MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7a99feac21b0b8954a435f3ffa5e816dc3ea0342ec0899357cf352732a5fa57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12


SHA256 hash: c7a99feac21b0b8954a435f3ffa5e816dc3ea0342ec0899357cf352732a5fa57
SHA3-384 hash: 5e7c44168a6d9f25665232b299b67541b9641a825e00441f9e4cc2fb9c90c9ab3c6e81415eb11bd6e10961ff2b6c87d2
SHA1 hash: 1d80a416f31f19f3b1c8fdec34f37a4a82573651
MD5 hash: 7d34e417de9811fc2a26df6d9c08caff
humanhash: equal-montana-mango-pizza
File name: 7d34e417de9811fc2a26df6d9c08caff.exe
Signature: RemcosRAT
File size: 1'098'240 bytes
First seen: 2022-02-11 07:24:36 UTC
Last seen: 2022-02-11 08:38:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:xqbDAWlK1uCtZIE1fzZiPqB8Dd5a0TCPCYCe3wGG:x6DrCtZIE9gQKLa0TCPCjUwGG
Threatray: 1'082 similar samples on MalwareBazaar
TLSH: T18D3502AC7221769FC893C67AC9A92C60AA606177631FB207D01340EDAE4DAD7DF141F7
dhash icon: b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter: abuse_ch
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph: ID 570807, sample KxjDPBYVOK.exe, start date 11/02/2022, architecture WINDOWS, score 100. Process chain recoverable from the graph nodes: KxjDPBYVOK.exe → KxjDPBYVOK.exe (drops microservices.exe and install.vbs, creates an undocumented autostart registry key) → wscript.exe → cmd.exe → microservices.exe and conhost.exe; the rendered graph itself is not reproduced here.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-11 07:25:18 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:microservices brand:microsoft persistence phishing rat
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 15.237.137.33:2404
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: exec_macros
Author: ddvvmmzz
Description: exec macros
Rule name: obfuscate_macros
Author: ddvvmmzz
Description: obfuscate macros
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe c7a99feac21b0b8954a435f3ffa5e816dc3ea0342ec0899357cf352732a5fa57 (this sample)

Delivery method: Distributed via web download

Comments