MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d230efa209c7d8ade947d5d253b8bc16df1b4aef7059c7b617ac02b435aab47f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	d230efa209c7d8ade947d5d253b8bc16df1b4aef7059c7b617ac02b435aab47f
SHA3-384 hash:	da65846ea8958acd0305d5ee417e986ee75cca9f0e1ea8315c9bb41bfc1c231e12da27f49853736d57fe37f494fd0c53
SHA1 hash:	89d7e8c11fd9b630744cdec3c8be6b7cb07d3674
MD5 hash:	ca4b73473282b7aad58dad02f87d510c
humanhash:	berlin-uranus-echo-happy
File name:	SecuriteInfo.com.Variant.Strictor.271096.5167.23264
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	652'800 bytes
First seen:	2022-04-12 17:57:28 UTC
Last seen:	2022-04-12 18:37:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:IUTpvvQFgGnFfi3a625mbRrckh84AAwGo1SZZeXm/5pmnjT6rlDM7fmcGpVq3TD+:lwGckO+f8m/5p0eeugK7MH+3qiD
Threatray	1'153 similar samples on MalwareBazaar
TLSH	T13DD4F11073DE4F16E36F4775C472A1945B3ABD15A1DAEB0E00463AFA78B27D0E6027A3
File icon (PE):
dhash icon	851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

402

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.Variant.Strictor.271096.5167.23264

Verdict:

Malicious activity

Analysis date:

2022-04-12 22:46:43 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/b005e7fd-2252-463d-96f8-19be477a0673

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/263206/

Detection(s):

SecuriteInfo.com.Variant.Strictor.271096.5167.23264.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Query of malicious DNS domain

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6255bdac482f2f41caa16059/reports/2dc5c30e-19bc-4e44-a9d3-9646e6e0e201/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4402133-f19c-497a-aad3-62702a8f65c1

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/975664

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/d230efa209c7d8ade947d5d253b8bc16df1b4aef7059c7b617ac02b435aab47f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-12 16:12:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 42 (61.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2iyo7iqjy7mk32kh2xjfhof4c3prwsxpobm4pnqxvqblinnkwr7q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2

RemcosRAT

5000f900d0d52fb1b6634d0437711ab10c9184d080c852f17b2fb114a35446a8

RemcosRAT

5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec

RemcosRAT

62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136

RemcosRAT

70921226f4c6dd8d21672150cc0115b107c395f848aa89975ed3bb42c7eccd69

RemcosRAT

77ce24c903d75a340e3d5664091c7b72a2529640931e662b80b8dc3fb9226929

RemcosRAT

860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c

RemcosRAT

87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95

RemcosRAT

f5502d660f4b1f1110b7ba4fd0eab36ec5b44ff97c12b146a48ff8e38efa4745

RemcosRAT

+ 1'143 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:ogb rat

Link:

https://tria.ge/reports/220412-wj5y7shfh3/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

boysgoblow.hopto.org:7838

Unpacked files

SH256 hash:

ae2633e24ce36fc7c3706446fc26f74e4679ab0a30af0c2a39d55c778d249ef6

MD5 hash:

1aa49fc5320c0712ccd2bb5fd3064c36

SHA1 hash:

78d5e764eabc8cef6a95d0edc17fe341f9d744e2

Link:

https://www.unpac.me/results/9eb03207-d343-4fb8-a5fc-f2a8763e8d67/

SH256 hash:

ef29c183994e72323d3f6660b53ec791489ec7effe456ffee03cafcda45b91ae

MD5 hash:

5d13995fc480582ca2ae41e9f6159010

SHA1 hash:

4f78281aa40572e381fbd93f3b8f2d4124636639

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/9eb03207-d343-4fb8-a5fc-f2a8763e8d67/

Parent samples :

d230efa209c7d8ade947d5d253b8bc16df1b4aef7059c7b617ac02b435aab47f
5a0bfd7008d6c49f7fd1abb8f7771bb9bdcad23ddddef284ae37eacac4d63afb

SH256 hash:

d230efa209c7d8ade947d5d253b8bc16df1b4aef7059c7b617ac02b435aab47f

MD5 hash:

ca4b73473282b7aad58dad02f87d510c

SHA1 hash:

89d7e8c11fd9b630744cdec3c8be6b7cb07d3674

Link:

https://www.unpac.me/results/9eb03207-d343-4fb8-a5fc-f2a8763e8d67/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_imphash Create hunting rule

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/263206/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample