MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c
SHA3-384 hash: de415a621f37d9ce705b4febe5addd4c87bc033939f7e826bdae81e3ab686e6ef2564e26f1844b80ee234a5a47610a5a
SHA1 hash: 57c2180d81414b1330f5cca3a1ec725f79bf20ee
MD5 hash: 56ffc83c5e268b13b8b4b7a03b2bf6ab
humanhash: fish-jersey-johnny-nineteen
File name:56ffc83c5e268b13b8b4b7a03b2bf6ab.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:579'378 bytes
First seen:2022-12-08 10:49:50 UTC
Last seen:2022-12-08 12:48:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 12288:Xzi3w8CALRzW6T76bEFZQvbx7H3uqcwrm:XOw8ZfO4ZQvNCUrm
TLSH T1B6C4235ABFF8446ECC3681B218A85D8692BB4F1D03D50757B325BFB236B32F3041659A
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f2d6d6c6c6e6d0d2 (2 x Formbook, 2 x RemcosRAT, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344275/
Detection(s):
SecuriteInfo.com.FileRepMalware.17298.11596.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6391c15df6e448d42df79ebf/reports/1fd73b0f-f925-4189-bf8e-9a03e7697b46/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b41b390-c7cc-47d3-9f2f-828c0e62d8be
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130625
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 763349 Sample: mod9gJkrkn.exe Startdate: 08/12/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Remcos RAT 2->53 55 C2 URLs / IPs found in malware configuration 2->55 7 mod9gJkrkn.exe 19 2->7         started        10 anpfix32.exe 1 2->10         started        13 anpfix32.exe 1 2->13         started        process3 file4 33 C:\Users\user\AppData\Local\...\pcnhtrbc.exe, PE32 7->33 dropped 15 pcnhtrbc.exe 1 3 7->15         started        57 Multi AV Scanner detection for dropped file 10->57 59 Machine Learning detection for dropped file 10->59 19 WerFault.exe 3 10 10->19         started        21 conhost.exe 10->21         started        23 WerFault.exe 10 13->23         started        25 conhost.exe 13->25         started        signatures5 process6 file7 35 C:\Users\user\AppData\...\anpfix32.exe, PE32 15->35 dropped 41 Multi AV Scanner detection for dropped file 15->41 43 Performs DNS queries to domains with low reputation 15->43 45 Machine Learning detection for dropped file 15->45 47 5 other signatures 15->47 27 pcnhtrbc.exe 2 17 15->27         started        31 conhost.exe 15->31         started        signatures8 process9 dnsIp10 37 fineboy.andosela.xyz 37.120.153.94, 2829, 49702 M247GB Romania 27->37 39 geoplugin.net 178.237.33.50, 49703, 80 ATOM86-ASATOM86NL Netherlands 27->39 61 Installs a global keyboard hook 27->61 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-08 06:21:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tyv7adwtghac7hhfqizzxdghogsuekmycvfxgeffwo54zd6c3rwa._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:mainceleb persistence rat
Link:
https://tria.ge/reports/221208-mw9cqahg25/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
fineboy.andosela.xyz:2829
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8cc6a555-8c0c-4697-aeba-0cedf4e4dd4b
Unpacked files
SH256 hash:
0edfe3e40e9c678761e0f1fcc9a916ad9b20aecea843517dca6cd5f53fffbb12
MD5 hash:
5e1d0c775e2adbd5d636edc7d463041d
SHA1 hash:
4dc93fc8fb444afdaf039320dd0be1f0c88ebd9f
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/9f8379aa-f5ea-4e19-96ac-d672b133769f/
Parent samples :
1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338
9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c
SH256 hash:
a6eda4ddec79168d653fe4988a232d85680327f2339cc688886b01311741d1cc
MD5 hash:
750224479b974c0acef9c906c24a4b29
SHA1 hash:
0ddc32939c27c2bd375fb04949cb4413f138ed66
Link:
https://www.unpac.me/results/9f8379aa-f5ea-4e19-96ac-d672b133769f/
SH256 hash:
9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c
MD5 hash:
56ffc83c5e268b13b8b4b7a03b2bf6ab
SHA1 hash:
57c2180d81414b1330f5cca3a1ec725f79bf20ee
Link:
https://www.unpac.me/results/9f8379aa-f5ea-4e19-96ac-d672b133769f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e2bf00ed331/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2450896/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/344275/

Comments