MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de
SHA3-384 hash: cc84e1c470a792e02d56174d5d6cec8208fc6c18692084a53790e3797e67c550ade49e7b9ea54b46be672d31cdbde9b2
SHA1 hash: d5f559097a703f155bad6b8610a48ea2dbd68b27
MD5 hash: 3b4a0b66d0415af1e216224497c59b4b
humanhash: low-oranges-mississippi-berlin
File name:IMG-ZIRAATI03102022.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:6'656 bytes
First seen:2022-10-03 13:32:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 96:xMrTz+Z0v+epSnRb0u8+NvsfV12aArBpybvTFnU:xMlv+rRbj8+NEfVYaGC+
Threatray 2'197 similar samples on MalwareBazaar
TLSH T14CD1D816E3D88673DDAA0B3698F3238103BCBB53A893D7AF4ED0110B5D56B444B61BB5
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe geo RemcosRAT TUR ZiraatBank

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316130/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633ae49990cb824e9da007ba/reports/c1fa5ef3-29e8-497b-8704-0557d5d7aaf3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7545c4a2-b562-48e2-8260-62fe691c0642
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082521
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715079 Sample: IMG-ZIRAATI03102022.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 12 other signatures 2->59 7 IMG-ZIRAATI03102022.exe 16 6 2->7         started        12 FILE.exe 14 4 2->12         started        process3 dnsIp4 47 api.telegram.org 149.154.167.220, 443, 49701 TELEGRAMRU United Kingdom 7->47 49 www.uplooder.net 144.76.120.25, 443, 49698, 49702 HETZNER-ASDE Germany 7->49 31 C:\Users\user\AppData\Roaming\FILE.exe, PE32 7->31 dropped 33 C:\Users\user\...\FILE.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\...\IMG-ZIRAATI03102022.exe.log, ASCII 7->35 dropped 61 Encrypted powershell cmdline option found 7->61 63 Injects a PE file into a foreign processes 7->63 14 IMG-ZIRAATI03102022.exe 4 5 7->14         started        18 powershell.exe 16 7->18         started        51 192.168.2.1 unknown unknown 12->51 65 Multi AV Scanner detection for dropped file 12->65 67 Machine Learning detection for dropped file 12->67 20 FILE.exe 2 17 12->20         started        23 powershell.exe 12 12->23         started        file5 signatures6 process7 dnsIp8 37 C:\ProgramData\work\FILE.EXE, PE32 14->37 dropped 39 C:\Users\user\AppData\Local\...\install.vbs, data 14->39 dropped 41 C:\ProgramData\...\FILE.EXE:Zone.Identifier, ASCII 14->41 dropped 69 Creates an undocumented autostart registry key 14->69 25 wscript.exe 14->25         started        27 conhost.exe 18->27         started        43 remcapi.duckdns.org 79.134.225.75, 2028, 49703 FINK-TELECOM-SERVICESCH Switzerland 20->43 45 geoplugin.net 178.237.33.50, 49704, 80 ATOM86-ASATOM86NL Netherlands 20->45 71 Installs a global keyboard hook 20->71 29 conhost.exe 23->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 11:56:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxeau2w5secqvfs4ju4ohwyxg3d47sgcq3uhzhi4hlvun3r2sxpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
39c927965e14fb38c14b82c66c398f9cac1343d450db26e43c763b08a764b04b
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
b45dbf75dd0de5a62cb362bcc26b59cdd6a7adae8a74c71c30e7db9c36b20265
RemcosRAT
e7a7431b7c5f7d73f80f8474e5d62a3620a639c762ea78b0266ff867c048a153
RemcosRAT
edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601
RemcosRAT
+ 2'187 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:new persistence rat
Link:
https://tria.ge/reports/221003-qtpgbahdfr/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
remcapi.duckdns.org:2028
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/73401204-b51d-4d89-982c-10c7ec2f7b43
Unpacked files
SH256 hash:
95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de
MD5 hash:
3b4a0b66d0415af1e216224497c59b4b
SHA1 hash:
d5f559097a703f155bad6b8610a48ea2dbd68b27
Link:
https://www.unpac.me/results/32cb7936-a589-4be1-a34a-c9b771a0d244/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95c80a6add91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/95c80a6add91050a965c4d38e3db1736c7cfc8c286e87c9d1c3aeb46ee3a95de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316130/

Comments