MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228
SHA3-384 hash: b27eff3b35e4a5fc00694ef6d61dcd22755b3b6ac7094255fb6ab3ef7810731e1dbd16d6d15dbb501d6143a575e2e5af
SHA1 hash: 111d788bd77f9f951788230760aac2a4e3fd4528
MD5 hash: 09abff7fd37311b306d557540ecbb5c0
humanhash: pip-mars-golf-lemon
File name:09abff7fd37311b306d557540ecbb5c0
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:18'944 bytes
First seen:2021-09-10 05:41:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0cc030bb7973df4137d34f314ff314a (1 x AgentTesla, 1 x NanoCore, 1 x Loki)
ssdeep 384:HX8bO2AEgXhjXsm4sm4sm4sm3BqjbW6Y33VjXjXjXV3VjXXjXO7OjXjQ4X4MjMc5:HXtwwCz12kkhycyrsR2vZ
Threatray 582 similar samples on MalwareBazaar
TLSH T1178230836F99F490F45502B874766B815B7F2EF6DB24A8C7E3F2294D54A24C30D32D86
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-09 13:04:33 UTC
Tags:
encrypted exploit CVE-2017-11882 opendir rat remcos
Link:
https://app.any.run/tasks/5f80ee06-27f9-46a7-a9fd-8b0bb5095199

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186773/
Detection(s):
SecuriteInfo.com.Variant.Razy.921709.22256.24789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0350577c-a021-442e-8fc8-305d7b714964
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848577
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 11:44:49 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
13e6341cacb27fdd36b2ce19395dbb02947f0c917b6fd10447f1d6381d51b7d4
RemcosRAT
2eb44403d1de2a792569f63907f746809e3d4e35fccf689c2e637f77df79254c
RemcosRAT
4f189abe24a0c0b6689720f3b3d4b56288b0c92bb889520dcdf8dd44d33dfe1a
RemcosRAT
7eb677c1c5c60d34da90cab2b4ea019c500b5c3db6964cc14849dbe2f9f5fa30
RemcosRAT
91e8ea3e431c0ad9faf6dfe01eb29e4834940054379deb8b657d9cbe23e91682
RemcosRAT
a737c6bf1fe3e63d6d187d114d887c6c1e722579fc9caab72ce4451564e165f6
RemcosRAT
b56242ce9875402fca36f6d831072462bcf7b0996c2a98d048455459485ade1d
RemcosRAT
e6930000e13aa3deafe16f78fcfca8e6276e18ba6a252b8045dfaf570f044328
RemcosRAT
+ 572 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/210910-gd354acehm/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
45.137.22.77:5888
Unpacked files
SH256 hash:
b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228
MD5 hash:
09abff7fd37311b306d557540ecbb5c0
SHA1 hash:
111d788bd77f9f951788230760aac2a4e3fd4528
Link:
https://www.unpac.me/results/d1124b5c-8bed-4b2a-a9c1-37a93351e69f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b67741cbd394/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b67741cbd39464c7526c9cda83175c342aaba91fb990dd96d60083d028f00228

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1607192/
Cape
Cape
https://www.capesandbox.com/analysis/186773/

Comments


Avatar
zbet commented on 2021-09-10 05:41:51 UTC

url : hxxp://192.3.146.254/glob/vbc.exe