MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5a1e827d96b4c4df1aad8363fe6bd7b4a83ace3f6e15b9689a0f2ddf74c8fb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5a1e827d96b4c4df1aad8363fe6bd7b4a83ace3f6e15b9689a0f2ddf74c8fb8
SHA3-384 hash: ca1d7f48606a1b66f361fe92a8b8cc5432cf1a5f31214600313ed65c1e94848aa917b8526fcf86d633a22189e2fb73fe
SHA1 hash: c5973275fcd61e4d52914104b464d93a7e9d8a55
MD5 hash: 7c12a559879bfc04c688fa00f83c7c89
humanhash: item-oxygen-helium-mike
File name:7c12a559879bfc04c688fa00f83c7c89
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:965'120 bytes
First seen:2022-12-02 00:53:29 UTC
Last seen:2022-12-02 02:27:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oCy0qU+ZrZSK5WJcNgYKPYdwVcW7SJM5mu1dVlFjtle2pNx8whmDdzoa1cfN:oZltSdk6cW7Rmu1dVntldxVmDdEPf
Threatray 4'274 similar samples on MalwareBazaar
TLSH T15225D08033A6AF71F5286BF36511904827B63C6E95F1D2295EDDF0DE2AB2B4049F0B17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d0d8d0c4c4c4dcd4 (12 x RemcosRAT, 3 x NanoCore, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Project_New_PO.xls
Verdict:
Malicious activity
Analysis date:
2022-11-30 18:33:42 UTC
Tags:
macros opendir exploit cve-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/93a13512-d267-4f74-ab4e-7c0d57d469bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.28253.21569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63894cae6ab8d544984c5de6/reports/00e1de94-1f96-4f7c-b747-d428dcd4ace1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/835cd1f6-b99a-4dee-a3b6-8df031a3c681
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126149
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 758898 Sample: opYYxFeG6x.exe Startdate: 02/12/2022 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 7 other signatures 2->52 7 opYYxFeG6x.exe 7 2->7         started        11 ePnxkugSsfE.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\...\ePnxkugSsfE.exe, PE32 7->32 dropped 34 C:\Users\...\ePnxkugSsfE.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpF1F4.tmp, XML 7->36 dropped 38 C:\Users\user\AppData\...\opYYxFeG6x.exe.log, ASCII 7->38 dropped 54 Uses schtasks.exe or at.exe to add and modify task schedules 7->54 56 Adds a directory exclusion to Windows Defender 7->56 13 opYYxFeG6x.exe 3 16 7->13         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        58 Multi AV Scanner detection for dropped file 11->58 60 Contains functionalty to change the wallpaper 11->60 62 Machine Learning detection for dropped file 11->62 64 5 other signatures 11->64 22 schtasks.exe 1 11->22         started        24 ePnxkugSsfE.exe 11->24         started        signatures5 process6 dnsIp7 42 onyem.myftp.org 193.169.253.184, 3527, 49696 SPRINT-SDCPL Poland 13->42 44 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 13->44 40 C:\ProgramData\remcos\logs.dat, data 13->40 dropped 66 Tries to harvest and steal browser information (history, passwords, etc) 13->66 68 Installs a global keyboard hook 13->68 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5a1e827d96b4c4df1aad8363fe6bd7b4a83ace3f6e15b9689a0f2ddf74c8fb8/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 11:07:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
49
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwq6qj6znnge34nk3a3d7zv5pnfihlhd63qvxfujudzn352mr64a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148
RemcosRAT
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
RemcosRAT
139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787
RemcosRAT
47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a
RemcosRAT
4f7e671c26e269961ffa6a6639a5522b66c06c8c119bdfb297797473bb7b4cbc
RemcosRAT
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
RemcosRAT
88729c3c2f0d440cb964a0b14af9f726a961700288ea860cc8db492685ca4546
RemcosRAT
a04d627bf01f18ee5ca0d47dac132c9ae2f12973aa9c54c331170d67967deb7d
RemcosRAT
c8f7124c43eb317024e9e329f6a05b8e278b3c6ac99a2f202406b719dbb815ca
RemcosRAT
+ 4'264 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:first rat spyware stealer upx
Link:
https://tria.ge/reports/221202-a8869sge87/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
Remcos
Malware Config
C2 Extraction:
onyem.myftp.org:3527
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3d354a64-84f1-4ef7-9b75-8d1afb88e978
Unpacked files
SH256 hash:
14c8132271a71df4b6b415c359abe6eea7a2f1b1e2e64765f1c347b5df51a6b2
MD5 hash:
e50c98719a2f9ec7e0ff502a52e30cd5
SHA1 hash:
6c9cba88deb897ba25d1f7dc4eb9c36fb53c3ec5
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/103cf4b3-8949-47fe-ac55-343413bcbd1a/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/103cf4b3-8949-47fe-ac55-343413bcbd1a/
SH256 hash:
bd10d6ff92e550076e37914d3f1255e35d017c450fb32d127d1ae3d74444ec8a
MD5 hash:
9975d54585364f8719e2b6db9cc3b434
SHA1 hash:
7ede7bd03c3ed0f655d05a68f0b9a6d7a65c205d
Link:
https://www.unpac.me/results/103cf4b3-8949-47fe-ac55-343413bcbd1a/
SH256 hash:
4ab3351ef0361f94d547f91493e5992d22f6dcd5e19513a167f11e4c6e90cf52
MD5 hash:
0ccd799d03c38ed9f8edaac6c7b7d27a
SHA1 hash:
41f7f1bf7865501882f603fd98d87c179ebfba4d
Link:
https://www.unpac.me/results/103cf4b3-8949-47fe-ac55-343413bcbd1a/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/103cf4b3-8949-47fe-ac55-343413bcbd1a/
SH256 hash:
b5a1e827d96b4c4df1aad8363fe6bd7b4a83ace3f6e15b9689a0f2ddf74c8fb8
MD5 hash:
7c12a559879bfc04c688fa00f83c7c89
SHA1 hash:
c5973275fcd61e4d52914104b464d93a7e9d8a55
Link:
https://www.unpac.me/results/103cf4b3-8949-47fe-ac55-343413bcbd1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5a1e827d96b4c4df1aad8363fe6bd7b4a83ace3f6e15b9689a0f2ddf74c8fb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b5a1e827d96b4c4df1aad8363fe6bd7b4a83ace3f6e15b9689a0f2ddf74c8fb8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/341680/
  
URLhaus
https://urlhaus.abuse.ch/url/2441285/

Comments


Avatar
zbet commented on 2022-12-02 00:53:33 UTC

url : hxxp://185.246.221.98/321/60E0G7UKRntM1TQ.exe