MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8
SHA3-384 hash: 95be439ed6422cf7e36bcf0c167e1171c96be91dee6a6e6882620c31bd8c8dd054e1d0dcc87707e0124866d34d4a8bc1
SHA1 hash: 92a7cec78e9ae92134b34b3c8a0e9cc62f856116
MD5 hash: 2b4d1aafb6e0a1b305ad8ca1756ada83
humanhash: utah-failed-wisconsin-lactose
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:780'144 bytes
First seen:2023-03-01 17:43:46 UTC
Last seen:2023-03-01 19:35:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:ffZkpaYPfUTQMeCnyZVF9Ikz7SWbdIQg1FCE+2VIjedWrBUSVySbzRL9EPw3wfW9:JkpHUXeC2N2OIF5+0I6WBt0SbGwcNmC0
Threatray 964 similar samples on MalwareBazaar
TLSH T181F4124153CCCFAFF42589B1B4918ABD89A34C328240F44DB15A99F61896BF505CEFAF
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter jstrosch
Tags:.NET exe MSIL RemcosRAT signed X64

Code Signing Certificate

Organisation:cassandra.pw
Issuer:cassandra.pw
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-01T06:57:00Z
Valid to:2024-02-29T06:57:00Z
Serial number: e030475ef9eb69ae65c028fc1bb5be8b
Thumbprint Algorithm:SHA256
Thumbprint: 3d47fe4e1686ada89725e31f6e150e270451f4c29b258df3f32306840bee503d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-01 17:48:54 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/82d16dab-0670-4fac-81b0-9b61dff7d540

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370851/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.61270.22975.7352.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed powershell
Link:
https://www.filescan.io/uploads/63ff8eebbbedb8176ff20456/reports/729b37a6-789c-400d-b514-180574984bdb/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ea68b18-b899-4a82-bcf4-125c2f0aed83
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185065
Signature
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops PE files with benign system names
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Remcos
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817921 Sample: file.exe Startdate: 01/03/2023 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected UAC Bypass using CMSTP 2->70 72 6 other signatures 2->72 9 svchost.exe 2 2->9         started        12 file.exe 1 7 2->12         started        15 svchost.exe 2 2->15         started        17 9 other processes 2->17 process3 file4 88 Multi AV Scanner detection for dropped file 9->88 90 Writes to foreign memory regions 9->90 92 Injects a PE file into a foreign processes 9->92 19 AddInProcess32.exe 9->19         started        22 RegSvcs.exe 9->22         started        58 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 12->58 dropped 60 C:\Users\user\AppData\Local\...\file.exe.log, CSV 12->60 dropped 94 Drops PE files with benign system names 12->94 24 cmd.exe 1 12->24         started        26 cmd.exe 1 12->26         started        28 ngentask.exe 15->28         started        30 RegAsm.exe 15->30         started        32 mscorsvw.exe 15->32         started        34 3 other processes 15->34 96 Query firmware table information (likely to detect VMs) 17->96 98 Changes security center settings (notifications, updates, antivirus, firewall) 17->98 signatures5 process6 signatures7 74 Contains functionality to bypass UAC (CMSTPLUA) 19->74 76 Contains functionalty to change the wallpaper 19->76 78 Contains functionality to steal Chrome passwords or cookies 19->78 82 2 other signatures 19->82 36 svchost.exe 3 24->36         started        39 conhost.exe 24->39         started        41 timeout.exe 1 24->41         started        80 Uses schtasks.exe or at.exe to add and modify task schedules 26->80 43 conhost.exe 26->43         started        45 schtasks.exe 1 26->45         started        process8 signatures9 84 Writes to foreign memory regions 36->84 86 Injects a PE file into a foreign processes 36->86 47 jsc.exe 36->47         started        50 CasPol.exe 36->50         started        52 aspnet_regsql.exe 36->52         started        54 14 other processes 36->54 process10 dnsIp11 62 185.222.58.53, 1190, 49700 ROOTLAYERNETNL Netherlands 47->62 64 geoplugin.net 178.237.33.50, 49701, 80 ATOM86-ASATOM86NL Netherlands 47->64 56 conhost.exe 47->56         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 11:53:42 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6ptbfwias5dsiopxw6mhyxyo6vx2p27bywsms7hhhcil7icztma._file
Verdict:
malicious
Similar samples:
264287c5f1b361ec812fe7ecb1976f7dd6ef60bff2e40000f6258f190d481ccd
RemcosRAT
313d7ab3ab9ce9c507806980d866aa7f47cad13f943f3fcf24cc0a6050be6716
RemcosRAT
658e0f3e03622f2ef3a44be0e3c19d116f9e7445dacc1b6264ea75ed2af25294
RemcosRAT
66b93d3953720772c3adf5f424c5dc4d5e6a61c7e9d08157ccf8ad9eec069f1c
RemcosRAT
88d0963292143c5ba31261b14fa12f59edcd78df1bea35281e8cf080aa1460c0
RemcosRAT
aa0e0b9735614a120e1d49cd292470953e32f8d7b3fd299c0f7561400c4da72f
RemcosRAT
b0a04b50fca4dbfc5e6ce93ba36bf91777d3416e82396e7138df95483811446d
RemcosRAT
ddcfd6bd425a2ab84afef1a8443c3a9c858502d6eaa882c6f4cb830784d779b6
RemcosRAT
fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246
RemcosRAT
+ 954 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/230301-wa58lsgh3z/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
185.222.58.53:1190
Unpacked files
SH256 hash:
9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8
MD5 hash:
2b4d1aafb6e0a1b305ad8ca1756ada83
SHA1 hash:
92a7cec78e9ae92134b34b3c8a0e9cc62f856116
Link:
https://www.unpac.me/results/204f85af-64b9-4469-8df8-4944efad2988/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f9f3096c804/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9f9f3096c804ba3921cfbdbcc3e2f877ab7d3f5f0e2d264be739c485fd02ccd8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2538577/
Cape
Cape
https://www.capesandbox.com/analysis/370851/

Comments