MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286
SHA3-384 hash: 4c7e9eed8ec6c97b7a869f4899555acedc3d21d79045e327acbe257ecf3aae726826408f4380d10e6d71b5e5681c4a48
SHA1 hash: 0ae60fc2f4ff6e057f9678191980c58fade6e48f
MD5 hash: 482aadb6cf38bee408d0c0b8ae09c02c
humanhash: south-maine-sierra-massachusetts
File name:SecuriteInfo.com.Trojan.Inject4.59820.23925.30290
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:873'984 bytes
First seen:2023-08-03 16:31:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:ymN7PaLcxZfqD6Nb7KQG0UGMfBfDsXwwchTf2mneLSv:nNTHXHNXK90UFVsX+hf2mneL
Threatray 2'504 similar samples on MalwareBazaar
TLSH T1A90523F772DED355CE591AFC54B3115803AA2F82B2CAF72D988011402D51F937BB6AB4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 5ab9f8e4f8999ab8 (5 x Loki, 5 x AgentTesla, 3 x Formbook)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Inject4.59820.23925.30290
Verdict:
Malicious activity
Analysis date:
2023-08-03 16:34:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d4daa909-5ff3-4028-9cd5-f214a1642e8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/440123/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.59820.23925.30290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed remcos
Link:
https://www.filescan.io/uploads/64cbd685e0cfd564ff475887/reports/d27014f9-111c-4f0b-84af-1be574f981a3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1564a775-7735-462f-8b49-9f7018bee66c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1285244
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1285244 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 93 Multi AV Scanner detection for domain / URL 2->93 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 11 other signatures 2->99 10 SecuriteInfo.com.Trojan.Inject4.59820.23925.30290.exe 7 2->10         started        14 ZUqZmfezsvV.exe 5 2->14         started        16 remcos.exe 2->16         started        18 remcos.exe 2->18         started        process3 file4 75 C:\Users\user\AppData\...\ZUqZmfezsvV.exe, PE32 10->75 dropped 77 C:\Users\...\ZUqZmfezsvV.exe:Zone.Identifier, ASCII 10->77 dropped 79 C:\Users\user\AppData\Local\...\tmpE370.tmp, XML 10->79 dropped 81 SecuriteInfo.com.T...23925.30290.exe.log, ASCII 10->81 dropped 117 Contains functionality to bypass UAC (CMSTPLUA) 10->117 119 Contains functionalty to change the wallpaper 10->119 121 Contains functionality to steal Chrome passwords or cookies 10->121 127 5 other signatures 10->127 20 SecuriteInfo.com.Trojan.Inject4.59820.23925.30290.exe 1 4 10->20         started        24 powershell.exe 21 10->24         started        26 schtasks.exe 1 10->26         started        123 Multi AV Scanner detection for dropped file 14->123 125 Machine Learning detection for dropped file 14->125 28 schtasks.exe 16->28         started        30 remcos.exe 16->30         started        32 schtasks.exe 18->32         started        34 remcos.exe 18->34         started        signatures5 process6 file7 71 C:\ProgramData\Remcos\remcos.exe, PE32 20->71 dropped 73 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->73 dropped 109 Creates autostart registry keys with suspicious names 20->109 36 remcos.exe 5 20->36         started        39 conhost.exe 24->39         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        45 conhost.exe 32->45         started        signatures8 process9 signatures10 101 Multi AV Scanner detection for dropped file 36->101 103 Machine Learning detection for dropped file 36->103 105 Adds a directory exclusion to Windows Defender 36->105 107 Injects a PE file into a foreign processes 36->107 47 remcos.exe 36->47         started        51 powershell.exe 36->51         started        53 schtasks.exe 36->53         started        process11 dnsIp12 85 212.193.30.230, 3330, 49699, 49700 SPD-NETTR Russian Federation 47->85 87 geoplugin.net 178.237.33.50, 49701, 80 ATOM86-ASATOM86NL Netherlands 47->87 89 Maps a DLL or memory area into another process 47->89 91 Installs a global keyboard hook 47->91 55 remcos.exe 47->55         started        58 remcos.exe 47->58         started        60 remcos.exe 47->60         started        66 19 other processes 47->66 62 conhost.exe 51->62         started        64 conhost.exe 53->64         started        signatures13 process14 dnsIp15 111 Tries to steal Instant Messenger accounts or passwords 55->111 113 Tries to steal Mail credentials (via file / registry access) 55->113 83 192.168.2.1 unknown unknown 66->83 115 Tries to harvest and steal browser information (history, passwords, etc) 66->115 69 WerFault.exe 66->69         started        signatures16 process17
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-08-03 14:53:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxp2nsagnoyanlnrjefveval2lyetm2vnrgfd22zyteygdcjskda._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
136179ab4468cf49d8a048a24716546d4f3380c7f823320bd46e8f4510fb2380
RemcosRAT
41fba72245a47fc97ba08382fb31a6cb58d8fe33a5098948dc45fde442732790
RemcosRAT
8df743bfde0cc4b44753b7efdeb0f37e381a302f3248470cb949ed16730dd106
RemcosRAT
a279d0d918c8c3e075235db70b6c8086c4ca6332973c08035c6696c63315f85d
RemcosRAT
aeb0f38f394e7f520a237d6488b5562162bb3826ee07caeac4337994a61b1179
RemcosRAT
d021a19c0089bc53a0f8adbeb4fe2221bfbe0a2b6a503aca3f1948dce9580db4
RemcosRAT
d8ed3fb0de9b294adf3d48b7149010d51b01a9f9b262581aff015f1318999671
RemcosRAT
dd76fd61be4e869427bf5ec1e4d6bcc62a6afaef188412103f7376daff1762e8
RemcosRAT
e43e6ed9728722214571cc37b745086f7dc04731d08375bf54ee7cbe83cc6ace
RemcosRAT
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
RemcosRAT
+ 2'494 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat spyware stealer
Link:
https://tria.ge/reports/230803-t1ykcaed37/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
212.193.30.230:3330
Unpacked files
SH256 hash:
49145ed861b412bc015ff0800969052756deea17d5c6285da8f5937c0efdad46
MD5 hash:
0ef5168d36eee9ca0bcefcd84b907b70
SHA1 hash:
b40debea28d99750fe9b6a2b7d243eb35549aed5
Link:
https://www.unpac.me/results/2faadeec-d08e-46fe-a27a-1dfb40d48548/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/2faadeec-d08e-46fe-a27a-1dfb40d48548/
SH256 hash:
3d9f5ea8ca556999596abb635130081f1d64c5706117ba6282f5860ddc072df2
MD5 hash:
6e54cd25231c296bf2f0f9ac8164b253
SHA1 hash:
7caff39d9cc3eaf343e135f599a9cde4dc749b0a
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2faadeec-d08e-46fe-a27a-1dfb40d48548/
Parent samples :
36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51
877371d8ae10433714781fc8187b21a9bd55e01738d1e701603118d1e2b89944
a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286
e842b6dff73f8cc125170bafb505357263972cefc0d7187207295a207a6a3bdf
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
SH256 hash:
a6fcb6147a0c7b83a0e8f44d7334a7a0ac2b6e136420e06498f4dd23699b55dc
MD5 hash:
eaf7a14de24e5a828dd119aa1d1b30b5
SHA1 hash:
4eef6a2c404a31b009b273c5b3fbffedff4f6e39
Link:
https://www.unpac.me/results/2faadeec-d08e-46fe-a27a-1dfb40d48548/
SH256 hash:
a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286
MD5 hash:
482aadb6cf38bee408d0c0b8ae09c02c
SHA1 hash:
0ae60fc2f4ff6e057f9678191980c58fade6e48f
Link:
https://www.unpac.me/results/2faadeec-d08e-46fe-a27a-1dfb40d48548/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5dfa6c8066b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/440123/

Comments