MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd4a8ac403fa5890139b9471739220d3e68773bc6c87c77d424f35f11a58c05c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd4a8ac403fa5890139b9471739220d3e68773bc6c87c77d424f35f11a58c05c
SHA3-384 hash: c4f8e6abac3c89d2e76889663898d65f337a9eff02cabb5e3a17ea8acb4821b797ca5857be1cb3265788d14f62f6ab75
SHA1 hash: 63d57d6f5771598ea6aa1135c76891e5c2f382e5
MD5 hash: 16acb1ca44e4a9069656e72e3fbcd571
humanhash: wisconsin-magazine-zulu-blossom
File name:16acb1ca44e4a9069656e72e3fbcd571.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:714'752 bytes
First seen:2022-08-18 06:40:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:XPlPU1t11R/5Pe6nlatyx0G68GkDW7dQazTFh6Rzt99GZIVBgN1ck:NPU1NPrlatyl68A6IORcIVBC+k
TLSH T166E4CF0077F89914E7BB8F3ACA70511059F6BDDA6A27D35F269122ED0D767980C2332B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16acb1ca44e4a9069656e72e3fbcd571.exe
Verdict:
Malicious activity
Analysis date:
2022-08-18 06:42:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/751238ac-d063-4221-b81f-26f2a11d3902

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299510/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching cmd.exe command interpreter
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive fareit packed wacatac
Link:
https://www.filescan.io/uploads/62fddf798adad7d7739e0b4d/reports/501ab1b3-f66e-4615-8bf9-d9fe8467c6e3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a54d71c-765a-4028-b149-952a6ecc1153
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1053595
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686110 Sample: q7mkhU88LJ.exe Startdate: 18/08/2022 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 9 other signatures 2->93 11 q7mkhU88LJ.exe 3 2->11         started        15 Windows Health Check.exe 2 2->15         started        17 Windows Health Check.exe 2 2->17         started        process3 file4 75 C:\Users\user\AppData\...\q7mkhU88LJ.exe.log, ASCII 11->75 dropped 111 Injects a PE file into a foreign processes 11->111 19 q7mkhU88LJ.exe 1 5 11->19         started        23 Windows Health Check.exe 15->23         started        113 Drops executables to the windows directory (C:\Windows) and starts them 17->113 26 Windows Health Check.exe 17->26         started        28 Windows Health Check.exe 17->28         started        30 Windows Health Check.exe 17->30         started        signatures5 process6 dnsIp7 71 C:\Windows\...\Windows Health Check.exe, PE32 19->71 dropped 73 Windows Health Check.exe:Zone.Identifier, ASCII 19->73 dropped 95 Creates an autostart registry key pointing to binary in C:\Windows 19->95 32 cmd.exe 1 19->32         started        35 cmd.exe 1 19->35         started        37 MpCmdRun.exe 19->37         started        77 referantsa12.duckdns.org 194.5.97.155, 4045, 49756 DANILENKODE Netherlands 23->77 97 Installs a global keyboard hook 23->97 39 cmd.exe 23->39         started        file8 signatures9 process10 signatures11 81 Uses ping.exe to sleep 32->81 41 Windows Health Check.exe 3 32->41         started        44 PING.EXE 1 32->44         started        47 conhost.exe 32->47         started        83 Uses cmd line tools excessively to alter registry or file data 35->83 85 Uses ping.exe to check the status of other devices and networks 35->85 49 reg.exe 1 35->49         started        51 conhost.exe 35->51         started        53 conhost.exe 37->53         started        55 conhost.exe 39->55         started        57 reg.exe 39->57         started        process12 dnsIp13 99 Injects a PE file into a foreign processes 41->99 59 Windows Health Check.exe 2 1 41->59         started        79 127.0.0.1 unknown unknown 44->79 101 Disables UAC (registry) 49->101 signatures14 process15 signatures16 103 Detected Remcos RAT 59->103 105 Writes to foreign memory regions 59->105 107 Allocates memory in foreign processes 59->107 109 Injects a PE file into a foreign processes 59->109 62 cmd.exe 1 59->62         started        65 iexplore.exe 59->65         started        process17 signatures18 115 Uses cmd line tools excessively to alter registry or file data 62->115 67 conhost.exe 62->67         started        69 reg.exe 62->69         started        process19
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd4a8ac403fa5890139b9471739220d3e68773bc6c87c77d424f35f11a58c05c/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-18 06:41:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvfivrad7jmjae43sryxhera2ptio454nsd4o7kcj427cgsyyboa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:18th aug brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/220818-hfr2aaafep/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
referantsa12.duckdns.org:4045
Unpacked files
SH256 hash:
f81a536be5c0577f7b57d761f1194adbd2b9d206c68a35c9b207f3328fc18fe4
MD5 hash:
526d3c834936af671e75b80f140204ba
SHA1 hash:
0608b3a46e648abe4819a9aa00cb946c548c525e
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/208d4761-47bb-483b-bbc4-36b31be3e9fa/
SH256 hash:
551ef0181260a5ab5728a618c2e86443753aaeb425e6c3b1346dfb0a661c73af
MD5 hash:
3c7205139e6aabd7de040b15021c24ed
SHA1 hash:
e4c66e4ca1bb3b5488d7c4ba7fddc8cac118955f
Link:
https://www.unpac.me/results/208d4761-47bb-483b-bbc4-36b31be3e9fa/
SH256 hash:
21b3b2c88999b63c472bf83b7fc820be7f89d52cb56479718b7a163d31fc7a6b
MD5 hash:
854b47ed5f6ef43c2d5f68a7463f4301
SHA1 hash:
69e5d1940b495e76e4e6041fa9dca62752d30ad2
Link:
https://www.unpac.me/results/208d4761-47bb-483b-bbc4-36b31be3e9fa/
SH256 hash:
fdd80634265c0ea9f907cc29735bd50b5000751cfaf4bea286cb0d5aec984132
MD5 hash:
3a29d936ea2f1aec5c2ce857b602dd36
SHA1 hash:
5d887c69dde9517cd9226ba157e55231a227c8b1
Link:
https://www.unpac.me/results/208d4761-47bb-483b-bbc4-36b31be3e9fa/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/208d4761-47bb-483b-bbc4-36b31be3e9fa/
SH256 hash:
cd4a8ac403fa5890139b9471739220d3e68773bc6c87c77d424f35f11a58c05c
MD5 hash:
16acb1ca44e4a9069656e72e3fbcd571
SHA1 hash:
63d57d6f5771598ea6aa1135c76891e5c2f382e5
Link:
https://www.unpac.me/results/208d4761-47bb-483b-bbc4-36b31be3e9fa/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd4a8ac403fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd4a8ac403fa5890139b9471739220d3e68773bc6c87c77d424f35f11a58c05c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe cd4a8ac403fa5890139b9471739220d3e68773bc6c87c77d424f35f11a58c05c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2272201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/299510/

Comments