MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66
SHA3-384 hash: e766f33bd0546d2383a2762f195bb6cc2321864c80a5cbfef43d1aa819173c83fdc4994e4de8bb4bdd59da78b967bac8
SHA1 hash: cbb33ac1c62ec26b4011101a15c665952d97930d
MD5 hash: 9559f7c7e8817a7dfc52c2a0d52a4462
humanhash: texas-august-alaska-muppet
File name:bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66.bin
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'461'688 bytes
First seen:2021-08-30 09:43:52 UTC
Last seen:2021-09-15 06:48:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'003 x AgentTesla, 19'911 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:nMwSQ9PXxgJCWHt0r6EeLU2nANSbm+IU2wh2zrzcv1SWmSUu1d5KHBBFj3RB:nMwXrov1SvUKBBF3T
Threatray 2'347 similar samples on MalwareBazaar
TLSH T125659D0033FC0617E2FF0BB566B542018A75F9622696D71E725CA20E1FE2B944DB27B7
dhash icon b271e8cccccccc70 (3 x RemcosRAT)
Reporter JAMESWT_WT
Tags:Afia Wave Enterprises Oy exe RemcosRAT signed

Code Signing Certificate

Organisation:Afia Wave Enterprises Oy
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-07-08T00:00:00Z
Valid to:2022-07-08T23:59:59Z
Serial number: 69ad1e8b5941c93d5017b7c3fdb8e7b6
Intelligence: 53 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 999bbf99f3b3c1a894340918d8f2c6a358e7ec6299bab5d8fd6b9e7570abf929
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66.bin
Verdict:
Malicious activity
Analysis date:
2021-08-30 09:49:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ae3f785-2890-4dcf-8cea-b115e0e5ffbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
spynet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183698/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46884673.18148.9283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b0b445da-7382-463c-ae80-e3a3ee5c10b4
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841442
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473873 Sample: yYablG1w47.bin Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 54 127.0.0.1 unknown unknown 2->54 56 192.168.0.133, 2404 unknown unknown 2->56 58 192.168.2.1 unknown unknown 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Sigma detected: Powershell adding suspicious path to exclusion list 2->64 66 11 other signatures 2->66 8 yYablG1w47.exe 9 11 2->8         started        12 svchost.exe 2->12         started        14 B2DAD187.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 42 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 8->42 dropped 44 C:\Users\user\AppData\...\B2DAD187.exe, PE32 8->44 dropped 46 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->46 dropped 52 2 other files (1 malicious) 8->52 dropped 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->70 72 Creates autostart registry keys with suspicious names 8->72 74 Drops PE files to the startup folder 8->74 82 2 other signatures 8->82 18 B2DAD187.exe 8->18         started        22 powershell.exe 26 8->22         started        24 AdvancedRun.exe 1 8->24         started        26 8 other processes 8->26 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 12->48 dropped 76 Multi AV Scanner detection for dropped file 12->76 78 Adds a directory exclusion to Windows Defender 12->78 80 Tries to delay execution (extensive OutputDebugStringW loop) 12->80 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->50 dropped signatures6 process7 file8 40 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 18->40 dropped 68 Adds a directory exclusion to Windows Defender 18->68 28 conhost.exe 22->28         started        30 AdvancedRun.exe 24->30         started        32 conhost.exe 26->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        38 4 other processes 26->38 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 21:07:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtxyoacffqewtxp5h5tdivtxmhws37fyxpcr7zx55eb3do7udjta._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1cbde001232b05773813dca161a55e63f8e082b7b53f900a4e235d2753bd1957
RemcosRAT
34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566
RemcosRAT
379ce884ab2a4e39bb56560bc8772b7ea44dcd3678d6fabaf62eb3352b1b6018
RemcosRAT
37a9969f1c0394c3899ffcd2fcebf9c9393bc712da4c80d4cdb2b19adec5334f
RemcosRAT
4c11b7fb217b3675e60d659ce0a2c3eee1bdbd3e3ddba1ad6d762878f62534d1
RemcosRAT
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
d45d40989488d330e82db097aa2d857ea5d620526171cd8fb145ef62cb4ea701
RemcosRAT
ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13
RemcosRAT
+ 2'337 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210830-nn8jq9fvra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
b97ad6e9b56bf10e76b01fb69db58a231dd54b5b8103726c7559dafc2d8da2fc
MD5 hash:
bf1fb9b82c705725baf34810601a7afb
SHA1 hash:
30ad4209d9bc5c0c299fa138dfbf33e15e797594
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/28369a1b-cace-465b-8901-1bdea993f1c9/
Parent samples :
bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
SH256 hash:
c385d87df8f0fd199aff656f9270b393de8b461351665260c81d00d4c0339786
MD5 hash:
e362f1d69cafa968aba126d544dba6e0
SHA1 hash:
909fe987d855f928d4eb5bf13b9c95b9a486bfe0
Link:
https://www.unpac.me/results/28369a1b-cace-465b-8901-1bdea993f1c9/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/28369a1b-cace-465b-8901-1bdea993f1c9/
SH256 hash:
8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash:
4abff34e351e4e95514aecb515e8aea3
SHA1 hash:
742702e8c78e7cf19f19e56a6cdb2d1811759710
Link:
https://www.unpac.me/results/28369a1b-cace-465b-8901-1bdea993f1c9/
SH256 hash:
bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66
MD5 hash:
9559f7c7e8817a7dfc52c2a0d52a4462
SHA1 hash:
cbb33ac1c62ec26b4011101a15c665952d97930d
Link:
https://www.unpac.me/results/28369a1b-cace-465b-8901-1bdea993f1c9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bcef8700452c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bcef8700452c0969ddfd3f6634567761ed2dfcb8bbc51fe6fde903b1bbf41a66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183698/

Comments