MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
SHA3-384 hash: 8401feaf1212b3296b4a5f0ca612588bfd383f1c8634817ff800955a22abf33e2187ebae72bc9090b9e5f2acb2ba5c39
SHA1 hash: c51e9b32b39ab0bdc06055eaef3b38fc789844eb
MD5 hash: 87aca91fc9b0ce5a4bc495b90133319e
humanhash: sixteen-leopard-double-batman
File name:87ACA91FC9B0CE5A4BC495B90133319E.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:845'824 bytes
First seen:2024-05-27 21:35:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 24576:oBXu9HGaVHwqf4Xabh4SqgjBKgBRlWbAL:ow9VHwqf4WeSxdKA
TLSH T1670512632BF29FCEC05F01F374E7AAA0EC4A49B6411D2654B4767E80E9759D890C23F9
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 92aca6aaaaa6acd0 (3 x AgentTesla, 2 x Formbook, 2 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
91.92.249.107:85

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55.exe
Verdict:
Malicious activity
Analysis date:
2024-05-27 21:35:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e6f3d46d-ba39-4d5a-a092-ce93c4464c4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6654fccf02ef56c532bc5451win7simulatehigh_evasion
Tags:
Encryption Network Stealth Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
AutoIt lolbin packed packed packed shell32 upx
Link:
https://www.filescan.io/uploads/6654fcc432eca5b280001518/reports/f5fccc39-8bdf-4ea4-9875-2a77ac490eb0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/80679675-9b98-46ee-80ee-80660be5b14a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1448135
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448135 Sample: haXZhKNNHO.exe Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 34 geoplugin.net 2->34 36 18.31.95.13.in-addr.arpa 2->36 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 11 other signatures 2->48 9 haXZhKNNHO.exe 4 2->9         started        signatures3 process4 signatures5 56 Binary is likely a compiled AutoIt script file 9->56 12 haXZhKNNHO.exe 2 9->12         started        15 svchost.exe 9->15         started        17 MpCmdRun.exe 1 9->17         started        process6 signatures7 64 Binary is likely a compiled AutoIt script file 12->64 66 Writes to foreign memory regions 12->66 68 Maps a DLL or memory area into another process 12->68 19 svchost.exe 3 13 12->19         started        70 Contains functionality to bypass UAC (CMSTPLUA) 15->70 72 Tries to steal Mail credentials (via file registry) 15->72 74 Contains functionalty to change the wallpaper 15->74 76 5 other signatures 15->76 23 conhost.exe 17->23         started        process8 dnsIp9 38 91.92.249.107, 49730, 49731, 85 THEZONEBG Bulgaria 19->38 40 geoplugin.net 178.237.33.50, 49732, 80 ATOM86-ASATOM86NL Netherlands 19->40 50 System process connects to network (likely due to code injection or exploit) 19->50 52 Detected Remcos RAT 19->52 54 Maps a DLL or memory area into another process 19->54 25 svchost.exe 1 19->25         started        28 svchost.exe 1 19->28         started        30 svchost.exe 2 19->30         started        32 svchost.exe 19->32         started        signatures10 process11 signatures12 58 Tries to steal Instant Messenger accounts or passwords 25->58 60 Tries to steal Mail credentials (via file / registry access) 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 28->62
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-05-22 12:41:17 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3xzgfivj7wkbcqmjzs3mufptszq7otdx2dtsud5ttdwvubu55kq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat upx
Link:
https://tria.ge/reports/240527-1fwnksca38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
91.92.249.107:85
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57540f33-f488-4942-973e-3e02ee9ebbae
Unpacked files
SH256 hash:
c81a2f95296ad97c4cbbf2d7650ee50332b0276a8b5819eadc6ebbc43bf09d21
MD5 hash:
5411f541fec5f1eec813fef6666ff644
SHA1 hash:
ce52920745c4604787b849eb66f339e2e001cc00
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/58ba4ea6-ee1a-43ff-953a-7600105ed3ce/
Parent samples :
b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
866f001abb38ad9d6f308804eedbcbb5a86e2847babbc275a6883726d96cc0be
SH256 hash:
4a7bbcda17d919ae9ef15995b5d29fb9d7e5d2df4190bb187596cd517bf4506a
MD5 hash:
3cd534d438c9bda0ced0a0d89415405f
SHA1 hash:
18807723feed2f1094aa67c116b02296e5f06b8e
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/58ba4ea6-ee1a-43ff-953a-7600105ed3ce/
SH256 hash:
b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55
MD5 hash:
87aca91fc9b0ce5a4bc495b90133319e
SHA1 hash:
c51e9b32b39ab0bdc06055eaef3b38fc789844eb
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/58ba4ea6-ee1a-43ff-953a-7600105ed3ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b6ef9315154feca08a0c4e65b650af9cb30fba63be8739507d9cc76ad034ef55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments