MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842
SHA3-384 hash: 168ac0a962c27025a8532b5be67647b8d36a87c636ecf83ab461fca7ce94478da5497c08e9773f415fb701b647d9673e
SHA1 hash: 0ed40afd4e347ccfb97f33639814b8fb23eb6f29
MD5 hash: bfd832768c77c60e6cea6237509db468
humanhash: batman-steak-kitten-california
File name:bfd832768c77c60e6cea6237509db468
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'254'912 bytes
First seen:2022-05-23 14:00:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:N1ddtWB/FGxNHhZtlS3rsowzsqqJ/3WqDA2Qnd8Q50ol:NfdtS/MxNHhZ3QsF6GqQJ
Threatray 1'597 similar samples on MalwareBazaar
TLSH T1F7451221B2E18749ECB987F48931941067777C2EB470E65F6D8276CD3A32B428792B63
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4f4d4c4c4d4c4cc (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
bfd832768c77c60e6cea6237509db468
Verdict:
Malicious activity
Analysis date:
2022-05-23 23:35:51 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/6e77fce5-4adb-4bad-86be-d26f0fac44fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273736/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/628b939f3ec49f83a6c48b5d/reports/2dac7eb9-de84-4ecb-a3cc-5d59f84ff7ed/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d231a2de-f4e7-4458-b4e9-27edd849d414
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999862
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632354 Sample: 3zyqQxkPKc Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 10 other signatures 2->50 7 3zyqQxkPKc.exe 7 2->7         started        process3 file4 30 C:\Users\user\AppData\Roaming\wtuQSfgzp.exe, PE32 7->30 dropped 32 C:\Users\...\wtuQSfgzp.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmpED0D.tmp, XML 7->34 dropped 36 C:\Users\user\AppData\...\3zyqQxkPKc.exe.log, ASCII 7->36 dropped 56 Detected unpacking (creates a PE file in dynamic memory) 7->56 58 Contains functionality to steal Chrome passwords or cookies 7->58 60 Contains functionality to inject code into remote processes 7->60 62 5 other signatures 7->62 11 3zyqQxkPKc.exe 2 16 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 38 salesumishcn.ddns.net 31.42.186.188, 49768, 49781, 49783 YURTEH-ASUA Ukraine 11->38 40 geoplugin.net 178.237.33.50, 49773, 80 ATOM86-ASATOM86NL Netherlands 11->40 42 192.168.2.1 unknown unknown 11->42 64 Installs a global keyboard hook 11->64 66 Injects a PE file into a foreign processes 11->66 19 3zyqQxkPKc.exe 2 11->19         started        22 3zyqQxkPKc.exe 1 11->22         started        24 conhost.exe 11->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        signatures8 process9 signatures10 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Tries to steal Instant Messenger accounts or passwords 22->54
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 14:01:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
60
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2rg5i6pia2fqdamaly44rrhrb75ljuoa2ncyqmjzdzfhnmrtbba._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
7d86068523fe035aec83fcb57be4edc0bdca3000fa6046fb66ef246b20e15601
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee
RemcosRAT
ba8d32d0c7844fdd2e5c4311fc6dc7a400d7c1ff97bebd9760d62308c669fb8f
RemcosRAT
e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617
RemcosRAT
fafd7463254353a7e4ea4900b93f412fb84bbbddae730fc145c54331eb2533f8
RemcosRAT
+ 1'587 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:doings01 rat
Link:
https://tria.ge/reports/220523-rbjc1shcdr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
salesumishcn.ddns.net:9854
Unpacked files
SH256 hash:
fb665f29a523098375a379127d05274e73a0c5e7f9f1f4e59abbfb96636862ed
MD5 hash:
23fb93067fcbcc42bcc3b475d2a4dfb1
SHA1 hash:
f74b332b630f898f0822feac89aeb9a278053639
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/1850a3f1-7aa1-4191-84e7-9d2a1ba72031/
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/1850a3f1-7aa1-4191-84e7-9d2a1ba72031/
SH256 hash:
dfb433254bc03b816959c14a83b83f4e68a79c41c91b31b55322c7fca8261a26
MD5 hash:
f61920e55139f80a4241dc12144ac3e0
SHA1 hash:
85ecde3f61c938f461daeec9d86c582c538cc306
Link:
https://www.unpac.me/results/1850a3f1-7aa1-4191-84e7-9d2a1ba72031/
SH256 hash:
260b5fd8c93db7bf86e36b587079483233020e755074798ddbc40821a4afe0eb
MD5 hash:
13346af03b105b0b8f593724d6dc0c1d
SHA1 hash:
85c3722ba3a0cbe36b4a8997a9476bc498b7b3e7
Link:
https://www.unpac.me/results/1850a3f1-7aa1-4191-84e7-9d2a1ba72031/
SH256 hash:
09eae7ad59ee85dee81a0ab99b9f21398f32ba2d9241d57e2c978ff1bebab40b
MD5 hash:
7b70498b3875779eba91e2ed2ba3073f
SHA1 hash:
16d4f64782dbd9639765631e0b186b7a0fbda585
Link:
https://www.unpac.me/results/1850a3f1-7aa1-4191-84e7-9d2a1ba72031/
SH256 hash:
9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842
MD5 hash:
bfd832768c77c60e6cea6237509db468
SHA1 hash:
0ed40afd4e347ccfb97f33639814b8fb23eb6f29
Link:
https://www.unpac.me/results/1850a3f1-7aa1-4191-84e7-9d2a1ba72031/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ea26ea3cf40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2207976/
Cape
Cape
https://www.capesandbox.com/analysis/273736/

Comments


Avatar
zbet commented on 2022-05-23 14:00:56 UTC

url : hxxp://172.245.120.39/550/vbc.exe