MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 12 File information Comments

SHA256 hash:	af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488
SHA3-384 hash:	fdf52f2ad53a9612ee4ca6fcbaed3eed9ac912afae8813d7f686b6e34833ba6d92859d90d8739630d01748b4c983f332
SHA1 hash:	207fc5fa07b2fcf9ac269ce550defd5e58135c07
MD5 hash:	1fe4db2d80bff33d4138d3e3f94d24f4
humanhash:	single-spaghetti-bluebird-mississippi
File name:	PO T9887 IQ-190031 CHC - CHAU HUY CUONG .exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	706'048 bytes
First seen:	2021-09-27 14:07:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:UWnAi/pRGco8cKz+zXoG+iM4MCJRfBnAc7gFqswMyriSiM3kR9daVQwgUlblEfxX:UWB/FFN+zXoG+iZR1MEnhiM3kFajhl+c
Threatray	652 similar samples on MalwareBazaar
TLSH	T1DBE4F1993A5071EFC457CD76CE145C14AAA0A4B6530BE643E88329EE9D4EBDACF011F3
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
31.210.20.224:22420

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
31.210.20.224:22420	https://threatfox.abuse.ch/ioc/227069/

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO T9887 IQ-190031 CHC - CHAU HUY CUONG .exe

Verdict:

Malicious activity

Analysis date:

2021-09-27 14:18:36 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/d701db01-1c68-468e-80eb-09fd8267b861

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/192144/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e9e967b-c482-4e15-9c71-03a92b25ff97

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/859200

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-13 07:04:52 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=v6p2op7wsb7xpvk2vrrxn47s44ywb7exv7wdmvxhpwunlyfgusea._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929

RemcosRAT

8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43

RemcosRAT

860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c

RemcosRAT

87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95

RemcosRAT

993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872

RemcosRAT

a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893

RemcosRAT

b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50

RemcosRAT

bfd45ef21e21655c921b457242c1d4e05a1e979d0051a4195192d8e17b7bed38

RemcosRAT

d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613

RemcosRAT

+ 642 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/210927-rfmk8shbe4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

fax-joh.dyn-ip24.de:22420

Unpacked files

SH256 hash:

beeb183d5362db4890c2d3ab4f037c8d980f6f7f083803f2c8c125f82d372803

MD5 hash:

626983e0fcca8599e5ee51a91e38a2d3

SHA1 hash:

f81d54289440e8e1fca94fd48dfad7f71b53c6fd

Link:

https://www.unpac.me/results/93b44fec-f7a9-4d7d-8539-b405178a5f46/

SH256 hash:

ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587

MD5 hash:

43ababb6b0a02907aad43084f12b10d9

SHA1 hash:

b60ba705891d5a666d64300181b475a46714ffa8

Link:

https://www.unpac.me/results/93b44fec-f7a9-4d7d-8539-b405178a5f46/

SH256 hash:

d50db54d0287d66ab2d897abbf801eff7f7d947fcaba4fc47d9598aac988f85b

MD5 hash:

5374f07f10cfe91adcc2c60d5aed9044

SHA1 hash:

7c433b6330159f3ea616fab3fb381ae4e61935c4

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/93b44fec-f7a9-4d7d-8539-b405178a5f46/

Parent samples :

6f92daf1987fdbeb08911e7081215c3bf8d5241428011e635ed1c61db6230bb0
8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43
993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872
af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488

SH256 hash:

af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488

MD5 hash:

1fe4db2d80bff33d4138d3e3f94d24f4

SHA1 hash:

207fc5fa07b2fcf9ac269ce550defd5e58135c07

Link:

https://www.unpac.me/results/93b44fec-f7a9-4d7d-8539-b405178a5f46/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/af9fa73ff690/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample