MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e
SHA3-384 hash: c7f127d9852cff84aa38d56429073534090a1a5c75c03957d6e2e2ef006a2a41a06e2c8e67c6adaea050b534636e8156
SHA1 hash: 7591c97515082d6f0fbbee28a277a290e756e3d5
MD5 hash: eeb9a0cbacc1f8eeb6d10baaf9871d5f
humanhash: low-hot-johnny-ohio
File name:king33.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:621'181 bytes
First seen:2023-12-19 15:09:52 UTC
Last seen:2023-12-19 16:16:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 12288:KqdTMofQULyAHjeYspjDhwW+Fvr/obAVenkfhzsb6jPeC:KqdTMooAyADeJjj+xEbAVekdsb6B
Threatray 3'250 similar samples on MalwareBazaar
TLSH T101D4012937D7C872C6C52AB65FA0E7BB8365CC0F1658475B52E03E637EBF0865879082
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468514/
Detection(s):
SecuriteInfo.com.FileRepMalware.9266.9331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed remcos shell32
Link:
https://www.filescan.io/uploads/6581b256b4e856b7281fe2db/reports/9ff2ce20-c807-4df6-b952-591c39ae7126/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87d9f54b-7d7c-4874-8222-5a325fdbd62a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364595
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364595 Sample: king33.exe Startdate: 19/12/2023 Architecture: WINDOWS Score: 100 35 geoplugin.net 2->35 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 5 other signatures 2->55 8 king33.exe 18 2->8         started        11 rnwgclqavfo.exe 2->11         started        14 rnwgclqavfo.exe 2->14         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\yekthtsv.exe, PE32 8->31 dropped 16 yekthtsv.exe 1 2 8->16         started        59 Antivirus detection for dropped file 11->59 61 Contains functionality to bypass UAC (CMSTPLUA) 11->61 63 Detected unpacking (changes PE section rights) 11->63 67 8 other signatures 11->67 20 rnwgclqavfo.exe 11->20         started        65 Maps a DLL or memory area into another process 14->65 22 rnwgclqavfo.exe 14->22         started        signatures6 process7 file8 29 C:\Users\user\AppData\...\rnwgclqavfo.exe, PE32 16->29 dropped 41 Antivirus detection for dropped file 16->41 43 Contains functionality to bypass UAC (CMSTPLUA) 16->43 45 Detected unpacking (changes PE section rights) 16->45 47 10 other signatures 16->47 24 yekthtsv.exe 3 16 16->24         started        signatures9 process10 dnsIp11 37 109.248.151.72, 49729, 7770 DATACLUBLV Russian Federation 24->37 39 geoplugin.net 178.237.33.50, 49730, 80 ATOM86-ASATOM86NL Netherlands 24->39 33 C:\ProgramData\remcos\logs.dat, data 24->33 dropped 57 Installs a global keyboard hook 24->57 file12 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 15:10:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6tjliyjutlthprw2ifxpqutfen7v5bbzvrejnhemem7zk3dcqpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
280945c850b2ee81256b36dacdec35b2bbc147c3cba57b344cd50bf464d74f97
RemcosRAT
2e2abfd4db12a9c2377450a9ac0fd7bc4657b235f605d1a14de3e6b5c4b65744
RemcosRAT
3cb93d166196c1400e069fd437153d956df26d587c969c2c1a525874633a1e99
RemcosRAT
6234e49bf7956d3dcceda1ef8e631c3794df29a6a29afa2e2a1dfa18abbd1153
RemcosRAT
9ef9b4a8ab8366ea77b049febf61fd2003aa90b9b38f5c301bff8a60a0feef24
RemcosRAT
ab1a6d657eff3d3eb8927d5dab552f15e8783ae738a604db7630d4356d2b48b9
RemcosRAT
ca49853927005b03dcbfc86f17f34e28120cb37f0a9cd9ead30b38f9c9a7b816
RemcosRAT
+ 3'240 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:king3 persistence rat
Link:
https://tria.ge/reports/231219-sj14gabdep/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
109.248.151.72:7770
109.248.151.72:2179
Unpacked files
SH256 hash:
6246b1279d10205d0c077927dbd08671b542ab5865fe55b4b3541caf255d6a5f
MD5 hash:
472917cbb9b4797c36242ae49e52ea5c
SHA1 hash:
156740454a5f480664ac855f71df3ecdd6d07060
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/8f566869-ba5f-4071-9203-6ba56635f42c/
SH256 hash:
b3b38160542a8e168e4119b0daecd564e83db726801c2ccb419752e15957f79c
MD5 hash:
91194ac966c72465e7b0d542468e51bd
SHA1 hash:
adc49b28755980a4636be1e401859929b2db07ca
Link:
https://www.unpac.me/results/8f566869-ba5f-4071-9203-6ba56635f42c/
SH256 hash:
a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e
MD5 hash:
eeb9a0cbacc1f8eeb6d10baaf9871d5f
SHA1 hash:
7591c97515082d6f0fbbee28a277a290e756e3d5
Link:
https://www.unpac.me/results/8f566869-ba5f-4071-9203-6ba56635f42c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7a695a309a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe a7a695a309a4d733be36d20b77c293291bfaf421cd6244b4e46119fcab63141e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468514/

Comments