MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac2002a2d151a85bf5e48e8f7acc3c6c3992798b0d1fb08ac6c90131a0990a7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac2002a2d151a85bf5e48e8f7acc3c6c3992798b0d1fb08ac6c90131a0990a7a
SHA3-384 hash: d00759f9463784c2298dca709b64d74c55d219377fbc8c2fc67ee80183d357c07f6478f2b5a54e53e7a14663325e98cf
SHA1 hash: 98a67a75c46d17dcc676d4984eb9e13ebd164e9b
MD5 hash: 5845057831b78a3ccc9ba00270d6be46
humanhash: hotel-winner-kilo-lamp
File name:lol.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:464'896 bytes
First seen:2021-09-09 08:35:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:BQzKfyAV4e6WyzpY8xk9z7Qx75hXpogHxdoGrAdE4BZAhT1KV5SwXMXCD0EBMMv7:H16WytYGAID5V/X+iJ1KTdpDR4exM
Threatray 641 similar samples on MalwareBazaar
TLSH T141A401147992C026D1617EB5F92FB5F01BE8AD0BEA07D62F1D487FCE387128681C6E52
dhash icon 4927d969696d1200 (3 x RemcosRAT)
Reporter ankit_anubhav
Tags:exe remcos RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lol.scr
Verdict:
Malicious activity
Analysis date:
2021-09-09 08:38:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e3abccc-fbec-4b2f-95c4-07a324760a2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186546/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0dd1970d-b82f-4edb-85a1-52bc70b6e8dc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847934
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Drops executable to a common third party application directory
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 480365 Sample: lol.scr Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 52 time.google.com 2->52 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 7 other signatures 2->74 9 lol.exe 3 10 2->9         started        signatures3 process4 file5 44 C:\Users\user\AppData\...\photoshop.exe, PE32 9->44 dropped 46 C:\Users\user\AppData\Local\Temp\lol.exe, PE32 9->46 dropped 48 C:\Users\user\...\lol.exe:Zone.Identifier, ASCII 9->48 dropped 50 2 other malicious files 9->50 dropped 82 Creates an undocumented autostart registry key 9->82 84 Drops executable to a common third party application directory 9->84 13 lol.exe 9->13         started        17 wscript.exe 9->17         started        19 powershell.exe 17 9->19         started        21 4 other processes 9->21 signatures6 process7 dnsIp8 54 rebekauk.duckdns.org 185.140.53.216, 3814, 49812, 49813 DAVID_CRAIGGG Sweden 13->54 86 Tries to steal Mail credentials (via file registry) 13->86 88 Contains functionality to steal Chrome passwords or cookies 13->88 90 Contains functionality to inject code into remote processes 13->90 94 4 other signatures 13->94 23 lol.exe 13->23         started        26 lol.exe 13->26         started        28 lol.exe 13->28         started        92 Wscript starts Powershell (via cmd or directly) 17->92 30 powershell.exe 17->30         started        56 8.8.8.8.in-addr.arpa 19->56 58 4.4.8.8.in-addr.arpa 19->58 60 time.google.com 19->60 32 conhost.exe 19->32         started        62 8.8.8.8.in-addr.arpa 21->62 64 8.8.8.8.in-addr.arpa 21->64 66 12 other IPs or domains 21->66 34 conhost.exe 21->34         started        36 conhost.exe 21->36         started        38 conhost.exe 21->38         started        40 conhost.exe 21->40         started        signatures9 process10 signatures11 76 Tries to steal Instant Messenger accounts or passwords 23->76 78 Tries to steal Mail credentials (via file access) 23->78 80 Tries to harvest and steal browser information (history, passwords, etc) 26->80 42 conhost.exe 30->42         started        process12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac2002a2d151a85bf5e48e8f7acc3c6c3992798b0d1fb08ac6c90131a0990a7a/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 08:36:08 UTC
AV detection:
11 of 41 (26.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqqafiwrkgufx5per2hxvtb4nq4ze6mlbup3bcwgzeatdiezbj5a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b1970568987b6e2a949dde9d4e249d704cbfaf622c80741db02dd711838abff
RemcosRAT
1974f2f3c94bc79af6872802cae45f9113ce6b708635930a77aa73db92898852
RemcosRAT
4a8ae1e4845f9d27041cef35528f245961cd8b25399096d661d0d93df97375ce
RemcosRAT
5541f9d1656fe9d24b9048afc1dd005bf25d9aacac4e57f932bbdb19919776dd
RemcosRAT
6575fa393fb6628051e380e29e2933ceceb9099e1d6378ac2b137478b732ab5a
RemcosRAT
6b4a57c6eb6a005e9641a19c161334890128dfd6b15477f1add890041b7c8bf8
RemcosRAT
6eed5350c18b26f6aadaf28e5ceb48ca742db7fbee28fbe9aa7f3c552651e048
RemcosRAT
cbe42b277b9e2d8ad915917a6c9a6cca9858efb70c342462a0a6701b39dda1fc
RemcosRAT
f980b2377c9cd2ff4415608fff97031062be1788bfd981ae55f9e92c4985ada4
RemcosRAT
+ 631 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/210909-khlndsfgg2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
rebekauk.duckdns.org:3814
Unpacked files
SH256 hash:
a65d906ff922ce6433d4e336c7282213123d29b4a60360bd006b474fa073b1b6
MD5 hash:
38a15584e4237f862a8442fcbad40583
SHA1 hash:
5f0b4b26c8638d9dacf65d9c2708be9036d59d99
Link:
https://www.unpac.me/results/1adcbc6b-f905-4df6-8919-352caacefeb8/
SH256 hash:
485a3966aa0bd841d878878dd5a88c1f8096f262f98701062a19b790659dcd5b
MD5 hash:
5f2f4d162d83ba06413b5cbe313561b0
SHA1 hash:
069237c0bea5e2acae22a5f301a5df64a63cf538
Link:
https://www.unpac.me/results/1adcbc6b-f905-4df6-8919-352caacefeb8/
SH256 hash:
ac2002a2d151a85bf5e48e8f7acc3c6c3992798b0d1fb08ac6c90131a0990a7a
MD5 hash:
5845057831b78a3ccc9ba00270d6be46
SHA1 hash:
98a67a75c46d17dcc676d4984eb9e13ebd164e9b
Link:
https://www.unpac.me/results/1adcbc6b-f905-4df6-8919-352caacefeb8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ac2002a2d151/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac2002a2d151a85bf5e48e8f7acc3c6c3992798b0d1fb08ac6c90131a0990a7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186546/

Comments