MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f1ee6916ffb1de887fd7f8e9a6c6a23cf588d6498db31e35182bfd5f94fd62a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 16



SHA256 hash: 9f1ee6916ffb1de887fd7f8e9a6c6a23cf588d6498db31e35182bfd5f94fd62a
SHA3-384 hash: d7fc2706f5cb9c510bf64432bc3dc671c330c80609914e5f59ff784e128d7300389ace3ea0d59b5f8de07921cf036f9b
SHA1 hash: 820ac589765395d48e18dbb3e21d74e01153197a
MD5 hash: e2f5006e1aaef2772f0593ca9e63d13b
humanhash: nebraska-don-violet-whiskey
File name: e2f5006e1aaef2772f0593ca9e63d13b
Signature RemcosRAT
File size: 1'011'200 bytes
First seen: 2023-05-23 05:43:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:mTBHPs1M7p+HH714RAUBey7bwRV5/OeaT8x:AHPs1McH7epj70RD/OeE
Threatray 1'928 similar samples on MalwareBazaar
TLSH T11A25018066985C04E66A5FB54BB7F27043B56C68EB23D35D64E42C8F7C66B827B007C7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 224472b2a0c04280 (13 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 295
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: e2f5006e1aaef2772f0593ca9e63d13b
Verdict: Malicious activity
Analysis date: 2023-05-23 05:43:34 UTC
Tags: rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (rendered graph not recoverable; text summary of what the graph recorded): Behavior Graph ID 873496, sample kG65vGB3nx.exe, start date 23/05/2023, architecture WINDOWS, score 100. Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures.
Process chain: kG65vGB3nx.exe (Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to steal Chrome passwords or cookies; Contains functionality to modify clipboard data; 2 other signatures) drops C:\Users\user\AppData\...\kG65vGB3nx.exe.log (ASCII) and starts two further kG65vGB3nx.exe instances. One of these drops C:\ProgramData\Remcos\remcos.exe (PE32) together with C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII) and starts remcos.exe (Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file), whose child remcos.exe connects to 45.81.243.246 on port 2022 from local ports 49699 and 49700 (LVLT-10753US, Germany) and installs a global keyboard hook. Three additional remcos.exe instances are started directly from the root and each spawns further remcos.exe children.
Threat name: ByteCode-MSIL.Trojan.AveMariaRAT
Status: Malicious
First seen: 2023-05-22 08:35:13 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction: 45.81.243.246:2022
Unpacked files
Detections: Remcos win_remcos_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: RemcosRAT
Sample: Executable exe 9f1ee6916ffb1de887fd7f8e9a6c6a23cf588d6498db31e35182bfd5f94fd62a (this sample)

Comments



zbet commented on 2023-05-23 05:43:09 UTC

url: hxxp://194.180.48.59/papizx.exe