MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9686ee888ddba0ac64a6fa9bb95d4802d0c4c904b1dad3e47e5881f23c9a1e90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 15
| SHA256 hash: | 9686ee888ddba0ac64a6fa9bb95d4802d0c4c904b1dad3e47e5881f23c9a1e90 |
|---|---|
| SHA3-384 hash: | cbb64397b61848d22074d519f194b24ede09d0eaff454bb185f13451490fa5a2649cdfc2a44ff02fe8edb8399ecd1edd |
| SHA1 hash: | 0ac11f7e089a904361367c1357adcafe1aa9c6ae |
| MD5 hash: | d814988cd770ba0249e0f78c9e8fcef1 |
| humanhash: | connecticut-august-maryland-louisiana |
| File name: | SecuriteInfo.com.Trojan.PackedNET.1480.4842.24557 |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 1'127'424 bytes |
| First seen: | 2022-08-09 13:34:14 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 24576:eLAzW2cJA9wyZgVRBGZ9RyM91tO/WjR63QWa3XfV6Je9IbUDHDlByKZ:hzW2cJA9wyZgVR89Uy7J60XfVc7UjyK |
| Threatray | 1'995 similar samples on MalwareBazaar |
| TLSH | T1DB35BD47AF107655C46717F4EE0FF9B12BF3189D7071C2782E91596BAAFA302A04682F |
| TrID | 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter |  SecuriteInfoCom |
| Tags: | exe RemcosRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.1480.4842.24557
Verdict:
Malicious activity
Analysis date:
2022-08-09 13:36:34 UTC
Tags:
trojan rat remcos
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Verdict:
Malicious
Result
Threat name:
Remcos
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Detection:
remcos
Threat name:
Win32.Backdoor.Remcos
Status:
Malicious
First seen:
2022-08-09 13:35:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
22 of 26 (84.62%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 1'985 additional samples on MalwareBazaar
Result
Malware family:
remcos
Score:
10/10
Tags:
family:remcos botnet:1ehefeb rat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
microsoft-update-tool.duckdns.org:49155
Unpacked files
SH256 hash:
ef89d7805f60cf502ec73ada72e2928a7f366056743353b3016cf40373205f54
MD5 hash:
cb182498b4d15bc8056430f6c1f7be43
SHA1 hash:
805d8c4a13a691ea067aedd645a7263a14d49a09
SH256 hash:
6f7d575e37ce699f66afcba0dbf44a9a0dd02f59b0002b9e31a6581ce6dd2cbb
MD5 hash:
92ba80692bca6e23842eec60f86d6a53
SHA1 hash:
3b2aad569a3943c5cd5bb415892262195d5f5d72
SH256 hash:
f5db2871820cac7aa9d9f1475638c3ca8cd44e0730a0678e914c0c3d91450316
MD5 hash:
9404889d6922225a43842090bc9bd0e6
SHA1 hash:
2712d898842a5e19dc879ca437cb886494ec3e4a
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
SH256 hash:
87727079a547aa580250744ea649b0b0a1d7e2b68b69b67b31e43f9447d677c5
MD5 hash:
d97c48892d2c7ae6e6a2507b55313d74
SHA1 hash:
157133025d10c02f7129508220286113e4c84047
Detections:
win_remcos_auto
SH256 hash:
9686ee888ddba0ac64a6fa9bb95d4802d0c4c904b1dad3e47e5881f23c9a1e90
MD5 hash:
d814988cd770ba0249e0f78c9e8fcef1
SHA1 hash:
0ac11f7e089a904361367c1357adcafe1aa9c6ae
Malware family:
Remcos
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.