MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219
SHA3-384 hash: c4c8f631493a4e3ccd151c0db5ac3934b12909240b184863530d3bf4cf75ebc33c23b69aeff5392376870bd5f9bb502f
SHA1 hash: 5895b3f88e335c9884d740bcf8f2965d8aba286c
MD5 hash: 582bd6f5d1720c34d07ea51b37b0a15d
humanhash: autumn-oven-ceiling-carbon
File name:SecuriteInfo.com.Variant.MSILHeracles.84870.1065.31623
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:8'704 bytes
First seen:2023-06-06 12:29:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 192:DyqfXcLYLbPdblLgdSOpoKL49Xi2q1AULmAFTIx:DxfXcLYLbPdblLgdSOpoDPYJRI
Threatray 2'018 similar samples on MalwareBazaar
TLSH T124025C15A7588737CDB207B2B87393801631A34D296BC76F4844902F9F533918AE2BF1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.MSILHeracles.84870.1065.31623
Verdict:
Malicious activity
Analysis date:
2023-06-06 12:32:01 UTC
Tags:
keylogger remcos
Link:
https://app.any.run/tasks/94716618-d931-4238-a83f-6f393bddcf72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396118/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.84870.1065.31623.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed phishing
Link:
https://www.filescan.io/uploads/647f2698d9e80ec751eb49b1/reports/11403c4e-6902-42b6-8e22-540e3a4f5224/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cefe6de3-b76d-4f18-9348-5d9d8430b959
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1249531
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 882548 Sample: SecuriteInfo.com.Variant.MS... Startdate: 06/06/2023 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 10 other signatures 2->54 7 SecuriteInfo.com.Variant.MSILHeracles.84870.1065.31623.exe 16 7 2->7         started        12 Pzkyjinfb.exe 14 4 2->12         started        14 Pzkyjinfb.exe 3 2->14         started        process3 dnsIp4 44 akdental.ro 192.185.129.86, 49693, 49716, 49717 UNIFIEDLAYER-AS-1US United States 7->44 34 C:\Users\user\AppData\...\Pzkyjinfb.exe, PE32 7->34 dropped 36 C:\Users\...\Pzkyjinfb.exe:Zone.Identifier, ASCII 7->36 dropped 38 SecuriteInfo.com.V....1065.31623.exe.log, ASCII 7->38 dropped 56 Encrypted powershell cmdline option found 7->56 58 Writes to foreign memory regions 7->58 60 Injects a PE file into a foreign processes 7->60 16 InstallUtil.exe 3 15 7->16         started        20 powershell.exe 16 7->20         started        62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 22 powershell.exe 12->22         started        24 InstallUtil.exe 12->24         started        26 powershell.exe 14->26         started        file5 signatures6 process7 dnsIp8 40 45.12.253.190, 35789, 49714 CMCSUS Germany 16->40 42 geoplugin.net 178.237.33.50, 49715, 80 ATOM86-ASATOM86NL Netherlands 16->42 46 Installs a global keyboard hook 16->46 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 26->32         started        signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-06-06 12:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjtenws5i65777hiqb2saws6nqnpmed2twxh33eywfhhypiceimq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
093211c83f13bdaa0ab037352beee293ce3d1e2c023d865c87bd86b61509f3f4
RemcosRAT
2357715c5efe498cf7fa970768a04ba8fbb4f4f6dee530aba9c719681cbc90a7
RemcosRAT
3e6ec18ecee467ac76807198be9c02531fd7091545056260ef164354846e59a6
RemcosRAT
3f07585c2ab00f3f8cb68b6c3a461c0b267c52531a5bca15d59a6cad1cbbc6f7
RemcosRAT
4424663695e9749f70cf73c587c910202344b18aa86144ca748aede28239a13f
RemcosRAT
6e3cf5c7cccc4369fbed86c4de5bb59d7bb40c1ced10cab8b0bc733299d45ea1
RemcosRAT
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
RemcosRAT
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
RemcosRAT
c1ccc7e57074fb432d2de187fca944ac480e5b2ad68ad7cc52388e3381990396
RemcosRAT
ea2f8aca010aba1f0ebb0b5af2de53b2a4106d5feb147f34e0a8e615eccd77c1
RemcosRAT
+ 2'008 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:crypted persistence rat
Link:
https://tria.ge/reports/230606-pnyblaeb31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
45.12.253.190:35789
Unpacked files
SH256 hash:
aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219
MD5 hash:
582bd6f5d1720c34d07ea51b37b0a15d
SHA1 hash:
5895b3f88e335c9884d740bcf8f2965d8aba286c
Link:
https://www.unpac.me/results/d2299802-d896-4c5a-a1ee-8e4d3cff1c9e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa6646da5d47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/396118/
  
URLhaus
https://urlhaus.abuse.ch/url/2653749/
  
Delivery method
Distributed via web download

Comments