MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
SHA3-384 hash: 3dbdc9e5e2eb86cc671a06beae7db0483821f334f64e53524614ae34b5fd310febc5c6d73c1a619b1840e88d18683e54
SHA1 hash: 61ab2c43d19c6441e394561e0441890168b9a9ab
MD5 hash: b201aa5242dd9b32ec9c38e1f999c723
humanhash: mars-johnny-butter-angel
File name:Appraisal.vbs
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:706 bytes
First seen:2021-04-26 09:35:34 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:jaiugaiuTfhUZDiwgAwrO+WcAtTCX4OpFvOFrhxFEbWFFiw/5JTxz/iuw:jpuwuTSZDirAwrOtcKTCNpF2FrhDrFFQ
Threatray 286 similar samples on MalwareBazaar
TLSH 8E01E123B6259F0A54139602B8307057DDC258C7567BB228F2DC917258DCFCF0618BE1
Reporter abuse_ch
Tags:RAT RemcosRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144275/
Detection(s):
SecuriteInfo.com.Downloader.Agent8.B23TOPIS.E0.gQY4aF1oHGN.28628.25946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Launching a process
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Using obfuscated Powershell scripts
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697672
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected BrowsingHistoryView browser history reader tool
Yara detected MSILLoadEncryptedAssembly
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397756 Sample: Appraisal.vbs Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Detected Remcos RAT 2->56 58 6 other signatures 2->58 9 wscript.exe 1 2->9         started        process3 signatures4 68 VBScript performs obfuscated calls to suspicious functions 9->68 70 Wscript starts Powershell (via cmd or directly) 9->70 72 Obfuscated command line found 9->72 12 powershell.exe 14 21 9->12         started        process5 dnsIp6 42 ia601404.us.archive.org 207.241.227.124, 443, 49724 INTERNET-ARCHIVEUS United States 12->42 44 ia601406.us.archive.org 207.241.227.126, 443, 49712 INTERNET-ARCHIVEUS United States 12->44 46 ia801400.us.archive.org 207.241.228.140, 443, 49723 INTERNET-ARCHIVEUS United States 12->46 38 C:\Users\Public\ Microsoft.ps1, ASCII 12->38 dropped 78 Creates an undocumented autostart registry key 12->78 17 powershell.exe 20 12->17         started        20 conhost.exe 12->20         started        file7 signatures8 process9 signatures10 48 Writes to foreign memory regions 17->48 50 Injects a PE file into a foreign processes 17->50 22 aspnet_compiler.exe 2 2 17->22         started        process11 dnsIp12 40 185.19.85.168, 1723, 49729, 49739 DATAWIRE-ASCH Switzerland 22->40 36 C:\Users\user\AppData\Roaming\...\logs.dat, data 22->36 dropped 60 Contains functionalty to change the wallpaper 22->60 62 Contains functionality to steal Chrome passwords or cookies 22->62 64 Contains functionality to inject code into remote processes 22->64 66 4 other signatures 22->66 27 aspnet_compiler.exe 13 22->27         started        30 aspnet_compiler.exe 2 22->30         started        32 aspnet_compiler.exe 1 22->32         started        34 aspnet_compiler.exe 22->34         started        file13 signatures14 process15 signatures16 74 Tries to harvest and steal browser information (history, passwords, etc) 27->74 76 Tries to steal Instant Messenger accounts or passwords 32->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lm3m3e2vuhgzqqkpbviskm2rnfgljnditntnhp5pp522p5ubnkq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
12bbe24de7cb5efda944526935ce54a013d93d99b366b9f74a19828ddc987ebc
RemcosRAT
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
RemcosRAT
286ac923f7619b720847b3820652ca94b3b09ee4885e581ced04e8f1395713b9
RemcosRAT
28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd
RemcosRAT
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
RemcosRAT
97fe546f4790b24b92895fd102ab528c84187dde94b00e4efc16e78dba9f80a4
RemcosRAT
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
RemcosRAT
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
RemcosRAT
c944bccd2c79cfde05f0c641c559256ff09fdff944381f9d220dfd14cb35a7a7
RemcosRAT
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
RemcosRAT
+ 276 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210426-zemd4ja3x6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
NirSoft MailPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
185.19.85.168:1723
Dropper Extraction:
https://ia601406.us.archive.org/10/items/all_20210426/ALL.TXT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144275/

Comments