MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea
SHA3-384 hash: e6d26a9052502fe666bd3971abaae0808c229c0f4fd7110f08836aa712a6cd2d3b705c2d957091fe00b038e44fdfbd46
SHA1 hash: 3fa385c7b30be60c6e37ac70c5ba041ce01f4257
MD5 hash: cb1264cb0bde25f22462e59f6d4a3917
humanhash: sixteen-quiet-violet-failed
File name:cb1264cb0bde25f22462e59f6d4a3917
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:908'288 bytes
First seen:2022-05-20 13:28:57 UTC
Last seen:2022-05-20 14:47:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6xa3zh7lztbxde+Cyr+joRDmNv3MzRRCpLDvv99VNX7PJlq+n1LnbT0hsA7onhUc:qoDzBFCyrehvM63vv3H3bxdwqUZ
Threatray 2'083 similar samples on MalwareBazaar
TLSH T103152388B6B98F79D86C57B2A092C10053FB1CE57953EE0D9FA130858CB3B60475A77B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d0d8d0c4c4c4dcd4 (12 x RemcosRAT, 3 x NanoCore, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
000002-Scan_Copy.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-20 12:48:02 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/eb629750-0049-4273-a1ca-ab2152f21f29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273058/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1348.316.6531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/628797a03223462f89d5dcf3/reports/2eb21104-373c-4025-aa64-5cf5f5fbbf59/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d00a364-fa32-40a2-a92d-0eb18b6a39b9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998635
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631154 Sample: YE7W8nbjDv Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 5 other signatures 2->35 7 YE7W8nbjDv.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\HXnNcwQLngZf.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpEDB6.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\...\YE7W8nbjDv.exe.log, ASCII 7->27 dropped 37 Uses schtasks.exe or at.exe to add and modify task schedules 7->37 39 Adds a directory exclusion to Windows Defender 7->39 11 powershell.exe 25 7->11         started        13 schtasks.exe 1 7->13         started        15 vbc.exe 7->15         started        17 4 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 11:14:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgv3ccvolahirpaz3ys763smgrt3sdpcb4q7kbltxihnen7qphva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a63019ffa3ae538033ff20cd9fe5a160d45841f47fbd396a461bc7e8ae34aca
RemcosRAT
2b001efb73728bc1e2eb6673245d9ce216a70b7b67c779824905ed29eda85038
RemcosRAT
2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395
RemcosRAT
a0e98fb5bfa5b1671c5b14e841ffe75432057cda5149ab60995ccd6e21dc29c6
RemcosRAT
a699fd6cdf390a24f20aff0eff58a571088585ca7197464d3729a49e3bae6652
RemcosRAT
a9a3cf652bccfa1482aa9856a8c3ffe6ecd932d877f807cbe657130bd93f4de9
RemcosRAT
fa889c904ddf5bce4235c8a83a72c51bd7d59bd181cc5d89d36757f6e56ec448
RemcosRAT
+ 2'073 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/220520-qq8e1sdha3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
power22.myftp.org:6211
Unpacked files
SH256 hash:
285fa424f04aea7fb7fd723ced3c8573b95c93ba2b0535933cffeb9bf2c0a954
MD5 hash:
28722ca63496f7d82ef2966b866a0427
SHA1 hash:
29d8f70fade6e7902a91530b47cbaa943cf57c68
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/b8e82280-0ac1-4917-93fa-c2352b4776a0/
Parent samples :
a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea
b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92
SH256 hash:
385fe0106d165a9b374d0e8f724adcdd26597511545b1de87cd00c21ad6cf6f3
MD5 hash:
ebb84453b13bfd03152767e4fdc6c596
SHA1 hash:
4d3475ee937b8cd10552b93993d238a4d9f25613
Link:
https://www.unpac.me/results/b8e82280-0ac1-4917-93fa-c2352b4776a0/
SH256 hash:
187700e1704dbfc438d8e0e47ed6d15b4d4e0bffa638216eddfcc51ec0a2d617
MD5 hash:
3a0fe46229da323fff01b7e23b6c484b
SHA1 hash:
f795f8ad1a08e3ab98bc3db2b51683fdfba99f66
Link:
https://www.unpac.me/results/b8e82280-0ac1-4917-93fa-c2352b4776a0/
SH256 hash:
b295fbe4ca39bf78db74392aca65ea85f6aeabcf786716a8859e032cc282ee86
MD5 hash:
d74a518cacc0bc147fe7eceefd676548
SHA1 hash:
dde63683f935ed38717c31cbd297f90e2b257b2e
Link:
https://www.unpac.me/results/b8e82280-0ac1-4917-93fa-c2352b4776a0/
SH256 hash:
a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea
MD5 hash:
cb1264cb0bde25f22462e59f6d4a3917
SHA1 hash:
3fa385c7b30be60c6e37ac70c5ba041ce01f4257
Link:
https://www.unpac.me/results/b8e82280-0ac1-4917-93fa-c2352b4776a0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9abb10aae58/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe a9abb10aae580e88bc19de25ff6e4c3467b90de20f21f50573ba0ed237f079ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2204011/
Cape
Cape
https://www.capesandbox.com/analysis/273058/

Comments


Avatar
zbet commented on 2022-05-20 13:29:06 UTC

url : hxxp://104.243.37.55/800/0987654321345678-REVISED_PI.exe