MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91
SHA3-384 hash: a20f082326af5cfb34e6777de9b80fa02c5a3521b0e3c66e8da8ecbfb976b28ae9fc9f0b896e3a151ad0c927b81e22be
SHA1 hash: 1e6131e9065458856c919588af5e0cfbcf68706b
MD5 hash: 2d7258fe9164899b775d30f66207955f
humanhash: lake-six-idaho-monkey
File name:New Europe RFQ & Samples for June-2022_Purchase_0622.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:122'880 bytes
First seen:2022-06-24 16:25:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 1536:5dfjkZULaAv4zn0glD/RDtE9tdl8ype5X5xRJ6Hhr:waLaAv4zn0WjRD+9tje5X5cBr
Threatray 1'397 similar samples on MalwareBazaar
TLSH T173C30A63F218A8DBEC7E67B2A9338A2615537C6A5770162D745AF3261AB33434007F1F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon cc92928282c282a2 (1 x Formbook, 1 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283119/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b5e59d62d792dc57420dbd/reports/da07d548-3256-40d8-9bee-4fab7e023597/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d8faa8a-f421-4fd4-ab3e-b79ba8d55c88
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1019477
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651973 Sample: New Europe RFQ & Samples fo... Startdate: 24/06/2022 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Yara detected Remcos RAT 2->50 52 5 other signatures 2->52 7 elsecur.exe 14 2 2->7         started        11 New Europe RFQ & Samples for June-2022_Purchase_0622.exe 16 5 2->11         started        14 elsecur.exe 2 2->14         started        process3 dnsIp4 34 162.159.134.233, 443, 49762 CLOUDFLARENETUS United States 7->34 54 Machine Learning detection for dropped file 7->54 56 Writes to foreign memory regions 7->56 58 Allocates memory in foreign processes 7->58 16 RegSvcs.exe 2 15 7->16         started        36 srv87291324.ultasrv.com 174.139.150.117, 443, 49752, 49755 VPLSNETUS United States 11->36 38 cdn.discordapp.com 162.159.133.233, 443, 49743 CLOUDFLARENETUS United States 11->38 26 C:\Users\user\AppData\Roaming\...\elsecur.exe, PE32 11->26 dropped 28 C:\Users\user\...\elsecur.exe:Zone.Identifier, ASCII 11->28 dropped 60 Injects a PE file into a foreign processes 11->60 20 RegSvcs.exe 11->20         started        40 162.159.135.233, 443, 49766 CLOUDFLARENETUS United States 14->40 42 192.168.2.1 unknown unknown 14->42 22 RegSvcs.exe 14->22         started        file5 signatures6 process7 dnsIp8 30 romec.shipnotifica.com 185.156.172.149, 2829, 49770 M247GB Romania 16->30 32 geoplugin.net 178.237.33.50, 49772, 80 ATOM86-ASATOM86NL Netherlands 16->32 44 Installs a global keyboard hook 16->44 24 WerFault.exe 23 9 20->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-06-24 13:43:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhcqkbmi6625hjoiqbwix5qnheftilziyewhxt6fqqrikwycx6iq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0639a34ed8b8a0702daec2d05da6afdd33c6c41dc2bb9cb2537c247825843adf
RemcosRAT
1e3d5369ea28851f7013099f82d535b12e3e88c72ae190fdf571fb9beb9e0ace
RemcosRAT
5f37b5f63e3badceb3ea40bb2a6cef92e466410bebbf6864d6d4b5100b6114eb
RemcosRAT
9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842
RemcosRAT
a805af78c614b848a5eb091882ea4d5d84a248b7183c99bf32169dc2d1d3090c
RemcosRAT
bec0e99c27a1be5e7f2ad71f8ebf6153a71ad0026c7a102db8228ad0638c37fe
RemcosRAT
c208cb83639f1b0a5bac59a310c377fb31f7d7dae0084f557461b8d4312c81a6
RemcosRAT
db5081b362e1b639dadf98a1d8e7ff79f7a9dcaee67417795bec75b8897973a0
RemcosRAT
+ 1'387 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:angiee persistence rat
Link:
https://tria.ge/reports/220624-txhdysdefm/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Remcos
Malware Config
C2 Extraction:
romec.shipnotifica.com:2829
Unpacked files
SH256 hash:
a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91
MD5 hash:
2d7258fe9164899b775d30f66207955f
SHA1 hash:
1e6131e9065458856c919588af5e0cfbcf68706b
Link:
https://www.unpac.me/results/53f33bb1-a48c-4d7f-9f36-d2c26ee0f398/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9c5050588f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/283119/

Comments