MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c973d3854db8fda1ff848848ab641660e20f3df01bb52426c13c01876115518f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c973d3854db8fda1ff848848ab641660e20f3df01bb52426c13c01876115518f
SHA3-384 hash: 2c698af1e596c24f2ce09f41a7a9081d416bf574fe39df65eff63132bcc1b25452c26c598a46cec4be396e0f909dad1a
SHA1 hash: 637e0572e679d61b66eca0121cae0a546489ec0c
MD5 hash: e8b98db5bf7766a3c7c693315f552dd2
humanhash: finch-alanine-mirror-speaker
File name:e8b98db5bf7766a3c7c693315f552dd2.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:696'832 bytes
First seen:2021-12-07 15:26:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:chr0P3BxLVHbwTwqsFS8M3nD+DyQ0N9C4pVZ/jzvu12UksWl:chr0PTJbwcSFSDyJs4prfUksWl
Threatray 870 similar samples on MalwareBazaar
TLSH T15BE43A0EA612C245E80CBF74FE7F3FB017909DB7DA55931FA2083EADA47B66509C1252
File icon (PE):PE icon
dhash icon 4927d969696d1200 (3 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e8b98db5bf7766a3c7c693315f552dd2.exe
Verdict:
Malicious activity
Analysis date:
2021-12-07 21:19:16 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/3332b28b-9334-4d5c-bbb3-ea070eba58cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/212196/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61af7d0e4d8e6f3a5e173c3b/reports/500798cf-ab78-428b-9577-a055e9ea464e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6116e3bf-f2d5-4ff5-b13d-5e118d7107c5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/903284
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 535763 Sample: ZLEA1BhNrZ.exe Startdate: 07/12/2021 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 12 other signatures 2->47 7 ZLEA1BhNrZ.exe 8 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\...\taskmgr.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\...\ZLEA1BhNrZ.exe, PE32 7->27 dropped 29 C:\Users\user\...\taskmgr.exe:Zone.Identifier, ASCII 7->29 dropped 31 2 other malicious files 7->31 dropped 49 Creates an undocumented autostart registry key 7->49 11 ZLEA1BhNrZ.exe 7->11         started        15 powershell.exe 74 7->15         started        17 powershell.exe 7->17         started        signatures5 process6 dnsIp7 33 following.dvrlists.com 185.19.85.155, 119, 49825 DATAWIRE-ASCH Switzerland 11->33 51 Multi AV Scanner detection for dropped file 11->51 53 Contains functionalty to change the wallpaper 11->53 55 Machine Learning detection for dropped file 11->55 57 5 other signatures 11->57 19 wscript.exe 11->19         started        35 google.com 142.250.184.206 GOOGLEUS United States 15->35 21 conhost.exe 15->21         started        37 yahoo.com 74.6.231.20 YAHOO-NE1US United States 17->37 39 192.168.2.1 unknown unknown 17->39 23 conhost.exe 17->23         started        signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c973d3854db8fda1ff848848ab641660e20f3df01bb52426c13c01876115518f/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 13:56:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
19 of 28 (67.86%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfz5hbknxd62d74erbekwzawmdra6ppqdo2sijwbhqayoyivkghq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60
RemcosRAT
4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81
RemcosRAT
7a25e7868a967540a3dc4c8fa89f07444c4b714c4d2f3add235a7f0c33099c57
RemcosRAT
af171290cc03d72c2c1272b039193cb71fdec5b612330f832dad2220753cb406
RemcosRAT
f30ea3e5ea06e9cb3ea8e6d219f3857f8e0d9bd1664476b9b5665aed0a167bda
RemcosRAT
+ 860 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/211207-st7n1adga2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Remcos
Malware Config
C2 Extraction:
following.dvrlists.com:119
Unpacked files
SH256 hash:
bd1aca887a28fd40ef174c839ad1603468a0b4e8a4a9dd66a64531a40449f6c3
MD5 hash:
ab5c4c909ffa508e7a36576a71fffa6b
SHA1 hash:
e389574db9e32b83fe71fd1d7349d158f336c2c1
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/6b71c7fc-24b7-441e-a23a-d311ccf591c5/
Parent samples :
af171290cc03d72c2c1272b039193cb71fdec5b612330f832dad2220753cb406
c973d3854db8fda1ff848848ab641660e20f3df01bb52426c13c01876115518f
SH256 hash:
e41ce73c5b6f425179e747ad12cc94d9c38fae9f1b7943f870ee59efd4ec1890
MD5 hash:
cb42d02c2827455c1f124f416cae5eb6
SHA1 hash:
aa4585bd28a8741575773eee8c51998cfff58494
Link:
https://www.unpac.me/results/6b71c7fc-24b7-441e-a23a-d311ccf591c5/
SH256 hash:
c83170a12fefe768b59cc907bdf3f9b9b244b0b7131801c3e80142036a5666b3
MD5 hash:
c5323a6c2bea668a7799d69ee6dcfdd4
SHA1 hash:
42aa188fa498943057c1c38e9f2c3bb12e9ceddf
Link:
https://www.unpac.me/results/6b71c7fc-24b7-441e-a23a-d311ccf591c5/
SH256 hash:
c973d3854db8fda1ff848848ab641660e20f3df01bb52426c13c01876115518f
MD5 hash:
e8b98db5bf7766a3c7c693315f552dd2
SHA1 hash:
637e0572e679d61b66eca0121cae0a546489ec0c
Link:
https://www.unpac.me/results/6b71c7fc-24b7-441e-a23a-d311ccf591c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c973d3854db8fda1ff848848ab641660e20f3df01bb52426c13c01876115518f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/212196/

Comments