MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414
SHA3-384 hash: 7b417084e180893728d605dfe3828f51b3ad2019fc25a5f131062abad7d4b9a2f71557fed48650a49d48e3d4012baf38
SHA1 hash: 6b2cb56eef2d747e5f68a688e0cb1f5d6a8d587a
MD5 hash: 72272f92ab113c161fb94932d478dd1b
humanhash: connecticut-bakerloo-asparagus-floor
File name:72272f92ab113c161fb94932d478dd1b
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'797'632 bytes
First seen:2021-08-12 15:20:23 UTC
Last seen:2021-08-12 17:42:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:aVHXdjBCInPMSS1ttRYLSDab65NCANZZS5R0:aVHXdkIn+PnUKCAN3B
Threatray 13 similar samples on MalwareBazaar
TLSH T13E859F3D19B92637C1A5C6758AE18817F0409CAF31D1A9BC94D27F66C3F2A5335832EE
dhash icon 0c3269d44569300c (17 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JUNE -- JULY SOA---- Worldwide Partner--WWP SC+SHA.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-12 13:48:58 UTC
Tags:
encrypted exploit CVE-2017-11882 rat remcos
Link:
https://app.any.run/tasks/a1ca746a-041f-4022-afcd-5baa1d842557

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178774/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.59996.13443.4040.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Connection attempt
Sending a custom TCP request
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da05ca74-db1d-4899-8092-949b447a462e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831893
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 13:58:56 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uv66727g6yc6lshmaiz7zaiwn6nfhk74ers342ttqbznhzcpuqka._file
Verdict:
unknown
Similar samples:
10f1adb9850bf8aabcefaebe019d8d8245ffd81bff8f4c2a6e578ffbe455f292
RemcosRAT
1d1481448331318ac01e5de6b53de842b79211bc4c4cc13829f38f699a6cc3a1
RemcosRAT
3c274255e35e340152ba94463f4b27e0f5f2554062abc27b4ec4d3389545379a
RemcosRAT
45fad79d5665cbad096d1029eb228bdca999352958c393d08e2813787fc2dcb0
RemcosRAT
53ec270c6cef24f224cc4a2b9d42334c9ba83010f596fcf1f69156715318eb4d
RemcosRAT
6ce6f6c16310e90a3d624750f1d7146aa4d2e8baa04d409133869199d4a5d23a
RemcosRAT
7c2a1cd4698642e67d5c4240c34940196be56850086c52d049a10204a81f6eac
RemcosRAT
b2d0646c000d113ebaf252cf3d5eac243608b1358c653e7ec7fd85880cf1f5d4
RemcosRAT
c448169380e81c58f9468dfc7ffe85622b8e01d1b1b9cb66dabb7be265cd5306
RemcosRAT
e2baf0f5b01a92323fa0f46207e5b9ae09ec8945ef722b912d3559d43c6e907c
RemcosRAT
+ 3 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/210812-9qve6wek32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
45.137.22.101:5888
Unpacked files
SH256 hash:
33ac6b8012ce739e72022086b5d39b7fc030c20fa72988f76957685509d5c041
MD5 hash:
83f8ae95a7e6f016f6b00482588086e6
SHA1 hash:
70392939d6d60a913b51084ec1d98eaae8ca4868
Link:
https://www.unpac.me/results/30eec475-82cd-45d1-84d3-05e4f7c384e2/
SH256 hash:
9d5f53ff661746b97e3f4294d50ede95dcba29f34f5eff3b26b174373a648ad7
MD5 hash:
680990d62466275da95c547fcb92b131
SHA1 hash:
89c6f670f23ca550dd4ff678bc37f704f913f032
Link:
https://www.unpac.me/results/30eec475-82cd-45d1-84d3-05e4f7c384e2/
SH256 hash:
b99da2391cfa71d44b94b3fad454ba2b538d38ce7d12f37f7f2f604a5ef8067a
MD5 hash:
cb4207e174c78f000889dc9f3aa93d0c
SHA1 hash:
8cb802e4cb5df80c4ce13e732732c88576075918
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/30eec475-82cd-45d1-84d3-05e4f7c384e2/
Parent samples :
e391c863171dbe0a79e9ee01b3f221603e1dddb3938c3215980cd5b991578f4e
e291787eb38a6bd40ca70158d8873ee4f9d8efe22906edf703f0ea2b8af3c248
a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414
SH256 hash:
a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414
MD5 hash:
72272f92ab113c161fb94932d478dd1b
SHA1 hash:
6b2cb56eef2d747e5f68a688e0cb1f5d6a8d587a
Link:
https://www.unpac.me/results/30eec475-82cd-45d1-84d3-05e4f7c384e2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a57defebe6f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe a57defebe6f605e5c8ec0233fc81166f9a53abfc2465be6a738072d3e44fa414

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1527879/
Cape
Cape
https://www.capesandbox.com/analysis/178774/

Comments


Avatar
zbet commented on 2021-08-12 15:20:24 UTC

url : hxxp://198.23.251.109/global/vbc.exe