MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
SHA3-384 hash: 83ddf91ea52926fc4cc51222d374571576323d585afe4069f797219741dc0dbb719e2ee6531615ac061d042728ad032d
SHA1 hash: f08c5033d032f722f84bb0540306f3b525e80867
MD5 hash: cb1a16ee9daca73b36374f5c4753dc85
humanhash: skylark-venus-pasta-fruit
File name:cb1a16ee9daca73b36374f5c4753dc85
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:583'168 bytes
First seen:2022-12-07 11:57:33 UTC
Last seen:2022-12-07 13:38:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:ieSXybYOU6vxatsTnipvWPMfofz0O6J6vtPOKtrbU+spbaVAEbzb/vk1zLOk+nkB:3SXQYKaSTvMQfz0O5dOcbDshC/vk
TLSH T173C4F08C761431DFC95BC872CDA91CA4EA60787BA31B8203A45316DDAE8D997CF245F3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-01.300.TRGVH.js
Verdict:
Malicious activity
Analysis date:
2022-12-07 10:26:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e1c54bc-cd4c-4f9f-95ad-57f9b39e8f96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/343874/
Detection(s):
SecuriteInfo.com.Trojan.TR.Dropper.Gen.23575.18083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Setting a keyboard event handler
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63907fcf0c6473d16719c993/reports/2428ce06-857c-4d49-b97e-60e9b5be3046/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87a2c361-4b07-4f17-9408-14781993a9fc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130145
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 762871 Sample: 7Og6qyL90L.exe Startdate: 07/12/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 Antivirus detection for dropped file 2->44 46 9 other signatures 2->46 7 7Og6qyL90L.exe 1 2->7         started        10 SyNBhstem.exe 1 2->10         started        process3 file4 28 C:\Users\user\AppData\...\7Og6qyL90L.exe.log, ASCII 7->28 dropped 13 powershell.exe 14 7->13         started        17 7Og6qyL90L.exe 2 17 7->17         started        48 Injects a PE file into a foreign processes 10->48 20 powershell.exe 3 10->20         started        22 SyNBhstem.exe 10->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\...\SyNBhstem.exe, PE32 13->30 dropped 32 C:\Users\...\SyNBhstem.exe:Zone.Identifier, ASCII 13->32 dropped 50 Drops PE files to the startup folder 13->50 52 Powershell drops PE file 13->52 24 conhost.exe 13->24         started        36 51.75.209.245, 2404, 49699 OVHFR France 17->36 38 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 17->38 34 C:\ProgramData\remcos\logs.dat, data 17->34 dropped 54 Installs a global keyboard hook 17->54 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 09:49:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=to5nbmrr6vxsfbkxi3pira53chk47q5qrcdwbk2hmigqkofprfra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/221207-n47pjaeb87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Remcos
Malware Config
C2 Extraction:
51.75.209.245:2404
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/da0dbb41-da13-414e-96e8-fc453104085a
Unpacked files
SH256 hash:
1459ade80dd19b04b8d0037ce88f8f020b6c9d730e39fca181465355562f4b15
MD5 hash:
2c8b1b939947b35d647eb87373316fcb
SHA1 hash:
ec7b924e02076e3f6f1ba70d6990f7946c661d27
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/04caeea1-6221-4072-ae43-64743e0e2947/
Parent samples :
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b
b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
bdb57463a45449889f971cc8f16abf66f695b00dabf917280ec6e7389916a0a2
f5758ccee5820f19251721999da1f927572f00bc472113638f2fb134d6599b68
8f6954e1834b49a24b8e937ff093f1e534f89691ce805ce2f14553315a18e651
8f2f7e3c4fdafd040879abd0e8fc0bcd7c4055217a4fac63e348ff391da62878
238e7b87bd6d152fce3ae3dbe8ea4a9f3b56c883944cb93695c58fdc20aad6e8
dfca7ce647ee8994cba9317516ce7f58b2b175f815fd5336dbfed34ccad5c4de
6af23878112166b4f2b99b4a7af53cf8c71ee4d0e27eead7eba335832e9449b4
d299c8e1864ae2089e28301ed127b86d92c3aeac935f35822479a018b025da59
f7ac248e39e55ccbf0b79fbfd3bbad23f00dd3e595d6f58166a70dfd82adb951
734e077ffd2beb5e2808ce5bf2d27f03757257d133794acad69bf80bee2e7348
c1cc5ad08f2796e777ab3006a88c3cfa5dc84b0d0bc5f95cb72cb73436220b4c
83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
ff4eaf31a3a0f4f99fd9c71caa01388cd50a9917fc16625d549c470cf23cd68f
fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab
9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
123b988cf46a721c113799db30e360848a05941032871f87d1ea6a12bd8e7f0f
f306fefee8114c023ad5056b16a490a82466e8bbf50296f2ecdac6a75123bd2d
fdc9196c194b31f7b221c487affe3d815775a436b1c26133fa6b1e8a9c252a51
4713512f84ba1fbb43666e1e0c5ef8f02d681c0fef3c469a13759d51018d1f0f
aa512df0ca1a0462046446c14ca5aaaa5255dc12b6aa06ea7662aff9d1b2eb41
a6655fefe6b0b32d5c94627d3b83a0d446fa329b162ac7f8409a1b8827b63abc
679f0dec60e8ac08f75b8e2731c1689544b9ae1d08a26e9c6607a7bad3941ebb
a84ffc6423f9efc057fcffadbf537056debc6b79d3d81a7dc4b16bd61a87b6ba
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
c8ce7d7a1b3511466f838f2b09f1a644ac2ceaa09f508a81a601cc5c576e18d4
df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
8758be9f226102217b3f28ffc1d6093dac1c9d5e8b3de32d85d150204169c10d
f34b65f828707e189c6197c3605e4b25bcd493e93bdb498bc91eeee6ac349d0b
da6d125701d41e2b9d6d9931b4747bbf6b3b4a6c0ca26311c7983fad94e22ef5
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/04caeea1-6221-4072-ae43-64743e0e2947/
SH256 hash:
3047e93f2ea62c157a398d369bd0130f0dec4bd256d1c5aa694d0a4e1d1bd5db
MD5 hash:
c194c6a93c74e174e82d2e46337b913f
SHA1 hash:
39d385002ec394951a00b6dd96117d6327717ca3
Link:
https://www.unpac.me/results/04caeea1-6221-4072-ae43-64743e0e2947/
SH256 hash:
9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
MD5 hash:
cb1a16ee9daca73b36374f5c4753dc85
SHA1 hash:
f08c5033d032f722f84bb0540306f3b525e80867
Link:
https://www.unpac.me/results/04caeea1-6221-4072-ae43-64743e0e2947/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bbad0b231f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2449484/
Cape
Cape
https://www.capesandbox.com/analysis/343874/

Comments


Avatar
zbet commented on 2022-12-07 11:57:37 UTC

url : hxxp://ewsdghmrhfuier.ga/yy/NHyGGGH.exe