MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf
SHA3-384 hash: 59b7cf86d53b5fb50789e7593241ec1fbd5bf6337c8fd90585679bbfe4701d55845794abb52e70ed13fab04ad025e5bc
SHA1 hash: d55cb02313727444569c213fa0d8b173c9b35d2e
MD5 hash: 08e9247eb0fe99e7234bef53b9b3d7e0
humanhash: north-rugby-mars-jupiter
File name:Quote order#098799.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:618'564 bytes
First seen:2022-05-11 11:24:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:POdJmd2dntOCa0rCT193uAYUZAy84ph4W1YsMXms2WQLS1A:PODhdwCieV9CXigLS1A
Threatray 1'211 similar samples on MalwareBazaar
TLSH T1F0D4120035E8F4A3D5961576DEBA87FA47EAFD52E8211E132340BF69BD32D10F81B246
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8000ccb2b2463000 (1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269671/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.9782.7161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17124/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/627b9cdabd5c76586e2d69e9/reports/66705233-0256-49cb-88fd-52e95cab8c11/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2262c333-912c-4236-af14-f8f81de52581
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991786
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 10:13:24 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4u5keg5zyfmipbov6tzjwh7cr5u3iurpr7s7liko4hdo3lm4thq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1ccf09551ed031fa0755e2d2c22e05f8136cce389c5b6585d3f3395041637389
RemcosRAT
6d21985a34efde10ae60b32f3d1f309da2707f6421bdb78f1da14ec1341b22ec
RemcosRAT
6ea504859dafb477ac16b815e303fc121472298e1cbde707bf292b3432ec20e1
RemcosRAT
81a08b163648f4a09fbba230dc34b1b2c7e7e979fedc23c6bf89af0f39f32cff
RemcosRAT
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
RemcosRAT
e2957cb5fb3bc6646533495ea0e907b852d768839e39cd49f362b2cb1ab53df9
RemcosRAT
f75fd5ce522743fe012bdf743efc66e481d72d92b6eb0465621a77a4600ff6b5
RemcosRAT
+ 1'201 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220511-nhq5nabahl/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
172.111.234.100:5888
Unpacked files
SH256 hash:
8096b61989d6e3434c46dfce6d8b192b68853e21fea715dd9c0afd95a41191ae
MD5 hash:
e874ca178dd5bd3ec646ef28c6747fcc
SHA1 hash:
d41fc59648ae1b3ac6506fab7989ae4febf512ff
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/356f9d86-dd5d-4ff2-9060-fa0d02392f5d/
Parent samples :
2f17cd40cf8a6520415e48e9c34f34b51a2a518a92a6de312313ee6b2a9c4154
17e38f89882ee17379ea43d23f0bfafe3b6427beb83003de47569734d1d2891f
e2957cb5fb3bc6646533495ea0e907b852d768839e39cd49f362b2cb1ab53df9
f75fd5ce522743fe012bdf743efc66e481d72d92b6eb0465621a77a4600ff6b5
af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf
SH256 hash:
1b179c13c25937d3dff4a617e7e344ab8996022bb0e7ec31596afda7e9e56720
MD5 hash:
ef74dfadf1d96226467efcd01d6756ee
SHA1 hash:
63a762993e44cb53f3c41e1c85d01954a16b5992
Link:
https://www.unpac.me/results/356f9d86-dd5d-4ff2-9060-fa0d02392f5d/
SH256 hash:
af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf
MD5 hash:
08e9247eb0fe99e7234bef53b9b3d7e0
SHA1 hash:
d55cb02313727444569c213fa0d8b173c9b35d2e
Link:
https://www.unpac.me/results/356f9d86-dd5d-4ff2-9060-fa0d02392f5d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af29d510ddce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe af29d510ddce0ac43c2eafa794d8ff147b4da2917c7f2fad0a770e376d6ce4cf

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269671/

Comments