MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316
SHA3-384 hash: 397be9ebe6c0b36ecbce6fad13367d9b9979147579d06b9811094d3ef02fb63f35602d4614ee77c2dd3c303b870356cc
SHA1 hash: 8a236fe3412ff272e1b43ef58a2a9f7b7c04e658
MD5 hash: d51f8036b14a72ad278e0c0d1202ebbe
humanhash: mirror-sodium-sad-cardinal
File name:d51f8036b14a72ad278e0c0d1202ebbe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:997'376 bytes
First seen:2021-09-29 16:59:40 UTC
Last seen:2021-09-29 19:51:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:8D4VHfQe6ZyWshg+qbZxTZZWunAWvGPSg0Q0ctsT0h0acLJfLWaJHCZ/L:cmag0Q0ctGa2f71eL
Threatray 665 similar samples on MalwareBazaar
TLSH T15B25BF6DF61CE29EFD0903B122297CC415E80C6D197CFA17BEA6B5E230AED7651F0096
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI_0012834.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-29 15:37:34 UTC
Tags:
exploit CVE-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/159a5fe7-01fd-4f4f-b47a-7a350e899d0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193242/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.15480.22601.19913.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97d4f4d6-50c2-4e9e-b7f2-c22a09ea5593
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861275
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493701 Sample: lXQtTCd6Ql Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 12 other signatures 2->67 10 lXQtTCd6Ql.exe 3 2->10         started        14 win32.exe 2 2->14         started        16 win32.exe 2 2->16         started        process3 file4 47 C:\Users\user\AppData\...\lXQtTCd6Ql.exe.log, ASCII 10->47 dropped 71 Contains functionality to steal Chrome passwords or cookies 10->71 73 Contains functionality to inject code into remote processes 10->73 75 Contains functionality to steal Firefox passwords or cookies 10->75 77 Delayed program exit found 10->77 18 lXQtTCd6Ql.exe 4 4 10->18         started        21 lXQtTCd6Ql.exe 10->21         started        79 Injects a PE file into a foreign processes 14->79 23 win32.exe 14->23         started        25 win32.exe 16->25         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\win32.exe, PE32 18->41 dropped 43 C:\Users\user\...\win32.exe:Zone.Identifier, ASCII 18->43 dropped 45 C:\Users\user\AppData\Local\...\install.vbs, data 18->45 dropped 27 wscript.exe 1 18->27         started        process8 dnsIp9 51 192.168.2.1 unknown unknown 27->51 30 cmd.exe 1 27->30         started        process10 process11 32 win32.exe 3 30->32         started        35 conhost.exe 30->35         started        signatures12 53 Multi AV Scanner detection for dropped file 32->53 55 Detected unpacking (changes PE section rights) 32->55 57 Detected unpacking (overwrites its own PE header) 32->57 59 2 other signatures 32->59 37 win32.exe 2 1 32->37         started        process13 dnsIp14 49 jamaru1444.myftp.biz 103.133.111.149, 2019, 49739, 49741 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 37->49 69 Installs a global keyboard hook 37->69 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 17:00:10 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5wom4mrzscwbrziz33bvjuaezkamvw4d2zczzsg7rtsqc53omla._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8
RemcosRAT
77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929
RemcosRAT
8378cff1c00e9259db81de361f9e5ebfc5eb1e932c0d21c5b003360c46a7eb43
RemcosRAT
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
RemcosRAT
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
RemcosRAT
993528adce97be31c6c1e1c01f4877f229b10e8f06b87d8cbcc2f95b46866872
RemcosRAT
a3faa214333ce59ed895410e011c4cbd44fe51b26ed5bf2a0ed54e225616f893
RemcosRAT
af9fa73ff6907f77d55aac6376f3f2e73160fc97afec3656e77da8d5e0a6a488
RemcosRAT
bfd45ef21e21655c921b457242c1d4e05a1e979d0051a4195192d8e17b7bed38
RemcosRAT
d83290b80bf412884168a6d24a06fad12edb578cc612ea555476b422a4499613
RemcosRAT
+ 655 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:grace_2021 persistence rat
Link:
https://tria.ge/reports/210929-vh1gnafch7/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
jamaru1444.myftp.biz:2019
Unpacked files
SH256 hash:
f7d272daf3522f99ca67b99bfe557564baba239104c7f20cef842f2e870bdf28
MD5 hash:
cceaca53d81061c0f1c6cf35ca7bf34b
SHA1 hash:
23ba45b249e0e4bdc5a8d4b4b07e2f7509cf85be
Link:
https://www.unpac.me/results/8d98e633-c8fa-470c-abbe-b7ba5feff4a6/
SH256 hash:
ce6eaf82420c2d9cfebf8342e954da7ce8cd3c601a6c79262d1499f3a2def23d
MD5 hash:
42fc10723d1e8b645e3ba414799d7c5f
SHA1 hash:
306189ef9573001fc230fd7509d024294b4682e0
Link:
https://www.unpac.me/results/8d98e633-c8fa-470c-abbe-b7ba5feff4a6/
SH256 hash:
6fef8420a8bd6a90cfe7ac8aeb0e3811422b9b6cb9e0b14ea03f5236438f72ba
MD5 hash:
10c7772f435231d58046e0dc34def127
SHA1 hash:
38c8f9ffb5136848d62582ef41bab6c810121c74
Link:
https://www.unpac.me/results/8d98e633-c8fa-470c-abbe-b7ba5feff4a6/
SH256 hash:
4e73a6f84431392b3e7fe00068db1971acf4fc2a4dfac06874d4cbc49dfe0389
MD5 hash:
d034f5a4ac7a03ee2e6320e5a598650e
SHA1 hash:
6f60892fdd4c981a1c73d5d8227f776fa24a32de
Link:
https://www.unpac.me/results/8d98e633-c8fa-470c-abbe-b7ba5feff4a6/
SH256 hash:
f0a56de5178af8021a366b347bd4c9bbb636cc962247ba340566f746283935fa
MD5 hash:
88f67ff5027c53f5d376f9588e5decb2
SHA1 hash:
f81b3863a23881c71edc5fe141dd3896a5b06391
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/8d98e633-c8fa-470c-abbe-b7ba5feff4a6/
Parent samples :
cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316
16b336fb7a05c893f87e958181e474d78fdd8d5e42b321622b3f1b25e5394c43
c348a860fa571902a6226ba5b5153b5b5937e3181103ed895f4a78d0454451f8
803e708406a0ea106f897896aa58a9715b7d1a06cb93c61ba9ccb44745724b38
SH256 hash:
cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316
MD5 hash:
d51f8036b14a72ad278e0c0d1202ebbe
SHA1 hash:
8a236fe3412ff272e1b43ef58a2a9f7b7c04e658
Link:
https://www.unpac.me/results/8d98e633-c8fa-470c-abbe-b7ba5feff4a6/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cf6ce67191cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe cf6ce67191cc8560c728cef61aa68026540656dc1eb22ce646fc67280bbb7316

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193242/
  
URLhaus
https://urlhaus.abuse.ch/url/1648143/

Comments


Avatar
zbet commented on 2021-09-29 16:59:41 UTC

url : hxxp://136.144.41.96/ABG.exe