MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772
SHA3-384 hash: c4f240753f2d26cfa0b7c82b1cbac8f0231ce73edc7c79720d74c2e8fd429c24bcd82258582c4d30829e3d1b2823dd63
SHA1 hash: b82fd7fc19665c17bef8f198b35cc867b990b322
MD5 hash: a2ed6ebe9a320464660946cd8b712a4c
humanhash: chicken-fanta-hot-march
File name:PO 001, 002, 003,.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'149'952 bytes
First seen:2023-02-03 12:26:24 UTC
Last seen:2023-02-08 21:53:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:seSqG4yPahfXlKdDxt3rJb8tyxD99PihBT0EKlV6F0xM:LRfXQdDxxeEK7YNyWi
Threatray 5'664 similar samples on MalwareBazaar
TLSH T15F35BFA337B095B2F78720B10438BA885BF07503BE56E2979BB737C46785DB77298142
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
4
# of downloads :
200
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PO 001, 002, 003,.exe
Verdict:
Malicious activity
Analysis date:
2023-02-03 12:27:50 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/664d1f09-99ec-4d50-82f7-98c4e5a7edb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/359876/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8422.25620.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63dcfd96416d38777a7a7c5d/reports/5a299c75-6b9d-4f16-b18f-fa540cd3f542/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/beacc8f3-568c-46ed-bfa4-d62b466ef47d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1165056
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 797827 Sample: PO 001, 002, 003,.exe Startdate: 03/02/2023 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 10 other signatures 2->56 7 PO 001, 002, 003,.exe 7 2->7         started        11 gkuNeC.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\gkuNeC.exe, PE32 7->36 dropped 38 C:\Users\user\...\gkuNeC.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpEE81.tmp, XML 7->40 dropped 42 C:\Users\user\...\PO 001, 002, 003,.exe.log, ASCII 7->42 dropped 58 Adds a directory exclusion to Windows Defender 7->58 13 PO 001, 002, 003,.exe 2 16 7->13         started        18 powershell.exe 21 7->18         started        20 MpCmdRun.exe 1 7->20         started        22 schtasks.exe 1 7->22         started        60 Multi AV Scanner detection for dropped file 11->60 62 Machine Learning detection for dropped file 11->62 64 Contains functionality to register a low level keyboard hook 11->64 24 gkuNeC.exe 15 11->24         started        26 schtasks.exe 1 11->26         started        signatures5 process6 dnsIp7 46 149.202.24.70, 1960, 49692, 49699 OVHFR France 13->46 48 geoplugin.net 178.237.33.50, 49696, 49700, 80 ATOM86-ASATOM86NL Netherlands 13->48 44 C:\ProgramData\remcos\logs.dat, data 13->44 dropped 66 Installs a global keyboard hook 13->66 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-03 12:27:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3fxijjphlsohwisygmd3zyma2wctru3fb5tdzc5fh564dglk5za._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
032f8672b774c3a0edd3b84b0f809e1901319a2b0a4a60704e75f92bdac4f7bb
RemcosRAT
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
RemcosRAT
23dd65161a7f297125c40f5c9e12d9c0bc9c314021a74de9d47ec8bc13146b18
RemcosRAT
62f4359aef9d0d604c03c099da375debd0d98f20cf4f673a5a32bd64989076ca
RemcosRAT
69b7150f7be7cfd685c50328e9554d28d99e9f7babdf19eb10ea350a3658f2ac
RemcosRAT
a06b22bc855434e422e2361ed4e07e88c5958b5bebecc34020c3c011b0ce03b2
RemcosRAT
c98bf80d5e23903e4934015e75f6c036130296519548b6014575207d2d296201
RemcosRAT
+ 5'654 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost server 2 rat
Link:
https://tria.ge/reports/230203-pmqv5afb87/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
149.202.24.70:1960
Unpacked files
SH256 hash:
178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad
MD5 hash:
159af9cf7f94d64c8120c80268965306
SHA1 hash:
fb41ab37af2c83e96d97e9cd066f90e72d4887ea
Link:
https://www.unpac.me/results/f76a0f5e-76d2-4d0c-913a-9444702bea28/
SH256 hash:
880f79bdfdd188e27b42a79455ec8e906a4bd807e3075033b473bcfb2a457ad8
MD5 hash:
43d38d73dafd1f88d2d9264438c3f3eb
SHA1 hash:
dd3c6eebc8be611ab418301cbfb5baf7008fb616
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f76a0f5e-76d2-4d0c-913a-9444702bea28/
Parent samples :
aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772
9172e039e1e9412067ba121f93ec85c4883992eefe71438b6b02e0635152732d
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/f76a0f5e-76d2-4d0c-913a-9444702bea28/
SH256 hash:
ffbe4ea16f798d95012a1e006c20add18cc04e357f5e8ccd5653c1e9c1cadf85
MD5 hash:
a9544a14c9b859aae2154483211b6e2a
SHA1 hash:
1435a4966fd88b8cf2f8ddef772a688fdc574349
Link:
https://www.unpac.me/results/f76a0f5e-76d2-4d0c-913a-9444702bea28/
SH256 hash:
818f2100d64928e40b95d9ad98774ce7de6986fb7d94decce0ca43dec8de589e
MD5 hash:
df47ac48f84b760f140ed2dd62f9e48d
SHA1 hash:
01bfe8e05c9db7df108bb30a314b5f35ce12dafa
Link:
https://www.unpac.me/results/f76a0f5e-76d2-4d0c-913a-9444702bea28/
SH256 hash:
aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772
MD5 hash:
a2ed6ebe9a320464660946cd8b712a4c
SHA1 hash:
b82fd7fc19665c17bef8f198b35cc867b990b322
Link:
https://www.unpac.me/results/f76a0f5e-76d2-4d0c-913a-9444702bea28/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aecb74252f3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/359876/

Comments