MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e3c6d2f7b4a61b99f97c864da82a42d4e8ab8eacc729618172fbe44bf237155. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e3c6d2f7b4a61b99f97c864da82a42d4e8ab8eacc729618172fbe44bf237155
SHA3-384 hash: 1b8db519eb1f831ee9a501157a195785bc4ec99a36d8669cb1e7c9c973ae0f007f3d4c4edc916cc26db4f213532e508d
SHA1 hash: 87e22d423f4ca18c410f033f6c3d583b256b2db6
MD5 hash: 10a338066bab1f5d7e67a09d4ebb7a15
humanhash: arkansas-lake-oranges-lion
File name:SecuriteInfo.com.Win32.PWSX-gen.21616
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:596'832 bytes
First seen:2022-09-09 09:53:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:FOkE5gVBa576QeasvLnnU0Wd8Oe2tzBydHKlGbhNIsB7:FnEIBaBe3wFe2tNsKlE7
Threatray 2'549 similar samples on MalwareBazaar
TLSH T1A1C41346D7D00063C98BAE76309247934BB0D20E5C924FDB9699F1190F6E3CAB64E9DF
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
369
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.21616
Verdict:
Malicious activity
Analysis date:
2022-09-09 09:56:09 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/daacb7d0-96a7-46c6-8af8-7e8dd7684294

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/308966/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/631b0d7ed94ccae41087a9eb/reports/fc1f438d-00ac-4385-a067-1215c87e17b7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95a93b61-0f13-42d6-b4f4-8201e5f44f8a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067694
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e3c6d2f7b4a61b99f97c864da82a42d4e8ab8eacc729618172fbe44bf237155/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-09-09 01:42:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ty6g2l33jjq3th4xzbsnvavefvhivohkzrzjmgaxf67ejpzdofkq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0c3d385c94560cc9fa56c7cab2a5401c37397820956adaa20e5b4fa6422ceb3d
RemcosRAT
217bb63194104a743dea34fafc9d8f38c842cde812ec86dfff64b03526bd2d89
RemcosRAT
2a472c3e4490813516275d88063dfddd2070a6553563ae2548ec6d5053fdab7d
RemcosRAT
38816055042a3693ff846a391e8280f800d06a3c49ca0181ab0f99d99db48b09
RemcosRAT
71b55b8575963a25df831dbc936196e996ce48927577f2f4cc8a5398994b1cbd
RemcosRAT
7d237aef354c63c3618c8c8df4718e2c5056edd90702bc77a233944e2c42de9b
RemcosRAT
a6abf72d95dac9ba6e6e4b53d9cbcd013846660a18ac5b9eeacb6cd87c783a2c
RemcosRAT
d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375
RemcosRAT
+ 2'539 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:gusta rat
Link:
https://tria.ge/reports/220909-lw7y8aghf4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Remcos
Malware Config
C2 Extraction:
freetogo01.ddns.net:4545
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/076b81b0-e620-47a7-810f-504fce92aad0/
SH256 hash:
bb3c3c2550d5686ff472239f9188fe2a88a5440a5451664b606ae99355c55be4
MD5 hash:
a92d30a6b7873ed472ab17c3b553aee6
SHA1 hash:
4379cb7d83652114d4052ec4858b65b3dd53d711
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/076b81b0-e620-47a7-810f-504fce92aad0/
Parent samples :
9e3c6d2f7b4a61b99f97c864da82a42d4e8ab8eacc729618172fbe44bf237155
0055c0240aa6da781fdbe57182ebe6d1e69c9d9a1eb401cdab0ad574e9191c17
SH256 hash:
9e3c6d2f7b4a61b99f97c864da82a42d4e8ab8eacc729618172fbe44bf237155
MD5 hash:
10a338066bab1f5d7e67a09d4ebb7a15
SHA1 hash:
87e22d423f4ca18c410f033f6c3d583b256b2db6
Link:
https://www.unpac.me/results/076b81b0-e620-47a7-810f-504fce92aad0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e3c6d2f7b4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308966/

Comments