MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7
SHA3-384 hash: fdef8c0cf6cd8ab92c34cac8a19cf39ffaec7efa813e030e86a09e1096540bbf180cd7f9f4567c6424b7163e27135204
SHA1 hash: d53b7f8fb9d94f9d7c3e0bb25e568c7d45085cc7
MD5 hash: ab8c37489dc40216f3246179d4289bb5
humanhash: red-east-friend-zulu
File name:ab8c37489dc40216f3246179d4289bb5
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:432'128 bytes
First seen:2021-07-01 15:00:51 UTC
Last seen:2021-07-01 17:48:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Ddn7pFQ46n3YmKXXxifA8KvnbpHXuC+WnyM56:NQ46noVio8Kng9I
Threatray 1'855 similar samples on MalwareBazaar
TLSH F09447E595D8FFD7D1BB22712EE4B6004B634B5928148644ABCC651F3B226CF2782F27
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab8c37489dc40216f3246179d4289bb5
Verdict:
Malicious activity
Analysis date:
2021-07-01 15:09:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72ba5eef-5a7d-436d-8f6d-839103f29a77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169192/
Detection(s):
SecuriteInfo.com.W32.MSIL_Dropper.A.genEldorado.774.6895.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a482214-e7b4-475a-8921-313edf4a62cd
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810668
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443080 Sample: uQBk1InXEc Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 102 Found malware configuration 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 5 other signatures 2->108 14 uQBk1InXEc.exe 8 2->14         started        18 microsoft.exe 4 2->18         started        20 microsoft.exe 2->20         started        process3 file4 92 C:\Users\user\AppData\...\uQBk1InXEc.exe, PE32 14->92 dropped 94 C:\Users\...\uQBk1InXEc.exe:Zone.Identifier, ASCII 14->94 dropped 96 C:\Users\user\AppData\...\uQBk1InXEc.exe.log, ASCII 14->96 dropped 140 Writes to foreign memory regions 14->140 142 Injects a PE file into a foreign processes 14->142 22 uQBk1InXEc.exe 1 5 14->22         started        26 microsoft.exe 18->26         started        28 microsoft.exe 20->28         started        signatures5 process6 file7 88 C:\Users\user\AppData\...\microsoft.exe, PE32 22->88 dropped 90 C:\Users\...\microsoft.exe:Zone.Identifier, ASCII 22->90 dropped 124 Multi AV Scanner detection for dropped file 22->124 126 Machine Learning detection for dropped file 22->126 128 Contains functionality to detect virtual machines (IN, VMware) 22->128 130 4 other signatures 22->130 30 cmd.exe 1 22->30         started        33 cmd.exe 26->33         started        36 cmd.exe 28->36         started        signatures8 process9 dnsIp10 136 Uses ping.exe to sleep 30->136 138 Uses ping.exe to check the status of other devices and networks 30->138 38 microsoft.exe 8 30->38         started        41 PING.EXE 1 30->41         started        44 conhost.exe 30->44         started        98 192.168.2.1 unknown unknown 33->98 46 microsoft.exe 33->46         started        48 conhost.exe 33->48         started        50 PING.EXE 33->50         started        52 microsoft.exe 36->52         started        54 conhost.exe 36->54         started        56 PING.EXE 36->56         started        signatures11 process12 dnsIp13 116 Multi AV Scanner detection for dropped file 38->116 118 Machine Learning detection for dropped file 38->118 120 Writes to foreign memory regions 38->120 58 microsoft.exe 38->58         started        100 127.0.0.1 unknown unknown 41->100 122 Injects a PE file into a foreign processes 46->122 61 microsoft.exe 46->61         started        signatures14 process15 signatures16 132 Multi AV Scanner detection for dropped file 58->132 134 Machine Learning detection for dropped file 58->134 63 cmd.exe 58->63         started        66 cmd.exe 61->66         started        process17 signatures18 144 Uses ping.exe to sleep 63->144 68 microsoft.exe 63->68         started        71 conhost.exe 63->71         started        73 PING.EXE 63->73         started        75 conhost.exe 66->75         started        77 PING.EXE 66->77         started        79 microsoft.exe 66->79         started        process19 signatures20 112 Writes to foreign memory regions 68->112 114 Injects a PE file into a foreign processes 68->114 81 microsoft.exe 68->81         started        process21 process22 83 cmd.exe 81->83         started        signatures23 110 Uses ping.exe to sleep 83->110 86 conhost.exe 83->86         started        process24
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 15:01:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 29 (51.72%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b21cb47c8a19319e7a3ea04878670d09a51e7b377fdcb9e0009f1cb0700348b
RemcosRAT
34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566
RemcosRAT
3a222c1cf4a6781bec3be666c9093c809f80be4f1d4760805aba6f6827e1d278
RemcosRAT
4c11b7fb217b3675e60d659ce0a2c3eee1bdbd3e3ddba1ad6d762878f62534d1
RemcosRAT
657cf5b353228351f20b758886ed20ea09b2f2ad0740ab826e8ffdf2df8ab947
RemcosRAT
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
RemcosRAT
753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
d45d40989488d330e82db097aa2d857ea5d620526171cd8fb145ef62cb4ea701
RemcosRAT
f19b2e31a0bc55cb5d4ab540605cfeffca6dd241cbe4e96e065d403a7273534a
RemcosRAT
+ 1'845 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:host persistence rat
Link:
https://tria.ge/reports/210701-y48bxb6xy6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
oklahama.ydns.eu:7533
Unpacked files
SH256 hash:
961a4ff801c9e0b514f29e89488a82fb1fcdc573d36523bedadc868efbffbd21
MD5 hash:
ac113c7b3b316adfd1a51aa47c8f5ea6
SHA1 hash:
0eda272aafaebf22074f07d6dbab4b8462a9ee34
Link:
https://www.unpac.me/results/3c9b7077-34a1-4449-82b4-1309ea146e47/
SH256 hash:
ef4ea4afa0383f32b444da7c11c736e73af04b1b354446eae51e63a1696a66a6
MD5 hash:
7a27271fb20faea2595d763173bd1122
SHA1 hash:
6e3467b8973a2679f9a9a7bc586adc5db08a010e
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/3c9b7077-34a1-4449-82b4-1309ea146e47/
SH256 hash:
8e2e72df90b65fb518f5688488169abbb3485daf2bd834b28bf6261905c07a35
MD5 hash:
595353790e2015ed29d1123c02e44644
SHA1 hash:
7c1cd783afd37eb84d3cbfdce8681e2fddc0a9d3
Link:
https://www.unpac.me/results/3c9b7077-34a1-4449-82b4-1309ea146e47/
SH256 hash:
b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7
MD5 hash:
ab8c37489dc40216f3246179d4289bb5
SHA1 hash:
d53b7f8fb9d94f9d7c3e0bb25e568c7d45085cc7
Link:
https://www.unpac.me/results/3c9b7077-34a1-4449-82b4-1309ea146e47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b09cafd97a01e079b28616295179f5ee5269b5f24b8bb25e4fa15625729077f7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1416565/
Cape
Cape
https://www.capesandbox.com/analysis/169192/

Comments


Avatar
zbet commented on 2021-07-01 15:00:52 UTC

url : hxxp://okcupid.ydns.eu/AppData.exe