MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee
SHA3-384 hash: 982f35d28dc90de8e9c1440655ce007326d5ae5a2ddf1455e48656fa8c1a1799b8a96f57c58c60eaa9093404a9b1180d
SHA1 hash: f3760eb1b4defccbf61c4c1c3efe2042866b7a09
MD5 hash: 6c37113089235ae5dd8b3e2779650323
humanhash: spaghetti-april-montana-california
File name:6c37113089235ae5dd8b3e2779650323
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:986'112 bytes
First seen:2022-05-20 14:09:02 UTC
Last seen:2022-05-20 14:47:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jFBIca9XxOAGVCFWOuErQzEa+wYkyyMqxyn8jfYjGpHU7zBFGPD0pLeRgCwMaHK:hucOhtwOuErQlXMqoKYM0nB8PDSGr
Threatray 1'447 similar samples on MalwareBazaar
TLSH T12D25021462E8CE55E87947BAD06151F803B56D07E922F75FCEA07CDA3C323C1970AA2B
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d0d8d0c4c4c4dcd4 (12 x RemcosRAT, 3 x NanoCore, 3 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
6c37113089235ae5dd8b3e2779650323
Verdict:
Malicious activity
Analysis date:
2022-05-20 14:27:00 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/ba732c94-9348-4fff-9b22-fa79d7dea8fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273075/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6287a14b0be8a16da4e33966/reports/eb69ce27-8388-409d-8e6b-312021cfae90/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92b9722d-d6cd-4c0e-a6ca-d29bc482ac2b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998667
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 631167 Sample: UF0gQpvdNY Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 9 other signatures 2->41 7 UF0gQpvdNY.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\emQBzqeLWVVX.exe, PE32 7->23 dropped 25 C:\Users\...\emQBzqeLWVVX.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp8097.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\UF0gQpvdNY.exe.log, ASCII 7->29 dropped 43 Contains functionality to steal Chrome passwords or cookies 7->43 45 Contains functionality to inject code into remote processes 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 4 other signatures 7->49 11 UF0gQpvdNY.exe 3 16 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 power22.myftp.org 176.111.173.57, 4202, 49757 WILWAWPL Russian Federation 11->31 33 geoplugin.net 178.237.33.50, 49758, 80 ATOM86-ASATOM86NL Netherlands 11->33 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Installs a global keyboard hook 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 07:44:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2pqjcbrgechcwnd6pytu6kd77puhr2cxqvitfhx54pruqwbn3xa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2682222836b5d284955176401e14dba7b8af056ee4db520c1fc51305c192da81
RemcosRAT
288b1eab3026050ee178211ace5bf2e8cad9d85773ffc056929cd7b6fd3bd029
RemcosRAT
56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
d4729baa39aa4e1052e0999c90450a4cdcd4c4e3831c9a791fb99b94036103b4
RemcosRAT
e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617
RemcosRAT
fafd7463254353a7e4ea4900b93f412fb84bbbddae730fc145c54331eb2533f8
RemcosRAT
+ 1'437 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/220520-rf6dcaffb7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
power22.myftp.org:4202
Unpacked files
SH256 hash:
294628f2d18e688f6c8ffeef19c1335e073f93e35919799a6a111efd83f47942
MD5 hash:
9ff640fca0ec7393a29a409d402c5483
SHA1 hash:
f4a17cb3950ed356081a6e10340f7dd4524d6f52
Link:
https://www.unpac.me/results/b659ea5b-3c02-4102-978a-08795a7514de/
SH256 hash:
f365ff359ce15bd2ee460ed833778bd2167003c82f2d7aa1a5a5e0bf226c5237
MD5 hash:
60357adac9058123cf4cad6833f900d5
SHA1 hash:
6578e3d0de02aa44980af43d0d132a5fc25d5f12
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/b659ea5b-3c02-4102-978a-08795a7514de/
Parent samples :
2682222836b5d284955176401e14dba7b8af056ee4db520c1fc51305c192da81
b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee
SH256 hash:
858a5ea27823ff55f0af62c4243b8c6999cadd7a96fda454dc02557f12bb9c18
MD5 hash:
f032378bb70ec08d200e35a8bf41349a
SHA1 hash:
529073fb7232d90c6f5e640cc327691911d77ead
Link:
https://www.unpac.me/results/b659ea5b-3c02-4102-978a-08795a7514de/
SH256 hash:
09602efe05dc6b9738b23b91708978231d20c08329940541a086561795a6c9fd
MD5 hash:
1521132bd568891debf24b4973aaa24e
SHA1 hash:
393fafe43a177d02d2a8be164101fc2add2748dc
Link:
https://www.unpac.me/results/b659ea5b-3c02-4102-978a-08795a7514de/
SH256 hash:
b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee
MD5 hash:
6c37113089235ae5dd8b3e2779650323
SHA1 hash:
f3760eb1b4defccbf61c4c1c3efe2042866b7a09
Link:
https://www.unpac.me/results/b659ea5b-3c02-4102-978a-08795a7514de/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b69f04883131/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2204101/
Cape
Cape
https://www.capesandbox.com/analysis/273075/

Comments


Avatar
zbet commented on 2022-05-20 14:09:20 UTC

url : hxxp://104.243.37.55/king/NEW_ORDER.exe