MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d
SHA3-384 hash: 6ad37047d33f698a3ad839bcd83a99b6682c25e65728863aaf7570986d9128652a79d5e5ae617bc7e740cc983cc92f63
SHA1 hash: 954091a3c794be2e2998839562978639610dbc48
MD5 hash: 3fad7168eb61ff9ef3770f2b613e56a2
humanhash: india-whiskey-hydrogen-iowa
File name:vbc.exe.vir
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'037'312 bytes
First seen:2022-06-23 18:01:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:8ZuTgVjEAOSrHcRGlginscjTJq99knfS2GR/KKsWTkk:8ZuajE+rH/lgiscHs9knfS2S/R/
Threatray 2'444 similar samples on MalwareBazaar
TLSH T1192512C191A145B0E82936BE8B80D5AC8F7B673E761601F717B1B745AC3668F2421ECF
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0030f8e0f0e0e000 (1 x RemcosRAT)
Reporter KdssSupport
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282705/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62b4aad9e88d6da4ffbff8a5/reports/2fdeacfc-3889-48b2-9227-f10708d30d1e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f596c350-dc22-442f-979e-a5d42c1a469b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1018813
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651309 Sample: vbc.exe.vir Startdate: 23/06/2022 Architecture: WINDOWS Score: 68 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 .NET source code contains potential unpacker 2->26 28 2 other signatures 2->28 7 vbc.exe.exe 3 2->7         started        process3 dnsIp4 16 stackoverflow.com 151.101.129.69 FASTLYUS United States 7->16 18 151.101.193.69 FASTLYUS United States 7->18 20 2 other IPs or domains 7->20 10 cmd.exe 1 7->10         started        process5 process6 12 conhost.exe 10->12         started        14 timeout.exe 10->14         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d/
Threat name:
Win32.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 15:26:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
9 of 26 (34.62%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xw7jg5j7bqmk2vf6grszvoniymkcvjmr27ymjcn3zikn4wxqbj6q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
RemcosRAT
49bc50c3b1ff689c3cbcfcf1f7d42f29547f15f4ab990dafc27f5eb4b562d446
RemcosRAT
5f37b5f63e3badceb3ea40bb2a6cef92e466410bebbf6864d6d4b5100b6114eb
RemcosRAT
b07f08cbf908eb0d5c93679c8dca8438e4f185a70d675ad79184533dc6b4b262
RemcosRAT
c208cb83639f1b0a5bac59a310c377fb31f7d7dae0084f557461b8d4312c81a6
RemcosRAT
e04e4c474ded78364c1f802de5a653e2d495bc1a0ddb78325962778a221970e6
RemcosRAT
+ 2'434 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:standstron collection persistence rat
Link:
https://tria.ge/reports/220623-wme7yseear/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Uses the VBS compiler for execution
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
imranmhemoodcheema.ddns.net:9830
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/71d42b93-b9d4-4ae2-a1fb-8a4449f81114/
SH256 hash:
f991101c5c37450acee82717c8e76435028da6fb5d5840127a1023cf673e4c0d
MD5 hash:
979423ee38f063bf129dd29926e209f6
SHA1 hash:
c8ca3708f4cc3bdebec91b4ac8be703ec9808fdd
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/71d42b93-b9d4-4ae2-a1fb-8a4449f81114/
Parent samples :
93f075eb740e3e18211e298f000478d212cd15fb4e4e94d925b2a6e5c975be4d
bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d
SH256 hash:
6c5b2f5c39989cd6dc0f064634183ac51a2b69936a6862e0c733eb5924aa03a4
MD5 hash:
1ed2036777de155b9bfd6a3e51e407da
SHA1 hash:
559220ed79b1ffe7c4c2a7dec48ff2d085160ef5
Link:
https://www.unpac.me/results/71d42b93-b9d4-4ae2-a1fb-8a4449f81114/
SH256 hash:
bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d
MD5 hash:
3fad7168eb61ff9ef3770f2b613e56a2
SHA1 hash:
954091a3c794be2e2998839562978639610dbc48
Link:
https://www.unpac.me/results/71d42b93-b9d4-4ae2-a1fb-8a4449f81114/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdbe93753f0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe bdbe93753f0c18ad54be34659ab9a8c3142aa591d7f0c489bbca14de5af00a7d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2248469/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2246307/
Cape
Cape
https://www.capesandbox.com/analysis/282705/

Comments