MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39
SHA3-384 hash: 709a5542ab911b94cde03f6eb3072a1628089d3cc93efdb47d6af30aaa282051f001cecfc20c9afeba872418c86ef9d9
SHA1 hash: 50313ccb2b79c67c6adb52e34b3af2a1fa6f4683
MD5 hash: a07c221c9f3dc8fcb886290fab3ce121
humanhash: timing-berlin-dakota-maine
File name:march full order list 2022.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'384'448 bytes
First seen:2022-03-14 05:51:15 UTC
Last seen:2022-03-14 08:05:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:xCRIYc1Ra51DReFN4aKbUM/qU/R5RqF2XmjKGNNqqDbDscFcWVMoy+x:xCRD4SIwZbU2q0tqF22DNq0scA
Threatray 2'600 similar samples on MalwareBazaar
TLSH T19155BFE46B08527FEEB1237AC1B815313EB61D4AA895FF28568D32C94973F8F08D641D
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.31.98.58:2405

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.31.98.58:2405 https://threatfox.abuse.ch/ioc/395086/

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249946/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.25179.27590.20231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Setting a keyboard event handler
Running batch commands
Forced shutdown of a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/622ed80adfdfa8501c9c30c6/reports/1ef5e734-5ed5-438c-97e7-246ae5c94644/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a870c272-b17b-47c3-b3f4-e71776d38d81
Result
Threat name:
AsyncRAT Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955818
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 588295 Sample: march full order list 2022.... Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 79 part-0032.t-0009.fb-t-msedge.net 2->79 81 part-0017.t-0009.fb-t-msedge.net 2->81 83 6 other IPs or domains 2->83 107 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Multi AV Scanner detection for dropped file 2->111 113 21 other signatures 2->113 10 march full order list 2022.pdf.exe 7 2->10         started        signatures3 process4 file5 71 C:\Users\user\AppData\...71YzIWuNJPDi.exe, PE32 10->71 dropped 73 C:\Users\user\AppData\Local\...\tmpFEB2.tmp, XML 10->73 dropped 75 C:\...\march full order list 2022.pdf.exe.log, ASCII 10->75 dropped 119 Adds a directory exclusion to Windows Defender 10->119 14 march full order list 2022.pdf.exe 3 5 10->14         started        19 powershell.exe 25 10->19         started        21 schtasks.exe 1 10->21         started        signatures6 process7 dnsIp8 95 primetoolz.duckdns.org 194.31.98.58, 2404, 2405, 49779 BURSABILTR Netherlands 14->95 97 192.168.2.1 unknown unknown 14->97 77 C:\Users\user\Desktop\dwn.exe, PE32 14->77 dropped 99 Writes to foreign memory regions 14->99 101 Allocates memory in foreign processes 14->101 103 Installs a global keyboard hook 14->103 105 Injects a PE file into a foreign processes 14->105 23 dwn.exe 14->23         started        26 march full order list 2022.pdf.exe 4 14->26         started        29 march full order list 2022.pdf.exe 14->29         started        35 7 other processes 14->35 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        file9 signatures10 process11 file12 69 C:\Users\user\AppData\Roaming\Adobe.exe, PE32 23->69 dropped 37 cmd.exe 23->37         started        39 cmd.exe 23->39         started        115 Tries to harvest and steal browser information (history, passwords, etc) 26->115 117 Tries to steal Instant Messenger accounts or passwords 29->117 41 chrome.exe 35->41         started        44 chrome.exe 35->44         started        46 chrome.exe 35->46         started        48 3 other processes 35->48 signatures13 process14 dnsIp15 50 Adobe.exe 37->50         started        53 conhost.exe 37->53         started        55 timeout.exe 37->55         started        57 conhost.exe 39->57         started        59 schtasks.exe 39->59         started        93 239.255.255.250 unknown Reserved 41->93 61 chrome.exe 41->61         started        63 chrome.exe 44->63         started        65 chrome.exe 46->65         started        67 3 other processes 48->67 process16 dnsIp17 85 primetoolz.duckdns.org 50->85 87 part-0032.t-0009.fb-t-msedge.net 13.107.253.60, 443, 49806, 49807 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 61->87 89 googlehosted.l.googleusercontent.com 142.250.185.65, 443, 49955, 55872 GOOGLEUS United States 61->89 91 9 other IPs or domains 61->91
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39/
Threat name:
ByteCode-MSIL.Trojan.AgenteslaPacker
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 05:52:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uq42b6nclam4pmjeszob2shp6h4ydkr5mgimh4schhex5q43fq4q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02d3ff621a1778737ee5207686d5f8a0f2f8c661908e3ba7cdfab8221321c8b5
RemcosRAT
1201a0c89e08bb6bad16c0a265ed660dd8473a16bf74980f372ed0a49190c39f
RemcosRAT
4d1cfc06d50c33a02572d8d32f34c277bb89bad8d2932c4e0549409d98d5ddda
RemcosRAT
88a52cb96bc7ae6d6788e1c3f4bca7c4bd379037cba08c6a86f28694f767d9d9
RemcosRAT
eb1d29174d0a65b4ff95f172d35532666fed7cd6659ec77591240777b5b76452
RemcosRAT
fa7229938d7109be9b5947f67058cb3cab1d366ababae65b83786b80584a160a
RemcosRAT
+ 2'590 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:remcos botnet:default botnet:remotehost brand:microsoft collection persistence phishing rat spyware stealer suricata
Link:
https://tria.ge/reports/220314-gkr2eaffap/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
.NET Reactor proctector
Async RAT payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
AsyncRat
Remcos
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
primetoolz.duckdns.org:2404
primetoolz.duckdns.org:2405
Unpacked files
SH256 hash:
be96e0f82a3d8e6d6c3df8b443cb7bbdc2985f90c14627f8047516f0f6b9af4f
MD5 hash:
ad0cf00c029dcf9e4a1e7ff6732ab2f6
SHA1 hash:
7c1f837d9c95c69c2b4bf6cfc245788e6781f6f9
Link:
https://www.unpac.me/results/efb9766f-0794-4857-a6ec-4195d26107dc/
SH256 hash:
c90ed028a69fe6134409dc2f40365c1f17072335b847cb4874938b1ca4efd3e5
MD5 hash:
b48688a1b164f34f679feb880314322c
SHA1 hash:
75a301b306874998ebf7ecbe0e6e3c29a4f8eab4
Link:
https://www.unpac.me/results/efb9766f-0794-4857-a6ec-4195d26107dc/
SH256 hash:
9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash:
b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash:
437049e452a511e220abdb32df695cdf07f5a7d0
Link:
https://www.unpac.me/results/efb9766f-0794-4857-a6ec-4195d26107dc/
SH256 hash:
e3f773aeecd0175f8fced3179dc01ef341fddf2ee8479eb465edb76280a63e63
MD5 hash:
0f596946a2d351be7d8ed68d98fac665
SHA1 hash:
3353fb60d79c99553003418fef82e1ee811a226a
Link:
https://www.unpac.me/results/efb9766f-0794-4857-a6ec-4195d26107dc/
SH256 hash:
a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39
MD5 hash:
a07c221c9f3dc8fcb886290fab3ce121
SHA1 hash:
50313ccb2b79c67c6adb52e34b3af2a1fa6f4683
Link:
https://www.unpac.me/results/efb9766f-0794-4857-a6ec-4195d26107dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249946/

Comments