MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7
SHA3-384 hash: d851928f5009832e4a141805e7fe9e9c4fe78c1a6ab9d7fadf82ab1ecf3988263d937574600600064691154e2713cbda
SHA1 hash: a087c38aa8897e52644dd4801a35e3a74148cd7f
MD5 hash: 8aab9586473e502be6050692dce19943
humanhash: muppet-football-kentucky-freddie
File name:New Parts.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'072'128 bytes
First seen:2022-12-06 14:09:05 UTC
Last seen:2022-12-06 16:31:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:s4UlIzIozS13VWFk22EII8Vsjzr1MfL952kBW4MMY+YQZ:nS1lWVh/8Vsz1Mf5kkLMMV
TLSH T1DB3501C776E7DAC2D3AD1631C0F25108C3F9D9B252B7F70A291806F24E06767FA45A89
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
New Parts.exe
Verdict:
Malicious activity
Analysis date:
2022-12-06 14:09:25 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/3e224401-1612-444f-b8ba-d271975033d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/343466/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15686.3263.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638f4d3c9a505ad9423da5a0/reports/f67315a9-9a64-4e93-a906-48de33b50908/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1f5ff2f-c04a-48c1-b96c-266a02c9cb22
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1128967
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 761690 Sample: New Parts.exe Startdate: 06/12/2022 Architecture: WINDOWS Score: 100 88 Multi AV Scanner detection for domain / URL 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for dropped file 2->92 94 11 other signatures 2->94 11 New Parts.exe 6 2->11         started        15 kLqVYgoQk.exe 5 2->15         started        17 BIN.exe 2->17         started        19 2 other processes 2->19 process3 file4 74 C:\Users\user\AppData\Roaming\kLqVYgoQk.exe, PE32 11->74 dropped 76 C:\Users\user\AppData\Local\...\tmpC3B9.tmp, XML 11->76 dropped 78 C:\Users\user\AppData\...78ew Parts.exe.log, ASCII 11->78 dropped 100 Injects a PE file into a foreign processes 11->100 21 New Parts.exe 5 5 11->21         started        24 schtasks.exe 1 11->24         started        102 Machine Learning detection for dropped file 15->102 26 schtasks.exe 15->26         started        28 kLqVYgoQk.exe 15->28         started        30 schtasks.exe 17->30         started        32 BIN.exe 17->32         started        34 schtasks.exe 19->34         started        36 schtasks.exe 19->36         started        38 2 other processes 19->38 signatures5 process6 file7 68 C:\Users\user\AppData\Roaming\BIN\BIN.exe, PE32 21->68 dropped 70 C:\Users\user\...\BIN.exe:Zone.Identifier, ASCII 21->70 dropped 72 C:\Users\user\AppData\Local\...\install.vbs, data 21->72 dropped 40 wscript.exe 1 21->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 30->46         started        48 conhost.exe 34->48         started        50 conhost.exe 36->50         started        process8 process9 52 cmd.exe 1 40->52         started        process10 54 BIN.exe 5 52->54         started        57 conhost.exe 52->57         started        signatures11 96 Machine Learning detection for dropped file 54->96 98 Injects a PE file into a foreign processes 54->98 59 BIN.exe 54->59         started        64 schtasks.exe 54->64         started        process12 dnsIp13 82 ucremcz1.ddns.net 185.216.71.149, 1823, 49704 CLOUDCOMPUTINGDE Germany 59->82 84 geoplugin.net 178.237.33.50, 49705, 80 ATOM86-ASATOM86NL Netherlands 59->84 86 192.168.2.1 unknown unknown 59->86 80 C:\Users\user\AppData\Roaming\...\logs.dat, data 59->80 dropped 104 Installs a global keyboard hook 59->104 66 conhost.exe 64->66         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-12-06 14:10:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhhl3lkbhrmk6xg3pyhxogctqfqfffv5evckric4py3abkb2d3lq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:uc persistence rat
Link:
https://tria.ge/reports/221206-rgqz2seb69/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
ucremcz1.ddns.net:1823
Unpacked files
SH256 hash:
b10c842a2609eb938276c5981ee8b7d522bd70818cf5e39e0b10985a0a3a1ad2
MD5 hash:
3858395271c5aa9e9d6cd862ea985bba
SHA1 hash:
d467662133a77399288921acf7bdfad1ba157aa0
Link:
https://www.unpac.me/results/3b1b3b8c-ef2f-46dd-8c63-b4d8de657951/
SH256 hash:
bb016540432270c8976e9a11a2afccfd421a210c26451bb1a61e3bd6db1e4241
MD5 hash:
30dd9671cb8a9ee7217b3021f115bfb7
SHA1 hash:
c0fa007ef2afe9921f9df0cced7056e2e6258dc1
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/3b1b3b8c-ef2f-46dd-8c63-b4d8de657951/
Parent samples :
1c3b5e967fb3efae83f711802606597cfd5454deb03f8d69cb68f9fef22d6e9b
ecb9ed9d6b4967e3f0bdf5abfe253e2c3b80919272b8427f02f5c33a6e815755
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27
c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7
fc2bcad21d96b3e31b27f0610209f0aa33fb1aa83504e8c346d390ac2da19504
05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
c85b76b0a102f76dd2e9b5fa71d6f9e599fccc63879a666b3d019d61d8e68101
394bf9a9a60175d3d7bc71aab92df900a59f2205435196129cad78ce7460140c
SH256 hash:
a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59
MD5 hash:
404efdeb9931733904da07f96fabeb72
SHA1 hash:
7ce363cd612f1d9a90b33ec196c4d0a49cdaee02
Link:
https://www.unpac.me/results/3b1b3b8c-ef2f-46dd-8c63-b4d8de657951/
SH256 hash:
07866f247607c233433a6e094f9a365b882e0e93acce929d074f6db5666f50c1
MD5 hash:
1b17c3806b87b811a598f432a2aacd02
SHA1 hash:
42e75d0bf3c0c6ea4198a041b349834472706264
Link:
https://www.unpac.me/results/3b1b3b8c-ef2f-46dd-8c63-b4d8de657951/
SH256 hash:
c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7
MD5 hash:
8aab9586473e502be6050692dce19943
SHA1 hash:
a087c38aa8897e52644dd4801a35e3a74148cd7f
Link:
https://www.unpac.me/results/3b1b3b8c-ef2f-46dd-8c63-b4d8de657951/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1cebdad413c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343466/

Comments