MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96a78dc8ece8e56802dc93e396df810fa6673a344b81d4c5c3cac82809733865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96a78dc8ece8e56802dc93e396df810fa6673a344b81d4c5c3cac82809733865
SHA3-384 hash: c17e45e60515bda4212421ba655d292af1a7c5e36bebe58e4d98b77f0bbf5fe6ba7881e01bd8e17d963955a77a2c6690
SHA1 hash: bb0fcf95db2f7f1121d8925acafbdd98a9ad8717
MD5 hash: 26349f3a31f9a7bcc9d0db1ceb5ef0ed
humanhash: yellow-jersey-berlin-solar
File name:26349f3a31f9a7bcc9d0db1ceb5ef0ed.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:487'358 bytes
First seen:2021-10-11 18:42:56 UTC
Last seen:2021-10-11 20:17:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBs/pW+1Jkj+2G0l+MetrqC3nrFoF9a33Lz3LJK2K8cCZcGkOzVw1SO0ASOw4://P1JYhVgrqC2c3bUCcGk3ZtbRdTD3
Threatray 726 similar samples on MalwareBazaar
TLSH T136A423023990896BED42F8F844F6C76AE3EF2646E6B5C8078B581F4D7C641CAF36C465
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Removal of the suspension listed destinations.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-11 17:06:50 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/4f91347b-4802-44f4-b94c-9a61e94877db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196719/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.23014.9092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/616485b9fd35fe780c38a686/reports/9aaa0fe1-90e3-4247-9cf9-93b1e3cda0e6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e140b57-bd66-43f2-95f5-0d50b7070b2a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867817
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500244 Sample: 4KGPfYWyyJ.exe Startdate: 11/10/2021 Architecture: WINDOWS Score: 100 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Detected Remcos RAT 2->69 71 6 other signatures 2->71 10 4KGPfYWyyJ.exe 17 2->10         started        14 Dlls.exe 16 2->14         started        16 Dlls.exe 16 2->16         started        process3 file4 47 C:\Users\user\AppData\Local\...\gkrmiaoiv.dll, PE32 10->47 dropped 79 Contains functionality to steal Chrome passwords or cookies 10->79 81 Contains functionality to inject code into remote processes 10->81 83 Contains functionality to steal Firefox passwords or cookies 10->83 85 Delayed program exit found 10->85 18 4KGPfYWyyJ.exe 6 5 10->18         started        49 C:\Users\user\AppData\Local\...\gkrmiaoiv.dll, PE32 14->49 dropped 87 Injects a PE file into a foreign processes 14->87 22 Dlls.exe 14->22         started        51 C:\Users\user\AppData\Local\...\gkrmiaoiv.dll, PE32 16->51 dropped 24 Dlls.exe 16->24         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\...\Dlls.exe, PE32 18->41 dropped 43 C:\Users\user\...\Dlls.exe:Zone.Identifier, ASCII 18->43 dropped 45 C:\Users\user\AppData\Local\...\install.vbs, data 18->45 dropped 73 Creates an undocumented autostart registry key 18->73 26 wscript.exe 1 18->26         started        signatures8 process9 signatures10 77 Deletes itself after installation 26->77 29 cmd.exe 1 26->29         started        process11 process12 31 Dlls.exe 16 29->31         started        35 conhost.exe 29->35         started        file13 53 C:\Users\user\AppData\Local\...\gkrmiaoiv.dll, PE32 31->53 dropped 57 Multi AV Scanner detection for dropped file 31->57 59 Machine Learning detection for dropped file 31->59 61 Contains functionality to steal Chrome passwords or cookies 31->61 63 3 other signatures 31->63 37 Dlls.exe 2 3 31->37         started        signatures14 process15 dnsIp16 55 Venonletmonitprradministratioran.loseyourip.com 8.6.8.23, 24091, 49747 AS-CHOOPAUS United States 37->55 75 Installs a global keyboard hook 37->75 signatures17
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/96a78dc8ece8e56802dc93e396df810fa6673a344b81d4c5c3cac82809733865/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 15:47:49 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2ty3shm5dswqaw4sprznx4bb6tgoorujoa5jrodzlecqclthbsq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0bb25dccd5ee69b35f2c03c04b50ec23573929d193739becb1c623d32db64e4a
RemcosRAT
1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
RemcosRAT
4c60bb36a8789392f4d2c953f08dac0a0056e0c493a0584481ed3fd4a946cad7
RemcosRAT
5e1473cb44990bf7a1d8da8ad410642430bc6c5663859bc4e4c738e22b3cc71e
RemcosRAT
772a319b31a1922eadd022f30aa60680e911f758d4c81c4dbf16614cf7791f0a
RemcosRAT
9a50c056a96999f841ea1ef7bb6674da47579f5cafe02e295c75e980b36219a9
RemcosRAT
a7f4245d63e1dd21c5af3e0ddf682ac517eda484bf6650f3e0d5d856f4cc68fa
RemcosRAT
b3e18d1026779e01b6bc834a8da488eeb669e5e366ef8d495c109c0f1424d3c1
RemcosRAT
b9c5a6059ee5150b5837e446196c4349571d80336b438056f687d7044cd246b9
RemcosRAT
f4177fb3986e1f8c74df732b13752ece8d3dbb2e2ea6969b0cf328fc71ebd400
RemcosRAT
+ 716 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:netgeneration persistence rat
Link:
https://tria.ge/reports/211011-xcw86ahhbj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Adds Run key to start application
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
Venonletmonitprradministratioran.loseyourip.com:24091
Unpacked files
SH256 hash:
96a78dc8ece8e56802dc93e396df810fa6673a344b81d4c5c3cac82809733865
MD5 hash:
26349f3a31f9a7bcc9d0db1ceb5ef0ed
SHA1 hash:
bb0fcf95db2f7f1121d8925acafbdd98a9ad8717
Link:
https://www.unpac.me/results/cf80e4b8-eff2-4cac-ad12-430f26652c08/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/96a78dc8ece8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/96a78dc8ece8e56802dc93e396df810fa6673a344b81d4c5c3cac82809733865

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 96a78dc8ece8e56802dc93e396df810fa6673a344b81d4c5c3cac82809733865

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1667231/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196719/

Comments