MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85
SHA3-384 hash: 19e3564987c1870c790eb6a269a52556e3fc9a257b089ed1435e9b4cda883d8676469074374d359c43c7d309a8509820
SHA1 hash: 5ff6d81d9703396e8fa9b3f2a0a79526574c69f5
MD5 hash: ac1c7f7bec227f36d5ceb980f5f19e7b
humanhash: king-twenty-oxygen-juliet
File name:Mvbfxocaqxhjpmdefrgdajzhvoqtjcjpib.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:815'616 bytes
First seen:2022-01-06 21:09:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3b6a2f72022738defeb0f4d2200e22a0 (1 x Formbook, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:PPnSCqHwtibQJ8OWxswCtnN+ziM96wDoMJaLrg8UujFfGBA+:PPnIQhxEswCtnNcJT8MZ83jSA
Threatray 195 similar samples on MalwareBazaar
TLSH T142059D13B6928837E1732A7C9C9F96A59C2EBF003E34F8466FE51C484F7529439391A7
File icon (PE):PE icon
dhash icon 63311c0e4f3bfeea (1 x Formbook, 1 x AveMariaRAT, 1 x RemcosRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Mvbfxocaqxhjpmdefrgdajzhvoqtjcjpib.exe
Verdict:
Malicious activity
Analysis date:
2022-01-06 21:11:37 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/e576937d-30f1-461a-8f28-2e3890b5a44a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217610/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.26184.1319.562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d75ab11c0d769df9d3e36d/reports/970dfaf5-0ed7-4d8b-a596-a111e5a7d758/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cac2f97c-1035-466e-98b1-3178267bb9f5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916529
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549007 Sample: Mvbfxocaqxhjpmdefrgdajzhvoq... Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 8 Mvbfxocaqxhjpmdefrgdajzhvoqtjcjpib.exe 1 23 2->8         started        13 Mvbfxocaqx.exe 14 2->13         started        15 Mvbfxocaqx.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.135.233, 443, 49755, 49756 CLOUDFLARENETUS United States 8->43 33 C:\Users\user\Contacts\propsys.dll, PE32+ 8->33 dropped 35 C:\Users\user\Contacts\Mvbfxocaqx.exe, PE32 8->35 dropped 37 C:\Users\...\Mvbfxocaqx.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\Contacts\ComputerDefaults.exe, PE32+ 8->39 dropped 65 Writes to foreign memory regions 8->65 67 Creates a thread in another existing process (thread injection) 8->67 69 Injects a PE file into a foreign processes 8->69 17 logagent.exe 2 2 8->17         started        21 cmd.exe 1 8->21         started        45 162.159.129.233, 443, 49761 CLOUDFLARENETUS United States 13->45 23 DpiScaling.exe 13->23         started        47 162.159.133.233, 443, 49760 CLOUDFLARENETUS United States 15->47 71 Multi AV Scanner detection for dropped file 15->71 73 Machine Learning detection for dropped file 15->73 25 logagent.exe 15->25         started        file5 signatures6 process7 dnsIp8 41 latua.nsupdate.info 20.115.34.57, 49757, 7722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->41 57 Contains functionality to steal Chrome passwords or cookies 17->57 59 Contains functionality to inject code into remote processes 17->59 61 Contains functionality to steal Firefox passwords or cookies 17->61 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        63 Delayed program exit found 23->63 signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 19:08:23 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ybv2bvz633qk5hvxzvddcjz5nl5vmcfq5p3gtszfbni57rsezocq._file
Verdict:
malicious
Similar samples:
44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726
RemcosRAT
460834ec55aa694ab0d984921534e5b7111bcb024abb36f7bace052fdeb448e5
RemcosRAT
9092a8499f245641da71311b2f4dcafac1b61c30f1f5d5808fed38f5125cbc57
RemcosRAT
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
RemcosRAT
964a32e3b4170aa8a5d45ce250e3abbbd424ee0a9d956ca872d405bdf5abe88d
RemcosRAT
bd1a32d919982c93f90c87338d43be0ba26245407a00c3ddb897eb806d561256
RemcosRAT
c2f1660c8591d5975eb025aba06a188739dc8be2f9308cba2a319dc8603c0b15
RemcosRAT
d5a3ea57e5b06d762dac32cf4c4296643a552803e9ff9e80f801f7085b4b891a
RemcosRAT
dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
RemcosRAT
+ 185 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:tls persistence rat
Link:
https://tria.ge/reports/220106-zz242abfc5/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
latua.nsupdate.info:7722
goldie.nsupdate.info:7722
coke.nsupdate.info:7722
fanta.nsupdate.info:7722
Unpacked files
SH256 hash:
5852f167948b3cf3fcd175ed0acc3cd43456ab0aecae4ac68121bde1906bcf39
MD5 hash:
bb66163c0a181098d801f3d6b775f73f
SHA1 hash:
fe4adcf4bf6146cac5b4eb192c99fc0cebba323b
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/88560ea9-9f9a-4442-b683-fc033794bdf1/
Parent samples :
8865c82943ba3a6479fca40222a730e22e3d1cd279c6c6e0915c5c47f893636a
71cf991b9060d1fcefd467162ecfe99c89c47da31d29489e299f7bec73d56a83
dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
9092a8499f245641da71311b2f4dcafac1b61c30f1f5d5808fed38f5125cbc57
4cdb484aff91fc4c74a8f2750296212dd12af808fee3e01bf9b8d0feafbd8fc1
c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
92cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
1dfdb77409e4402860f9a644890b904f68d377cc5f9320828aa320b7e835e207
65c55c73382e84ea8a229ba4c65ce12c956b3e86916e343ed6e933a10735e9b1
84e9426e79655328d7e51384cd16697772d5fa8043ef793e4777ec7e3c38c6d0
778fb400067e1de625dfa7e62e7091cc28e75fc44673562dc193f4b486fdcef0
a84d4b61bab51a5eaf7d9b1a96ab450a5057ddbebb4a38617755b6286d19e9a1
83f6940a0fadd38a9a73e859f46173631822ee985037994c6c55b328721d76bf
70d04c9ec5f8c5f8a5c1cd82ad19eee2ddd26145848bc2ffe90d1b51645cac2e
f31ca1220140f0489ddef71cf10ef3636537422acaefd6dd8d9199a942feb128
e98006424a36e34271488f8a584b535b0bdf1650d2da228ec4c2a94e24ca20bb
a2948f7e3c13f7c9a54e44a6bd601ca6b8a3c2d97b7c8d6b28d1475f0caf81b8
80bee5948290fe93aa9aba9789c364c3e71f4d9039ec68a56dc05a4af7b0a502
ad2910f066744846d0233c9eb6643a71fe1643e5a107646b95c88608cddf1ed8
fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
dbb93c60e5e74632af64452fe9ec5acd788140d0eb3231655a47203e86ef6b55
feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11
cab5f50e805b3a36e0ea6cf84c40b4b90e372fcd2f3f1024664af5440282d496
SH256 hash:
c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85
MD5 hash:
ac1c7f7bec227f36d5ceb980f5f19e7b
SHA1 hash:
5ff6d81d9703396e8fa9b3f2a0a79526574c69f5
Link:
https://www.unpac.me/results/88560ea9-9f9a-4442-b683-fc033794bdf1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c06ba0d73ede/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/217610/

Comments