MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 15

SHA256 hash: b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92
SHA3-384 hash: 02817c4665b6c302d02de6cb452361ae0d36986a8dbb09ca1684cc06b964caf332461e485a850c5f3ec4da922373bfe8
SHA1 hash: 1c741219940f9f22ccab75051b089296725f101c
MD5 hash: 636ec816d6b2f616c6574bf42eee77a4
humanhash: whiskey-vermont-zulu-texas
File name: vbc.exe
Signature: RemcosRAT
File size: 970'752 bytes
First seen: 2022-05-24 10:59:49 UTC
Last seen: 2022-05-24 12:00:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:tTPOAfxBU4uEH+Z9loTu5NIKfhQMekoVuqRn64h:VGThDvrQ/GqRJ
Threatray: 1'603 similar samples on MalwareBazaar
TLSH: T15625128033B5AF5BE87D8BFE4454465A0371AEAC69A4E3181DD5B0FB1B72FA14582F03
TrID:
  72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: d0d8d0c4c4c4dcd4 (12 x RemcosRAT, 3 x NanoCore, 3 x AveMariaRAT)
Reporter: JAMESWT_WT
Tags: exe RemcosRAT

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 325
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 002_SCAN-COPY.xlsx
Verdict: Malicious activity
Analysis date: 2022-05-24 10:00:53 UTC
Tags: encrypted trojan opendir exploit CVE-2017-11882 loader rat remcos keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
  Creating a window
  Sending a custom TCP request
  Launching a process
  Creating a process with a hidden window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed replace.exe
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
  .NET source code contains potential unpacker
  Adds a directory exclusion to Windows Defender
  C2 URLs / IPs found in malware configuration
  Contains functionality to inject code into remote processes
  Contains functionality to steal Chrome passwords or cookies
  Contains functionality to steal Firefox passwords or cookies
  Delayed program exit found
  Found malware configuration
  Installs a global keyboard hook
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal browser information (history, passwords, etc)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Yara detected AntiVM3
  Yara detected Generic Downloader
  Yara detected Remcos RAT
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-05-24 11:00:10 UTC
File Type: PE (.Net Exe)
Extracted files: 23
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost rat

Behaviour
  Creates scheduled task(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Checks computer location settings
  Uses the VBS compiler for execution

Remcos
Malware Config
C2 Extraction: power22.myftp.org:6211
Unpacked files

SHA256 hash: a936419b701428167d1f2f6a35242a3d1b4be76314d370e3cc10654d2b46c700
MD5 hash: 782855252a5c7e51f82bc13df062af6a
SHA1 hash: d1a28186aad122075734ee484adc541a6316099d

SHA256 hash: a59265b514b21e479a19cb6f843809dd1a15db132c733ece66870d58c318db61
MD5 hash: 218f5da86621cd2526a8d82237fb1c0f
SHA1 hash: add0110ebd9e2a6f7bc1e9f18bd7cc99c44635c5

SHA256 hash: f62eaa7f37da5d1c582f31e8183eb624e28209e8d636e5fc6d3a15d3fb5c22c8
MD5 hash: 62f19febbbc4e4d9132aeedd8d5fc2dd
SHA1 hash: 30d1bfcb66a87a4aac9c9b006773eca5eae27fcc

SHA256 hash: 285fa424f04aea7fb7fd723ced3c8573b95c93ba2b0535933cffeb9bf2c0a954
MD5 hash: 28722ca63496f7d82ef2966b866a0427
SHA1 hash: 29d8f70fade6e7902a91530b47cbaa943cf57c68
Detections: win_remcos_auto

SHA256 hash: b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92
MD5 hash: 636ec816d6b2f616c6574bf42eee77a4
SHA1 hash: 1c741219940f9f22ccab75051b089296725f101c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RemcosRAT
File: Executable exe b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92 (this sample)
