20->53 dropped 87 Writes many files with high entropy 20->87 89 Installs a global keyboard hook 20->89 27 jjxpiezf.exe 7 20->27         started        31 conhost.exe 25->31         started        file9 signatures10 process11 file12 57 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 27->57 dropped 59 C:\Users\user\AppData\Roaming\B31F.tmp, PE32+ 27->59 dropped 101 Antivirus detection for dropped file 27->101 103 Machine Learning detection for dropped file 27->103 105 Writes to foreign memory regions 27->105 107 4 other signatures 27->107 33 cmd.exe 1 27->33         started        36 svchost.exe 27->36         started        signatures13 process14 dnsIp15 71 Uses powercfg.exe to modify the power settings 33->71 73 Modifies power options to not sleep / hibernate 33->73 39 conhost.exe 33->39         started        41 powercfg.exe 1 33->41         started        43 powercfg.exe 1 33->43         started        45 2 other processes 33->45 67 xmr.2miners.com 51.89.96.41, 2222, 49743 OVHFR France 36->67 69 cothdesigns.com 36->69 75 Query firmware table information (likely to detect VMs) 36->75 signatures16 77 Detected Stratum mining protocol 67->77 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95b3f7188841699215c7044eadc8ac6beaa37b03aa08eef6bd6ae9e2af19481d/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-08-28 17:43:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 41 (41.46%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=swz7ogeiifuzefoharhk3sfmnpvkg6ydvieo55v5nlu6flyzjaoq._file
Verdict:
malicious
Similar samples:
03ea60a4f8df4d94d2f60eb4c1210d5148a1839e63d2c6f7b3a5a1e7e84cafc7
RemcosRAT
1c0d0b7350789ac3cd3aaac71175646d9f06f9240689be3b62293e94ffc12658
RemcosRAT
21717cdfec5b3e14e7493537a9ca67045929faa591dc041350bc29070ca65681
RemcosRAT
326920546c2f54782c27ab6c8b53948b8b2cbb1efe709d322c84d4d7a0806911
RemcosRAT
3f4a92916d3f26c17475017df9881acb7a6bb11f3e684e548d166e46f6363bbd
RemcosRAT
59da950a2dd3a562e305d2b810d169fb9abe9a11928ad014cbdc87d657b32ca3
RemcosRAT
82ceaad56c8928f9d0bd09357499847ef059640db0689760b5bbab95f3068287
RemcosRAT
9e9384a14b3cb6360a27e6f5b5d772332054c47ca8258f541d2095a815fd825a
RemcosRAT
b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670
RemcosRAT
ef8351385a327e1883639d1fc36d8e806f4d9f601e4630912763611b16213bb0
RemcosRAT
+ 191 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:220827 rat
Link:
https://tria.ge/reports/220829-jqy31sdhdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
cothdesigns.com:3456
Unpacked files
SH256 hash:
5da94504102b7f25448f520bf9d263e3ab575fb0dfa1a27fbc802494ccc01960
MD5 hash:
0de74c258f8d4c7bea8b24edbdf9b5b5
SHA1 hash:
d6576606dc928ef2e8c6010d9273689670acb565
Link:
https://www.unpac.me/results/ec34f58a-c9ed-4a88-bf52-a2ffb1661782/
SH256 hash:
95b3f7188841699215c7044eadc8ac6beaa37b03aa08eef6bd6ae9e2af19481d
MD5 hash:
aba382a7f9d71fd38c45d66ec07714c7
SHA1 hash:
7562dfc84014b6f2b22f3f2dc6591c036fb9fe35
Link:
https://www.unpac.me/results/ec34f58a-c9ed-4a88-bf52-a2ffb1661782/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95b3f7188841699215c7044eadc8ac6beaa37b03aa08eef6bd6ae9e2af19481d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 95b3f7188841699215c7044eadc8ac6beaa37b03aa08eef6bd6ae9e2af19481d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2276782/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2276802/
Cape
Cape
https://www.capesandbox.com/analysis/302089/

Comments