MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baea1e30a52ec0ae882f09ea035829dc1a68a65495e0ad953a5235d3a448f19e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 12



SHA256 hash: baea1e30a52ec0ae882f09ea035829dc1a68a65495e0ad953a5235d3a448f19e
SHA3-384 hash: aab1176a56961a24dcac1a54efa44c4f5f680644e917ea82a5140b64f8800ecb552f98e6103c49efed539711edd611d5
SHA1 hash: 4f7efdf3aa9a83153098b69b6e625132b7f3a92f
MD5 hash: 45a7c49918481a1a4035811b99c6c9ad
humanhash: nine-vegan-sodium-august
File name: 45a7c49918481a1a4035811b99c6c9ad
Signature: RemcosRAT
File size: 348'160 bytes
First seen: 2022-01-19 16:38:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:irjt2yrl7DvbBEG2e9QjLk8/0menOOCYjIIN+G0PamrcUAJ6O0gTdTcuLF:cjtzVVN2Qbv1eIIJHcUAJXzhTF
Threatray 3'863 similar samples on MalwareBazaar
TLSH T13974F1641BEDC624DAAE5BFCE97A015003B5E2123192F70D27D5B1E93E63750CA123BB
Reporter zbetcheckin
Tags: 32 exe RemcosRAT
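An added example (not MalwareBazaar's own code) for checking a file on disk against the hash set in this record. It computes the four digests that Python's hashlib supports (MD5, SHA1, SHA256, SHA3-384) and compares them case-insensitively; imphash, ssdeep and TLSH need third-party libraries (pefile, ppdeep, py-tlsh) and are left out. One caveat for the imphash above: it is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because .NET executables import only `mscoree.dll!_CorExeMain`, so it is not a useful pivot for this sample. `FAKE_PE` is a constructed MZ/PE header shape so the script runs offline; it is not the sample, so `verify()` correctly reports four mismatches for it.

```python
"""Verify a local file against the digests published in a MalwareBazaar record.

Added example for this page, not MalwareBazaar's code. RECORD copies the four
hashlib-computable digests from the record above. FAKE_PE is a constructed
placeholder input (not the sample), used so the script runs offline.
"""
import hashlib
import struct
import sys

# Digests exactly as published in the record above.
RECORD = {
    "sha256": "baea1e30a52ec0ae882f09ea035829dc1a68a65495e0ad953a5235d3a448f19e",
    "sha3_384": "aab1176a56961a24dcac1a54efa44c4f5f680644e917ea82a5140b64f8800ecb"
                "552f98e6103c49efed539711edd611d5",
    "sha1": "4f7efdf3aa9a83153098b69b6e625132b7f3a92f",
    "md5": "45a7c49918481a1a4035811b99c6c9ad",
}

# Constructed input: DOS header with e_lfanew at 0x3C pointing to a PE
# signature at 0x40, then padding. No real code, just a valid header shape.
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2)
           + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 60)


def is_pe(data: bytes) -> bool:
    """Cheap sanity check matching the record's 'Executable exe' file type:
    an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def compute_hashes(data: bytes, names=tuple(RECORD)) -> dict:
    """Hex digests for the given hashlib algorithm names."""
    return {name: hashlib.new(name, data).hexdigest() for name in names}


def verify(data: bytes, record: dict) -> dict:
    """Map each hash name in `record` to True (match) or False (mismatch).
    Comparison is case-insensitive; treat sha256 as authoritative, since md5
    and sha1 are collision-broken and only listed for legacy pivots."""
    computed = compute_hashes(data, tuple(record))
    return {name: computed[name] == record[name].strip().lower() for name in record}


def verify_file(path: str, record: dict = RECORD) -> dict:
    with open(path, "rb") as fh:
        return verify(fh.read(), record)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = FAKE_PE
    print("pe_header", "ok" if is_pe(data) else "not a PE")
    for name, ok in verify(data, RECORD).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
```

Run it with the path to a quarantined copy as the first argument; with no argument it checks the constructed placeholder and prints four mismatches.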

Intelligence


File Origin
# of uploads: 1
# of downloads: 223
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
DNS request
Creating a file
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe obfuscated packed racealer remcos remote.exe replace.exe update.exe
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 556130
Sample: p0frVn0yvC
Start date: 19/01/2022
Architecture: WINDOWS
Score: 100

Process tree (node numbers as in the graph):
Start (2)
  DNS: xp19.ddns.net
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
  -> p0frVn0yvC.exe (10)
       Dropped: C:\Users\user\AppData\...\p0frVn0yvC.exe.log (ASCII)
       Signatures: Contains functionality to detect virtual machines (IN, VMware); Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; 3 other signatures
       -> p0frVn0yvC.exe (18)
            Network: 192.168.2.1 (unknown)
            Dropped: C:\Users\user\AppData\Roaming\nnjk.exe (PE32); C:\Users\user\...\nnjk.exe:Zone.Identifier (ASCII)
            -> cmd.exe (30)
                 Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                 -> nnjk.exe (33)
                      Dropped: C:\Users\user\AppData\Local\...\nnjk.exe.log (ASCII)
                      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call; 3 other signatures
                      -> nnjk.exe (42)
                           Network: xp19.ddns.net -> 195.133.18.234, ports 1996, 49689, 49690 (AS-REGRU, Russian Federation); 1996 is the C2 port per the extracted configuration
                           Signatures: Installs a global keyboard hook
                 -> PING.EXE (37)
                      Network: 127.0.0.1
                 -> conhost.exe (40)
       -> p0frVn0yvC.exe (22)
  -> nnjk.exe (14)
       -> nnjk.exe (24)
       -> nnjk.exe (26)
  -> nnjk.exe (16)
       -> nnjk.exe (28)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-01-19 03:54:10 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 25 of 43 (58.14%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:remcos botnet:host persistence rat suricata
Behaviour
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
suricata: ET MALWARE Remcos RAT Checkin 23
Malware Config
C2 Extraction: xp19.ddns.net:1996
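The behaviours listed above (ping.exe used as a sleep, a dropped executable launched from %AppData%\Roaming, a Run key for persistence, and a dynamic-DNS C2 at xp19.ddns.net:1996) are the kind of chain that is cheap to detect from endpoint telemetry. The following is an added example, not MalwareBazaar's or any sandbox vendor's code: three rules run over a constructed, Sysmon-style event list that mirrors the process tree on this page. The exact command lines are assumed (the page only shows which process started which), and the dynamic-DNS suffix list beyond ddns.net is an assumption added for generality.

```python
"""Behaviour rules for the dropper chain documented in this record.

Added example, not MalwareBazaar's code. EVENTS and BENIGN_EVENTS are
constructed Sysmon-style records; command lines and the extra dynamic-DNS
suffixes are assumptions, only the process/file/domain names come from the page.
"""
import re

# ddns.net is the provider seen on this page; the others are assumed additions.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")

# Paths a low-privileged user can write to. A binary that lives here, persists
# via a Run key and resolves a dynamic-DNS host is the shape of this second stage.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

PING_RE = re.compile(r"\bping(?:\.exe)?\b", re.I)
APPDATA_EXE_RE = re.compile(r"\\appdata\\[^\s\"]*\.exe", re.I)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return a list of (rule_name, evidence) for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image = ev["image"].lower()
            cmd = ev.get("command_line", "")
            # Rule 1: cmd.exe uses ping as a delay, then runs an exe from a
            # user-writable path ('Uses ping.exe to sleep' above).
            if image.endswith("\\cmd.exe") and PING_RE.search(cmd) and APPDATA_EXE_RE.search(cmd):
                hits.append(("cmd_ping_delay_then_appdata_exe", cmd))
        elif kind == "registry_set":
            # Rule 2: ...\CurrentVersion\Run value pointing into a user-writable
            # path ('Adds Run key to start application' above).
            key = ev["key"].lower()
            if "\\currentversion\\run\\" in key and in_user_writable(ev["data"]):
                hits.append(("run_key_points_to_user_writable_path", f'{ev["key"]} = {ev["data"]}'))
        elif kind == "dns_query":
            # Rule 3: dynamic-DNS lookup from a process running out of AppData
            # ('Uses dynamic DNS services' above; C2 here is xp19.ddns.net).
            if ev["query"].lower().endswith(DYNDNS_SUFFIXES) and in_user_writable(ev["image"]):
                hits.append(("dyndns_query_from_user_writable_process", f'{ev["image"]} -> {ev["query"]}'))
    return hits


# Constructed chain mirroring the graph above (command lines are assumed).
EVENTS = [
    {"type": "process_create", "image": r"C:\Users\user\Desktop\p0frVn0yvC.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "p0frVn0yvC.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\p0frVn0yvC.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 4 && "C:\Users\user\AppData\Roaming\nnjk.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "ping 127.0.0.1 -n 4"},
    {"type": "process_create", "image": r"C:\Users\user\AppData\Roaming\nnjk.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Users\user\AppData\Roaming\nnjk.exe"'},
    {"type": "registry_set", "image": r"C:\Users\user\AppData\Roaming\nnjk.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\nnjk",
     "data": r"C:\Users\user\AppData\Roaming\nnjk.exe"},
    {"type": "dns_query", "image": r"C:\Users\user\AppData\Roaming\nnjk.exe", "query": "xp19.ddns.net"},
]

# Constructed benign controls: ping without a dropped exe, a Run key into
# Program Files, and a browser resolving an ordinary domain.
BENIGN_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c ping 8.8.8.8 -n 1"},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "example.org"},
]

if __name__ == "__main__":
    for rule, evidence in detect(EVENTS + BENIGN_EVENTS):
        print(f"[{rule}] {evidence}")
```

Rule 1 keys on the parent command line rather than on PING.EXE itself, since `ping 127.0.0.1 -n N` alone is common in benign scripts; it is the combination with a freshly dropped binary in a user-writable directory that is characteristic here.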
Unpacked files
SHA256 hash: d22fcf6316de67424c61df0049423718455d15290a32f46cbe55e3d1add9ced2
MD5 hash: f5cf73cec1017663c306e89882136728
SHA1 hash: faaecba67cf4a36a70223b8a5b95605f3df425f9

SHA256 hash: f26f875ed3423144ef29c27da8d68ba37cd43f1c8035ba9ad3ecf222a7a98d75
MD5 hash: c0b8b53a2f0195f74b3293ca56f0875f
SHA1 hash: f924ca6ea669f803b50cd7f01cd5ccc5f5d48797
Detections: win_remcos_g0 win_remcos_auto

SHA256 hash: aab2f89239f9a7a2d6bfd4fd64405a4ea0a65e83ed6938133f547e32f1cc56e1
MD5 hash: a6db24806f365a897a068c49a536ad74
SHA1 hash: 8de1085c2fa70106b93e11d9d9dcd32088dccd5a

SHA256 hash: baea1e30a52ec0ae882f09ea035829dc1a68a65495e0ad953a5235d3a448f19e (this sample)
MD5 hash: 45a7c49918481a1a4035811b99c6c9ad
SHA1 hash: 4f7efdf3aa9a83153098b69b6e625132b7f3a92f

Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RemcosRAT
File: Executable exe baea1e30a52ec0ae882f09ea035829dc1a68a65495e0ad953a5235d3a448f19e (this sample)

Comments



zbet commented on 2022-01-19 16:38:55 UTC

url: hxxp://212.192.241.46/XAW.exe