MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 981cf7b6cc1fc96b0ff9581f42bdbbe2ca39ce1a945377d9a35d490b712d3c1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 981cf7b6cc1fc96b0ff9581f42bdbbe2ca39ce1a945377d9a35d490b712d3c1a
SHA3-384 hash: 29cbc73cbc02af2df4321d285447651486d30954a4c18b2da6c3479df0e55f090e2a03831825bd9d92be4cee6574404b
SHA1 hash: 62aa4fc9896e357949277c406c7f8de500012f95
MD5 hash: 671c5fa2f01e03e1e5c3a47e48a904b0
humanhash: purple-blossom-foxtrot-single
File name:671c5fa2f01e03e1e5c3a47e48a904b0.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'435'072 bytes
First seen:2022-11-17 15:19:51 UTC
Last seen:2022-11-17 16:53:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:qLSbHdTItH5vTLz9IEK+vxaV4wECPevUU/yY24Zx8xA3R4iBfJXA:PbHlItZv9/vg4FCPevUD5xAXBfK
Threatray 2'225 similar samples on MalwareBazaar
TLSH T1FCB5D00E7BED85B6D3A859FD3018228C59D8AAE5A2EFC7C2C7D23734815B7640376C64
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SHIPMENT DOCS ETA 8-12-22.xls
Verdict:
Malicious activity
Analysis date:
2022-11-17 14:51:40 UTC
Tags:
macros trojan opendir exploit cve-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/599faed6-ec22-404b-b206-d8b69ce5c37c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/335408/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5599.18979.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6376512b4dc24c6f80b84f00/reports/f9d2f159-92a6-4de9-8781-09aa4d0f1d61/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fac0089-291b-4f41-98ad-333bf9fcfdeb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115920
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses ping.exe to check the status of other devices and networks
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748628 Sample: PGFVVEeQoO.exe Startdate: 17/11/2022 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected Remcos RAT 2->75 77 5 other signatures 2->77 7 PGFVVEeQoO.exe 1 7 2->7         started        11 Piaqp.exe 4 2->11         started        13 Piaqp.exe 3 2->13         started        process3 file4 55 C:\Users\user\AppData\Roaming\...\Piaqp.exe, PE32 7->55 dropped 57 C:\Users\user\...\Piaqp.exe:Zone.Identifier, ASCII 7->57 dropped 59 C:\Users\user\AppData\...\PGFVVEeQoO.exe.log, ASCII 7->59 dropped 79 Encrypted powershell cmdline option found 7->79 81 Injects a PE file into a foreign processes 7->81 15 PGFVVEeQoO.exe 2 17 7->15         started        20 cmd.exe 1 7->20         started        22 powershell.exe 16 7->22         started        83 Multi AV Scanner detection for dropped file 11->83 85 Machine Learning detection for dropped file 11->85 24 cmd.exe 1 11->24         started        26 powershell.exe 11->26         started        28 Piaqp.exe 11->28         started        30 cmd.exe 13->30         started        32 powershell.exe 13->32         started        signatures5 process6 dnsIp7 63 107.174.202.148, 14207, 49714 AS-COLOCROSSINGUS United States 15->63 65 geoplugin.net 178.237.33.50, 49715, 80 ATOM86-ASATOM86NL Netherlands 15->65 53 C:\ProgramData\remcos\logs.dat, data 15->53 dropped 67 Installs a global keyboard hook 15->67 69 Uses ping.exe to check the status of other devices and networks 20->69 34 PING.EXE 1 20->34         started        37 conhost.exe 20->37         started        39 conhost.exe 22->39         started        41 PING.EXE 1 24->41         started        43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        47 PING.EXE 30->47         started        49 conhost.exe 30->49         started        51 conhost.exe 32->51         started        file8 signatures9 process10 dnsIp11 61 google.com 142.250.186.142 GOOGLEUS United States 34->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/981cf7b6cc1fc96b0ff9581f42bdbbe2ca39ce1a945377d9a35d490b712d3c1a/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-11-17 15:20:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=taoppnwmd7ewwd7zlapufpn34lfdttq2srjxpwndlveqw4jnhqna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
masslogger
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
4c26268e01117b5cf41d2f14689452912d708e64af0040ed75a40c94b0a943ea
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
RemcosRAT
+ 2'215 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:must!! persistence rat
Link:
https://tria.ge/reports/221117-sqrtdaeg52/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
107.174.202.148:14207
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d48606b4-1f25-4bd6-ba39-e07114ad0156
Unpacked files
SH256 hash:
e86cbed52d678dfac33a9fafeba4ca184c6bb1f52e1c2b369c3da44d455b661a
MD5 hash:
a2fd403be42def7ee3ab7bd74fefe261
SHA1 hash:
fa8ce2c6b1086c860e2384a3d24834c680ca99d9
Link:
https://www.unpac.me/results/4e18c144-c6bf-4dae-a37b-453c1beeae57/
SH256 hash:
d190d2a9d831e4074d07a0056b8fb12c472a154fd8d6febe620c23bf8e805c1b
MD5 hash:
cfc012a85edbf6554e6874020d8e59b5
SHA1 hash:
4c347a542867e721bae5de8ea392748dab45bf60
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e18c144-c6bf-4dae-a37b-453c1beeae57/
SH256 hash:
6d2b3d72a4327b7698fed70c79ff3f76600f55861ef3ea078883db659a86a355
MD5 hash:
2badf59b2f760639e2c910ef49267f22
SHA1 hash:
aa4e794d44304e0984aa8bf5a587e72885d624fb
Link:
https://www.unpac.me/results/4e18c144-c6bf-4dae-a37b-453c1beeae57/
SH256 hash:
981cf7b6cc1fc96b0ff9581f42bdbbe2ca39ce1a945377d9a35d490b712d3c1a
MD5 hash:
671c5fa2f01e03e1e5c3a47e48a904b0
SHA1 hash:
62aa4fc9896e357949277c406c7f8de500012f95
Link:
https://www.unpac.me/results/4e18c144-c6bf-4dae-a37b-453c1beeae57/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/981cf7b6cc1f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 981cf7b6cc1fc96b0ff9581f42bdbbe2ca39ce1a945377d9a35d490b712d3c1a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/335408/
  
URLhaus
https://urlhaus.abuse.ch/url/2422654/
  
Delivery method
Distributed via web download

Comments