MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b81b2885828a95d83e21c5e30ada433fc502c76e469229136a588dc21f047ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 15


SHA256 hash: b81b2885828a95d83e21c5e30ada433fc502c76e469229136a588dc21f047ec8
SHA3-384 hash: 2a03cf695c159ed4942855c788bc0c3832d660df5283345c8c91e417815728f6ff9b5d8c1a4b3c58ca5127e8fc74ee2a
SHA1 hash: 9ccc6ca0a2a0a478cce9ed0f0f68551f4da115a4
MD5 hash: 06b1736affad254acd1bb07792a08370
humanhash: football-muppet-magnesium-spaghetti
File name: 06b1736affad254acd1bb07792a08370.exe
Signature: RemcosRAT
File size: 745'472 bytes
First seen: 2022-10-01 07:40:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:zGS4c/TmbIgZcutEHHGei9ZXKJpqesQE8PJqfr6l:94KFu6nG1QJced
TLSH: T16BF4BF2A3BE5664FC017E97985D0DDB4E798EC21D21BC28366C71D1FF44E5A6CF202A2
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter: abuse_ch
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 267
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Launching cmd.exe command interpreter
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph (rendering not reproduced): ID 713969; Sample: CrDh8HPKRW.exe; Start date: 01/10/2022; Architecture: WINDOWS; Score: 100. Nodes shown: CrDh8HPKRW.exe dropping and starting C:\Windows\...\Microsoft Security Start.exe, child cmd.exe / reg.exe / PING.EXE / conhost.exe / iexplore.exe processes, and DNS/IP contact arttronova23.duckdns.org 91.192.100.38 port 4045 (AS-SOFTPLUSCH, Switzerland).
Threat name: Win32.Spyware.SnakeLogger
Status: Malicious
First seen: 2022-09-30 09:16:27 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 20 of 26 (76.92%)
Threat level: 2/5
Verdict: malicious
Label(s):
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:27th sept brand:microsoft evasion persistence phishing rat trojan
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction: arttronova23.duckdns.org:4045
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256
Web download      RemcosRAT   Executable exe   b81b2885828a95d83e21c5e30ada433fc502c76e469229136a588dc21f047ec8 (this sample)

Delivery method: Distributed via web download

Comments