MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 11 File information Comments

SHA256 hash:	a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109
SHA3-384 hash:	1f95744623312aa9d68365ebf5dcc05d0c8a795ba745a928d2c4bc25427d059032bd32bf8df5145b6cb038075b86884d
SHA1 hash:	34b6152387cb43947bb00b47abd6903e28a8103d
MD5 hash:	e82163d300e4f3a3edd8a123c9acb9c1
humanhash:	football-cola-jupiter-virginia
File name:	rPO59687543.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	471'552 bytes
First seen:	2023-07-11 01:53:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:WSDk309x96zHcrpW42qUCPCdMWhA6QBdAgHH5GV2b2qr:Po3092zHopt/PCtA6QBzpqW
Threatray	2'384 similar samples on MalwareBazaar
TLSH	T117A4C4446B8A95B9CD3CB4BA9B9500C697BE31E32316FC241FCB997B37975480F62C24
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	e4e4ccdcb2c2c4cc (1 x RemcosRAT)
Reporter	FXOLabs
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

436

Origin country :

Vendor Threat Intelligence

Malware family:

avemaria

ID:

File name:

rPO59687543.exe

Verdict:

Malicious activity

Analysis date:

2023-07-11 01:53:38 UTC

Tags:

stealer rat avemaria warzone arkei remcos keylogger

Link:

https://app.any.run/tasks/167eed31-e7fa-4c75-9b09-1d579ae3a75b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WarzoneRAT

Link:

https://www.capesandbox.com/analysis/414838/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.17013.15895.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

DNS request

Reading critical registry keys

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin msbuild packed remcos

Link:

https://www.filescan.io/uploads/64acb63a57d1eb6a904eee13/reports/11de58af-68ee-4526-b01b-84d957713dc8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/932f18e9-b701-462c-b2db-232984873de3

Result

Threat name:

Remcos, AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1270430

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Set autostart key via New-ItemProperty Cmdlet

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected AveMaria stealer

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109/

Threat name:

Win32.Backdoor.Warzone

Status:

Malicious

First seen:

2023-07-11 01:54:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vfakejtnksvll54h4242hce7wpdblwlvjxsgvus2por2dnp6seeq._file

Verdict:

malicious

Label(s):

remcos

avemaria

RemcosRAT

4cd2a6b92caa467a8e4b72426b8d2823e1d00ef28a62b28e5df91527a8d44f65

RemcosRAT

555781a1e79cedec7352e9d85eb0a9f64dbbdee6873e481c91e35c48505e6ba2

RemcosRAT

64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6

RemcosRAT

845aea480b4e69994eec7fc5b5db0b1377746ac925bd093d327325c8d84bb576

RemcosRAT

853e1ec7d4d8fa449d88746cab1bfac6074e0d81e9a26ef6948793059e9bd781

RemcosRAT

b71ac80addac74e89b71f6893d989d7233d8174b8836138a3292cc1409ae8e58

RemcosRAT

f0b92472c6a95a379f7235c22460fdb3602d625a662141e7baecc48c049ad715

RemcosRAT

+ 2'374 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:remcos family:warzonerat botnet:remotehost collection infostealer persistence rat

Link:

https://tria.ge/reports/230711-cbjapaeb37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Warzone RAT payload

Remcos

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

91.192.100.10:10011
91.192.100.10:11010

Unpacked files

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

34cc7553faef904192ea574842eb176ae96934ac654ec1760a00fd328c86d050

MD5 hash:

d5b2ac87f730b3570898b7a678aa8fda

SHA1 hash:

2e8f9fe19ef49f98d426478974bac76c6d205845

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

34cc7553faef904192ea574842eb176ae96934ac654ec1760a00fd328c86d050

MD5 hash:

d5b2ac87f730b3570898b7a678aa8fda

SHA1 hash:

2e8f9fe19ef49f98d426478974bac76c6d205845

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

34cc7553faef904192ea574842eb176ae96934ac654ec1760a00fd328c86d050

MD5 hash:

d5b2ac87f730b3570898b7a678aa8fda

SHA1 hash:

2e8f9fe19ef49f98d426478974bac76c6d205845

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

34cc7553faef904192ea574842eb176ae96934ac654ec1760a00fd328c86d050

MD5 hash:

d5b2ac87f730b3570898b7a678aa8fda

SHA1 hash:

2e8f9fe19ef49f98d426478974bac76c6d205845

Detections:

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Warzone

win_ave_maria_auto

win_ave_maria_g0

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

SH256 hash:

a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109

MD5 hash:

e82163d300e4f3a3edd8a123c9acb9c1

SHA1 hash:

34b6152387cb43947bb00b47abd6903e28a8103d

Link:

https://www.unpac.me/results/cbc38fb2-2658-432e-b43f-d1562e828277/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a940a2266d54/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_AveMaria_31d2bce9 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/414838/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample