MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651
SHA3-384 hash: d2fc09ce49546446691f897a2f470a41667dfa2b8c584139d614a8a1836915088d67c8b60d1bc561a15f7fead7ee4d2e
SHA1 hash: c27ea516aed7e051fcd206ad3606bd8574cfecb7
MD5 hash: c3564bf107406c43b36f5e9e4c5af650
humanhash: triple-lamp-violet-ink
File name:MT103.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:482'304 bytes
First seen:2021-08-10 19:58:48 UTC
Last seen:2021-08-11 04:52:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+rFicDmVT0o7MqCH4z7492xGyxLoYRzFH8XKKEqQZWIY2FxHCum96oxVnNr9zpCo:+rFz/q7PmyxL7tF4z+xY2if96oxVnF
Threatray 2'975 similar samples on MalwareBazaar
TLSH T198A49D3A5458922BF53BC27891180346F3F199D2F0C9DA7BF8D3658A883236566C937F
dhash icon 080100040c4a0108 (2 x Formbook, 1 x RemcosRAT, 1 x NanoCore)
Reporter cocaman
Tags:exe RemcosRAT SWIFT

Intelligence

File Origin
# of uploads :
3
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT103.exe
Verdict:
Malicious activity
Analysis date:
2021-08-10 20:01:04 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/fb6c038f-0843-4e06-b95c-51b29b791884

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178057/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.ACJF.22843.16253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b82ff8d5-0938-4fd0-b926-432a952d3488
Result
Threat name:
Remcos AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830500
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops PE files with benign system names
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462931 Sample: MT103.exe Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->73 75 13 other signatures 2->75 9 MT103.exe 3 2->9         started        12 mstsc.exe 2->12         started        14 mstsc.exe 2->14         started        process3 file4 61 C:\Users\user\AppData\Local\...\MT103.exe.log, ASCII 9->61 dropped 16 MT103.exe 3 9->16         started        process5 file6 51 C:\Users\user\AppData\Local\Temp\BB.exe, PE32 16->51 dropped 53 C:\Users\user\AppData\Local\Temp\Ab.exe, PE32 16->53 dropped 19 BB.exe 1 4 16->19         started        24 Ab.exe 7 16->24         started        process7 dnsIp8 67 192.168.2.1 unknown unknown 19->67 55 C:\Users\user\AppData\Roaming\...\mstsc.exe, PE32 19->55 dropped 87 Antivirus detection for dropped file 19->87 89 Multi AV Scanner detection for dropped file 19->89 91 Machine Learning detection for dropped file 19->91 95 5 other signatures 19->95 26 cmd.exe 1 19->26         started        57 C:\Users\user\AppData\Roaming\svchost.exe, PE32 24->57 dropped 59 C:\Users\user\AppData\...\tmpDC06.tmp.bat, DOS 24->59 dropped 93 Drops PE files with benign system names 24->93 29 cmd.exe 1 24->29         started        31 cmd.exe 1 24->31         started        file9 signatures10 process11 signatures12 97 Uses ping.exe to sleep 26->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 26->99 101 Uses ping.exe to check the status of other devices and networks 26->101 33 mstsc.exe 1 3 26->33         started        37 PING.EXE 1 26->37         started        39 conhost.exe 26->39         started        41 svchost.exe 3 29->41         started        43 conhost.exe 29->43         started        45 timeout.exe 1 29->45         started        47 conhost.exe 31->47         started        49 schtasks.exe 1 31->49         started        process13 dnsIp14 63 194.5.98.81, 2510, 49715, 49716 DANILENKODE Netherlands 33->63 77 Antivirus detection for dropped file 33->77 79 Machine Learning detection for dropped file 33->79 81 Contains functionality to steal Chrome passwords or cookies 33->81 85 3 other signatures 33->85 65 127.0.0.1 unknown unknown 37->65 83 Multi AV Scanner detection for dropped file 41->83 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 15:17:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z62opmedimaqz52gcsphddehg7scsm4q2av4lpzq2rwf444hcziq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
4c11b7fb217b3675e60d659ce0a2c3eee1bdbd3e3ddba1ad6d762878f62534d1
RemcosRAT
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
RemcosRAT
5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d
RemcosRAT
885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
RemcosRAT
ac7d008a3ac44bc8dfe3edbbc8542ed5b51bcf911b67eb8e9a715ebb5250ad27
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
d2a1375e9e0c3c8fbc3496cb6c1690e2c47d167a5cac476b528ad2c051f85a52
RemcosRAT
ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13
RemcosRAT
eeddb4eb1252a45f5a8246d68dc6557f3e0c6f264a0a6f42e81d041c53864a48
RemcosRAT
ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9
RemcosRAT
+ 2'965 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:remcos botnet:host persistence rat
Link:
https://tria.ge/reports/210810-cg13ztvv9s/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Async RAT payload
AsyncRat
Remcos
Malware Config
C2 Extraction:
127.0.0.1:2510
194.5.98.81:2510
194.5.98.81:7123
Unpacked files
SH256 hash:
527b85836a9d6cdc8e6f68894ca85ead752d249bc6f68be5a81913ef64d5057a
MD5 hash:
75e8e9980ce7829300d7759124dd9217
SHA1 hash:
2a7f3342902b755bf90e558ce2ec7cef349d12a5
Detections:
win_asyncrat_w0
Create hunting rule
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/35365255-9146-4a0f-81b4-ff0b7831f477/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/35365255-9146-4a0f-81b4-ff0b7831f477/
SH256 hash:
4198c9bed56ffaa15d7660514c8ff685865b1cc4491288b55de86a8ec5e9d5e1
MD5 hash:
deb7a764781de911e39db045f2bb393e
SHA1 hash:
b37c755d0e203c8434b01ff30c6a2f0098b02d1f
Link:
https://www.unpac.me/results/35365255-9146-4a0f-81b4-ff0b7831f477/
SH256 hash:
ab63fbbedf5b5ad5be373fb11ee84284efca4a58f6a34e0c3d6b885c16a81fbe
MD5 hash:
855075698e4f11e8089f881c4b0237f8
SHA1 hash:
972785092ec9ba946fa90ad50198bc6f7bf5b234
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/35365255-9146-4a0f-81b4-ff0b7831f477/
Parent samples :
5647b223088d5f7055db455ce7c82de9a1f762126af37635e29b7ef84963ebf5
74615bedcd52ff089b0ed9dede11c46cd27de39b0b52c309ad71175e79e53868
cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651
SH256 hash:
1d99246378ccf15778bd36cc3d85b09a6e53581c4cff5f441cc520dfb99896df
MD5 hash:
c8b3a05b20c5bdc2909cd4ec7e8509f3
SHA1 hash:
4797b824d0729d77b7d949e69819c36fa0bc0c15
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/35365255-9146-4a0f-81b4-ff0b7831f477/
Parent samples :
74615bedcd52ff089b0ed9dede11c46cd27de39b0b52c309ad71175e79e53868
cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651
61f086d38f23fedd3ed01281c6dc43901d0dda54c38e2160aec66840993e12c4
SH256 hash:
cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651
MD5 hash:
c3564bf107406c43b36f5e9e4c5af650
SHA1 hash:
c27ea516aed7e051fcd206ad3606bd8574cfecb7
Link:
https://www.unpac.me/results/35365255-9146-4a0f-81b4-ff0b7831f477/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cfb4e7b08343/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip d0732aedbe65944a77b053e11532b7df88b8ae0f96ed29d0f93683ff578c5357

RemcosRAT

Executable exe cfb4e7b08343010cf746149e718c8737e4293390d02bc5bf30d46c5e73871651

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d0732aedbe65944a77b053e11532b7df88b8ae0f96ed29d0f93683ff578c5357
Cape
Cape
https://www.capesandbox.com/analysis/178057/

Comments