MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c
SHA3-384 hash: 1fdcfbf3121b5c9757dd6a406c2c5ed27a23295ab3f141fbd2f786907f8abbda8cf8807e22e96d5e9b882a6c0bd5ce87
SHA1 hash: 420c22359f11b7ab18fc5b50f9aa1f96bec49924
MD5 hash: 2f52e1e349c882c7e8e04435972cdb8f
humanhash: uranus-harry-chicken-magnesium
File name:2f52e1e349c882c7e8e04435972cdb8f
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:614'400 bytes
First seen:2022-08-25 15:58:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'627 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DoIL547Tu3XDG2l87Tyi0MKLftUv1epx0WhxwB:BL5e4G2C7Tyi09tUv4p+yxw
Threatray 871 similar samples on MalwareBazaar
TLSH T100D4BE22B5954E47D7B98BB5CD60D0A017B9BD6FA3BBE73E7E8460CC3971B018441A23
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13101/52/3)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 6670596f4f4e0d0a (34 x Loki, 25 x AgentTesla, 21 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bentcam Fiyat Teklifi 1200033536.doc
Verdict:
Malicious activity
Analysis date:
2022-08-25 06:04:32 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/345b9480-bc51-4b21-8522-658d056ac7ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301200/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching cmd.exe command interpreter
Launching a process
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug hacktool packed
Link:
https://www.filescan.io/uploads/63079c6dc7e5977f84e8e84c/reports/2d36f3a3-f78d-4db7-b39d-e12514775941/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6b544c0-fdc5-4963-a94c-f54535d6abfe
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057854
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 690368 Sample: EF38Q0bXM4 Startdate: 25/08/2022 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 12 other signatures 2->79 11 EF38Q0bXM4.exe 3 2->11         started        15 Windows Health Security.exe 2 2->15         started        17 Windows Health Security.exe 2 2->17         started        process3 file4 67 C:\Users\user\AppData\...F38Q0bXM4.exe.log, ASCII 11->67 dropped 97 Injects a PE file into a foreign processes 11->97 19 EF38Q0bXM4.exe 1 5 11->19         started        23 Windows Health Security.exe 2 15->23         started        99 Drops executables to the windows directory (C:\Windows) and starts them 17->99 26 Windows Health Security.exe 17->26         started        signatures5 process6 dnsIp7 63 C:\Windows\...\Windows Health Security.exe, PE32 19->63 dropped 65 Windows Health Sec...exe:Zone.Identifier, ASCII 19->65 dropped 89 Creates an autostart registry key pointing to binary in C:\Windows 19->89 28 cmd.exe 1 19->28         started        31 cmd.exe 1 19->31         started        71 referantsa12.duckdns.org 194.5.97.155, 4045, 49716 DANILENKODE Netherlands 23->71 91 Installs a global keyboard hook 23->91 33 cmd.exe 23->33         started        file8 signatures9 process10 signatures11 101 Uses ping.exe to sleep 28->101 35 Windows Health Security.exe 3 28->35         started        37 PING.EXE 1 28->37         started        40 conhost.exe 28->40         started        103 Uses cmd line tools excessively to alter registry or file data 31->103 105 Uses ping.exe to check the status of other devices and networks 31->105 42 reg.exe 1 31->42         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 reg.exe 33->49         started        process12 dnsIp13 51 Windows Health Security.exe 2 1 35->51         started        69 127.0.0.1 unknown unknown 37->69 95 Disables UAC (registry) 42->95 signatures14 process15 signatures16 81 Detected Remcos RAT 51->81 83 Writes to foreign memory regions 51->83 85 Allocates memory in foreign processes 51->85 87 Injects a PE file into a foreign processes 51->87 54 cmd.exe 1 51->54         started        57 iexplore.exe 51->57         started        process17 signatures18 93 Uses cmd line tools excessively to alter registry or file data 54->93 59 conhost.exe 54->59         started        61 reg.exe 1 54->61         started        process19
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-24 13:18:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
55
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdvg244wv3qw36vhovqn6rwfjyq5oi6v5cxsqsnh7jjethbrk46a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0882a5077bf0c576a83af0808f2f16512082a1381a65da8c35d48f92c24cb2af
RemcosRAT
363d7a3311977572fd1b31f908a44970a19e7abffdd755695e755e8f9f9316d6
RemcosRAT
633203f0585ea7bbd4876c9251d751d584d9840f28fa8ff32974253533340984
RemcosRAT
96856bdbe3c2b348ef6607ff23416238098ee7677480cbd596862e691ef2fea2
RemcosRAT
97c419445239463daaf12bb767b95cb44c43d4ae6d3320e24e2caa8a910ab2db
RemcosRAT
9c69722860cf9df9b7eda8ab91abe34682055cb221d069589924c329184993a1
RemcosRAT
a34669a4f919bfb5c570b7d5ad5eea4f5fdb276268afbdb6b540907f1ddefa83
RemcosRAT
b6f71c4a1961a1154820d097720ddd75ea641761305cef62268ad7b588670762
RemcosRAT
e1f6cb63f580a6303a39bc4ed897c156df8aa7a149cd5c982ffef28dda3e3095
RemcosRAT
f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163
RemcosRAT
+ 861 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:23rd aug brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/220825-te2pwagbc2/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
referantsa12.duckdns.org:4045
Unpacked files
SH256 hash:
ceda93fdfce3ad8e4f800d4f2d940d793b68b4b0b254b652bf42e13dbd189ba7
MD5 hash:
786afe844ec1723b635cace747b60efd
SHA1 hash:
fa647a584a7fcad392147a182e3a2435b3ad5bb9
Link:
https://www.unpac.me/results/095d4b87-bf24-4f1e-ab6e-7dcd0c2fcccf/
SH256 hash:
c98a833194b3902d633eedd2c9545f0c7f32471a643804501014427d5bece141
MD5 hash:
aa0488cb77ce43019e6b20ed4ce1cfaf
SHA1 hash:
e8523fe61db56ea4e35fb23954d3acc503c7dccf
Link:
https://www.unpac.me/results/095d4b87-bf24-4f1e-ab6e-7dcd0c2fcccf/
SH256 hash:
ba8d40b15d6fbe718b9d375637e9445f7a4c85715ab3734ac9678b8c41e2ae8a
MD5 hash:
a7d6ac3349520efa4a0b83ca3b1b1f49
SHA1 hash:
8f675edd160f04a9281028b9a1355bd4c1d78e14
Link:
https://www.unpac.me/results/095d4b87-bf24-4f1e-ab6e-7dcd0c2fcccf/
SH256 hash:
cb2131449ee88bee98e16a765b34b481efe707e69fc93394ccf35d4b04d7d768
MD5 hash:
e62f044726988a3d6704226f8b45e885
SHA1 hash:
5571a77a33d3fb437369a230e2fbfbd7c742d1f4
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/095d4b87-bf24-4f1e-ab6e-7dcd0c2fcccf/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/095d4b87-bf24-4f1e-ab6e-7dcd0c2fcccf/
SH256 hash:
a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c
MD5 hash:
2f52e1e349c882c7e8e04435972cdb8f
SHA1 hash:
420c22359f11b7ab18fc5b50f9aa1f96bec49924
Link:
https://www.unpac.me/results/095d4b87-bf24-4f1e-ab6e-7dcd0c2fcccf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe a8ea6d7396aee16dfaa77560df46c54e21d723d5e8af2849a7fa52499c31573c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2272201/
  
URLhaus
https://urlhaus.abuse.ch/url/2277981/
Cape
Cape
https://www.capesandbox.com/analysis/301200/

Comments


Avatar
zbet commented on 2022-08-25 15:59:10 UTC

url : hxxp://208.67.105.148/chungzx.exe