MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec
SHA3-384 hash: 9f2121465ac32ab2623c49582ca7b8b95d398bc15276dd80630de838c3502908cccedf0d52edbc02fbe661ec9de25997
SHA1 hash: 830d70f1d1ed270b04e172b5d308b7161fc846f1
MD5 hash: a132b66d18edcb449168da14eae57dc2
humanhash: eight-zebra-artist-venus
File name:a132b66d18edcb449168da14eae57dc2.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'123'328 bytes
First seen:2023-03-01 19:05:06 UTC
Last seen:2023-03-01 20:29:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZUOWShbopAJkP3Pg/Mo4bF67E7cvDa+SJT+ppknX52zEw/ugJs8rktlQAI/D1azX:+AWgl4bg75MJThXsXlCLQ7D1qCIV
Threatray 20 similar samples on MalwareBazaar
TLSH T1AA356B4136F9D111EDCF327D091C958A7D79A607A152F22A9B7636C2931BBF7B2CC082
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chungzx.bin
Verdict:
Malicious activity
Analysis date:
2023-03-01 06:59:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fab472d4-70c0-4756-9367-d75d9c50cbd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370947/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.61127.26594.31100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching a process
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/63ffa21c2ea6b3696630403f/reports/10a6824f-ee3e-473e-b8ef-68a2b91d8765/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc212855-a19d-446e-b684-91d2e37c2ed0
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185157
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 818018 Sample: 8OK7E0tYfD.exe Startdate: 01/03/2023 Architecture: WINDOWS Score: 100 79 Malicious sample detected (through community Yara rule) 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 7 other signatures 2->85 11 8OK7E0tYfD.exe 3 2->11         started        15 Windows Audio Service.exe 2 2->15         started        17 Windows Audio Service.exe 2 2->17         started        process3 file4 71 C:\Users\user\AppData\...\8OK7E0tYfD.exe.log, ASCII 11->71 dropped 105 Contains functionality to detect virtual machines (IN, VMware) 11->105 107 Contains functionality to steal Chrome passwords or cookies 11->107 109 Contains functionality to capture and log keystrokes 11->109 115 2 other signatures 11->115 19 8OK7E0tYfD.exe 1 5 11->19         started        111 Injects a PE file into a foreign processes 15->111 23 Windows Audio Service.exe 2 15->23         started        113 Drops executables to the windows directory (C:\Windows) and starts them 17->113 26 Windows Audio Service.exe 17->26         started        signatures5 process6 dnsIp7 67 C:\Windows\...\Windows Audio Service.exe, PE32 19->67 dropped 69 Windows Audio Serv...exe:Zone.Identifier, ASCII 19->69 dropped 99 Creates an autostart registry key pointing to binary in C:\Windows 19->99 28 cmd.exe 1 19->28         started        31 cmd.exe 1 19->31         started        75 arttronova124.duckdns.org 79.134.225.119, 3030, 49715, 49716 FINK-TELECOM-SERVICESCH Switzerland 23->75 77 192.168.2.1 unknown unknown 23->77 101 Installs a global keyboard hook 23->101 33 cmd.exe 23->33         started        file8 signatures9 process10 signatures11 117 Uses ping.exe to sleep 28->117 35 Windows Audio Service.exe 3 28->35         started        38 PING.EXE 1 28->38         started        41 conhost.exe 28->41         started        119 Uses cmd line tools excessively to alter registry or file data 31->119 121 Uses ping.exe to check the status of other devices and networks 31->121 43 reg.exe 1 31->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 reg.exe 33->49         started        process12 dnsIp13 87 Injects a PE file into a foreign processes 35->87 51 Windows Audio Service.exe 2 1 35->51         started        73 127.0.0.1 unknown unknown 38->73 54 MpCmdRun.exe 41->54         started        89 Disables UAC (registry) 43->89 signatures14 process15 signatures16 91 Detected Remcos RAT 51->91 93 Writes to foreign memory regions 51->93 95 Allocates memory in foreign processes 51->95 97 Injects a PE file into a foreign processes 51->97 56 cmd.exe 51->56         started        59 iexplore.exe 51->59         started        61 conhost.exe 54->61         started        process17 signatures18 103 Uses cmd line tools excessively to alter registry or file data 56->103 63 conhost.exe 56->63         started        65 reg.exe 1 56->65         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 08:20:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzwfaiismpjdg44oatjfxqgvtponwurnef4l7fgzkckn63jstlwa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
06075b49f2b94cccbd7ffadc3fd0db2d2e47a4888f749cbb3685904146ff613a
RemcosRAT
0c839aeb24cb1891e0e811643a0c1c59f4ed376c4160c7d40dcd20fd750dac0f
RemcosRAT
1004c0413336aec1c5d34dc6cfe493d6928b1550874454efe7355d0c011f44df
RemcosRAT
9235e70ae950a3b47729b9cd33bd38b37a0f89b855f4d171ff04a907815b3c65
RemcosRAT
b239f9dd0c75dd4d7fa96c4c16aa35e159dc1832f5e86b2178201d353ae40f42
RemcosRAT
be5cbf5518ebb028042f1339131a2955d248c63e05123e44adb751ec9366f299
RemcosRAT
d519e342f95c5d96e84a3cca2fc999fedc3f0ee24133806a07f59a4688a22f99
RemcosRAT
e49f4942afa894a6907ed4cfb3333664fde60d1b756109d8e8b22cd4bb0f5fad
RemcosRAT
f70bfb83ca80a3a2af60a293e9842c87c36592b3bd5eb861e10496a8faf9376c
RemcosRAT
f922f6da9231801f5b01d8750a3b13444508e089ee1745cb617450f6ff541371
RemcosRAT
+ 10 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:happy new month brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/230301-xr4lsahg52/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
UAC bypass
Malware Config
C2 Extraction:
arttronova124.duckdns.org:3030
Unpacked files
SH256 hash:
b039cf2902096fc22343ce1d20f41412e44a40b6b83f2e05991b8ca4f963f78f
MD5 hash:
a4f483c7dfaa217bcea1fe82eb2f2c16
SHA1 hash:
d8ead54bad392830f175f59111b2e9bcc51176b6
Link:
https://www.unpac.me/results/7545379e-4f23-4c4a-8d3f-a2e4e4b9a551/
SH256 hash:
e73bfdb9f5a8ae04fcc1dc19acfb3b491ea9f9979d47a36d08d0eba546b42eef
MD5 hash:
a96ff5f080029bda912f21b8d5386650
SHA1 hash:
9f50742a569ba555d1781833bc31bddcf411f045
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/7545379e-4f23-4c4a-8d3f-a2e4e4b9a551/
Parent samples :
96d0368486de7d7dff9a894fde1ecc2138fe2cd4835b52d5e03a890d174f29fe
b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec
9367f2fed062c994290b2eff35d3560ead41338e9879d15ec49df4c7e8acd358
SH256 hash:
60fdbe80b3ef80c5f26114c112a78a72ae1df64489960f94902eb91909250b64
MD5 hash:
34305dcdbccf22849c80a10edb29227b
SHA1 hash:
742661f297f4bea3a277626f81506ec45fd17b73
Link:
https://www.unpac.me/results/7545379e-4f23-4c4a-8d3f-a2e4e4b9a551/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/7545379e-4f23-4c4a-8d3f-a2e4e4b9a551/
SH256 hash:
219a6c7ea5bb974cc9fdf265d13d843e6ba83f2a1ec07744d4b9ca3a6ca90f38
MD5 hash:
88dd74207f3882979e21e26bf33a0e9c
SHA1 hash:
02a2db1bcbdb700f16c730a45d6ca62f805af8d4
Link:
https://www.unpac.me/results/7545379e-4f23-4c4a-8d3f-a2e4e4b9a551/
SH256 hash:
b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec
MD5 hash:
a132b66d18edcb449168da14eae57dc2
SHA1 hash:
830d70f1d1ed270b04e172b5d308b7161fc846f1
Link:
https://www.unpac.me/results/7545379e-4f23-4c4a-8d3f-a2e4e4b9a551/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b66c50211263/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b66c50211263d233738e04d25bc0d59bdcdb522d2178bf94d95094df6d329aec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2272201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/370947/

Comments