MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269
SHA3-384 hash: b01589539f52fbf8fbbce12f93536b6c5e918a4ef79e9f505e7a6a90307376faf41f03a497ad013cca689338e8986da4
SHA1 hash: 82a9f8709042a0b3eb9e7aae5b2342bbfbca3e28
MD5 hash: 0d6f619554c6de06992c444d8b3c9a74
humanhash: solar-nitrogen-uranus-hydrogen
File name:0d6f619554c6de06992c444d8b3c9a74
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'949'112 bytes
First seen:2023-03-17 08:04:17 UTC
Last seen:2023-03-17 10:29:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5044024844498395d0e63ba22bbd9978 (2 x Adware.Generic, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 49152:mzJAxzft/ePFG/o0b6AWXP/mfmeWQiN42uky4ZEzS9KXZ:mFAxDVePFG/o0bPWXPupPiPuky40QKJ
TLSH T18895F1473115B9FDC4B201B9E82AAF918DBE7AB0673583B37250EB5E6560EF7643C102
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 44cc8890cc61b244 (1 x RedLineStealer, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
86fc671549dae9122a212b2d0866518d
Verdict:
Malicious activity
Analysis date:
2023-03-17 03:00:08 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/3709b665-1ada-4163-9f3a-570cf26b2dab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374975/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65963586.3879.23988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73498/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/64141f2fe6d26a096f56f23e/reports/e12fa2fd-4d21-4c86-9491-6f96879e01a6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5c7e4ce3-caf0-4f4d-a162-bf48728c11b7
Result
Threat name:
Remcos, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195591
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828488 Sample: SqL8zCX9vz.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 11 other signatures 2->84 7 SqL8zCX9vz.exe 10 2->7         started        12 jave vokavo koca.exe 9 2->12         started        process3 dnsIp4 62 411h9gmjsf7azu3f6wf2wyv9c.lerrj0u3u7vbft4 7->62 48 C:\Users\user\...\jave vokavo koca.exe, PE32 7->48 dropped 50 C:\...\jave vokavo koca.exe:Zone.Identifier, ASCII 7->50 dropped 86 Self deletion via cmd or bat file 7->86 88 Uses schtasks.exe or at.exe to add and modify task schedules 7->88 14 jave vokavo koca.exe 7 7->14         started        19 cmd.exe 1 7->19         started        21 schtasks.exe 1 7->21         started        64 411h9gmjsf7azu3f6wf2wyv9c.lerrj0u3u7vbft4 12->64 52 C:\Users\user\AppData\Local\...\5862796.dll, PE32 12->52 dropped 90 Writes to foreign memory regions 12->90 92 Allocates memory in foreign processes 12->92 94 Injects a PE file into a foreign processes 12->94 23 WerFault.exe 23 9 12->23         started        25 WerFault.exe 9 12->25         started        27 fontview.exe 12->27         started        29 ngentask.exe 12->29         started        file5 signatures6 process7 dnsIp8 66 411h9gmjsf7azu3f6wf2wyv9c.lerrj0u3u7vbft4 14->66 68 192.168.2.1 unknown unknown 14->68 54 C:\Users\user\AppData\Local\...\5857234.dll, PE32 14->54 dropped 70 Writes to foreign memory regions 14->70 72 Allocates memory in foreign processes 14->72 74 Injects a PE file into a foreign processes 14->74 31 fontview.exe 14->31         started        34 ngentask.exe 2 16 14->34         started        76 Uses ping.exe to check the status of other devices and networks 19->76 38 PING.EXE 1 19->38         started        40 conhost.exe 19->40         started        42 chcp.com 1 19->42         started        44 conhost.exe 21->44         started        file9 signatures10 process11 dnsIp12 96 Query firmware table information (likely to detect VMs) 31->96 98 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 31->98 100 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 31->100 104 4 other signatures 31->104 56 vcv.mastercoa.co 192.30.89.27, 49712, 8489 CLOUDSINGULARITYCA Canada 34->56 58 geoplugin.net 178.237.33.50, 49713, 80 ATOM86-ASATOM86NL Netherlands 34->58 46 C:\ProgramData\remcos\logs.dat, data 34->46 dropped 102 Installs a global keyboard hook 34->102 60 127.0.0.1 unknown unknown 38->60 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269/
Threat name:
Win32.Trojan.Fugrafa
Create hunting rule
Status:
Malicious
First seen:
2023-03-16 15:04:43 UTC
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yknmcgur6xyntlyy4tcyiwv3nybe7zuc4euh45wm23x4egbeajuq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:rhadamanthys botnet:remotehost rat stealer
Link:
https://tria.ge/reports/230317-jyvessha9x/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Remcos
Rhadamanthys
Malware Config
C2 Extraction:
vcv.mastercoa.co:8489
Unpacked files
SH256 hash:
981d390a9c2204bcf53e210885c0a01104d9ab00af1c6ebdc0c90183bd024fde
MD5 hash:
254f8e313e6ae57b7cbf86e52d00d21e
SHA1 hash:
05cfdadced748f4691fe9fc949cad923f73e8f43
Link:
https://www.unpac.me/results/8072f52c-06e7-4f0d-b9b1-ea388319d9c3/
SH256 hash:
c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269
MD5 hash:
0d6f619554c6de06992c444d8b3c9a74
SHA1 hash:
82a9f8709042a0b3eb9e7aae5b2342bbfbca3e28
Link:
https://www.unpac.me/results/8072f52c-06e7-4f0d-b9b1-ea388319d9c3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c29ac11a91f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe c29ac11a91f5f0d9af18e4c5845abb6e024fe682e1287e76ccd6efc218240269

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/374975/
  
URLhaus
https://urlhaus.abuse.ch/url/2574555/

Comments


Avatar
zbet commented on 2023-03-17 08:04:24 UTC

url : hxxp://34.238.244.174/68/vbc.exe