MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80
SHA3-384 hash: 05da3a0ca6f39471efa2d4774223910a76dde2f6a49a3fdba2afaeb3022051da6a54776b20e1e099d4351148b45584f3
SHA1 hash: 0be9416d3ca3ab36ffa1f2da9f3d20d4841bb468
MD5 hash: 5e9770c2b22b03e5726285900afab954
humanhash: johnny-robin-carpet-happy
File name:remcos.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:448'512 bytes
First seen:2023-02-22 08:52:02 UTC
Last seen:2023-02-22 10:51:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:UcvQhDq4/JyZZekWNM2awjIuEOnPmpK0Gg/s5pCuH5qnA4vZaTKVeiauV9arNqfk:WYnekQVawrwn/s5ptqHRveiFaruk
Threatray 1'486 similar samples on MalwareBazaar
TLSH T11A949D87A54C4E56F13A57FE3BA3E611C357492E6742C086847CA1BDE7E225E0D32B8C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon f8d888c898a89098 (8 x Loki, 4 x NanoCore, 4 x AgentTesla)
Reporter fkdk11347112
Tags:exe RAT RemcosRAT remocs

Intelligence

File Origin
# of uploads :
3
# of downloads :
255
Origin country :
EG EG
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
remcos.infected.bin
Verdict:
Malicious activity
Analysis date:
2022-06-21 19:29:15 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/6513502d-5271-4e91-a781-5f2865996769

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368877/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.3.Gen.32756.7678.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
glupteba packed remcos
Link:
https://www.filescan.io/uploads/63f5d7b942bf85850e3ee402/reports/e9d190cd-909b-4190-8a27-a81297879acb/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.3
Link:
https://www.hybrid-analysis.com/sample/ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d69f791c-db4e-4181-8709-f7feb7c2dca3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180362
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813193 Sample: remcos.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 7 other signatures 2->55 10 remcos.exe 3 2->10         started        14 VLC.exe 2 2->14         started        16 VLC.exe 2 2->16         started        process3 file4 43 C:\Users\user\AppData\...\remcos.exe.log, ASCII 10->43 dropped 57 Contains functionality to steal Chrome passwords or cookies 10->57 59 Contains functionality to capture and log keystrokes 10->59 61 Contains functionality to inject code into remote processes 10->61 63 Contains functionality to steal Firefox passwords or cookies 10->63 18 remcos.exe 4 5 10->18         started        65 Injects a PE file into a foreign processes 14->65 21 VLC.exe 14->21         started        23 VLC.exe 16->23         started        signatures5 process6 file7 37 C:\Users\user\AppData\Roaming\VLC\VLC.exe, PE32 18->37 dropped 39 C:\Users\user\...\VLC.exe:Zone.Identifier, ASCII 18->39 dropped 41 C:\Users\user\AppData\Local\...\install.vbs, data 18->41 dropped 25 wscript.exe 1 18->25         started        process8 process9 27 cmd.exe 1 25->27         started        process10 29 VLC.exe 3 27->29         started        32 conhost.exe 27->32         started        signatures11 67 Antivirus detection for dropped file 29->67 69 Multi AV Scanner detection for dropped file 29->69 71 Machine Learning detection for dropped file 29->71 73 Injects a PE file into a foreign processes 29->73 34 VLC.exe 2 4 29->34         started        process12 dnsIp13 45 192.168.2.1 unknown unknown 34->45 47 bekleyen.myq-see.com 34->47
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-04-22 03:08:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vu64piggzyz2pzcxowzuki2d5n2i7k4iemyr35mniwm5niqd76aa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f307822855aabba644e0f79751eeb5f26e0575ae5ade7c6507c6d1ea7a64725
RemcosRAT
18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27
RemcosRAT
3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9
RemcosRAT
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
RemcosRAT
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
RemcosRAT
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
RemcosRAT
c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff
RemcosRAT
de45e137eeda4de58d4840e499559e36ee01256b6180e87249ec035525db6b9c
RemcosRAT
eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18
RemcosRAT
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
RemcosRAT
+ 1'476 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/230222-ksr8xscc8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
bekleyen.myq-see.com:2424
Unpacked files
SH256 hash:
023efddb6456fd7b9862de350dadd9e0f910efd8fdc32534c2eedae37304983c
MD5 hash:
441176f973d3e92524dd67b577d8900b
SHA1 hash:
23d686b10e2dc3129e112eccf4b26e25f5dc9701
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/49842e9e-2e11-4673-9113-18fd84aaf672/
SH256 hash:
cb0bd98d9d0cc7dddf7ec5b0fc904ed456f986c20cccd9b5d5eb7bf7589ce25b
MD5 hash:
46b0773c9ada3033125e4cd9c73a81f4
SHA1 hash:
ece5ca551a3ffdef75ad7df0b08285a8e9d76ead
Link:
https://www.unpac.me/results/49842e9e-2e11-4673-9113-18fd84aaf672/
SH256 hash:
f9b2067d99d2bac7fabc24deb65a47937f57ad4423db9c1fc4a434fdc8c979f3
MD5 hash:
c43fa04b58f051bfeadb5ebd1c1163b8
SHA1 hash:
c25d60bb0655ce66f5768505716fbe4bbe269a8b
Link:
https://www.unpac.me/results/49842e9e-2e11-4673-9113-18fd84aaf672/
SH256 hash:
0e40aaf45c3768bb3a86e8a212edab1abb9259ddb14ff37f125d88a9c21cb6cb
MD5 hash:
381280d1054840c4cde129a4d8ce8e4f
SHA1 hash:
2035f7807660d6510328c24d8261eee12eb38958
Link:
https://www.unpac.me/results/49842e9e-2e11-4673-9113-18fd84aaf672/
SH256 hash:
cbfcd7dbb7244751b44007d7e7e67e362946da20fc2a2ebc8d242bb52ca8c8a4
MD5 hash:
06bd2c0097e3cfc03b530ba1391846e3
SHA1 hash:
006ca486d95be69b20ad40418e70ac190d885bd1
Link:
https://www.unpac.me/results/49842e9e-2e11-4673-9113-18fd84aaf672/
SH256 hash:
ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80
MD5 hash:
5e9770c2b22b03e5726285900afab954
SHA1 hash:
0be9416d3ca3ab36ffa1f2da9f3d20d4841bb468
Link:
https://www.unpac.me/results/49842e9e-2e11-4673-9113-18fd84aaf672/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad3dc7a0c6ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ad3dc7a0c6ce33a7e45775b3452343eb748fab8823311df58d4599d6a203ff80

(this sample)

  
Dropping
RAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/368877/

Comments