MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381
SHA3-384 hash: 85cb0db71c63e6e2ff78ce1685e92bf281597f34d8614da279b6ab0387e3677afea8717d109cc454782b0305c58ba017
SHA1 hash: 109364c2ded28d6e5ab61c49fa16e744905fc4a6
MD5 hash: bc9d4feac55d2bc2a7721db06aa4597c
humanhash: one-ceiling-lithium-butter
File name:d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:519'168 bytes
First seen:2021-09-29 07:50:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tzGz3Ni+hBr7IUA064lQHIdwFGG+DHRBlJPPth:tGNi+hBr8UAXmmFGGiJt
Threatray 2'110 similar samples on MalwareBazaar
TLSH T1B4B48DDA1EB457CBFB4E01F8F9792B8813BA9028D59BF3C2CA45B0B351367644920DD6
Reporter JAMESWT_WT
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381
Verdict:
Suspicious activity
Analysis date:
2021-09-28 19:17:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f8993e1-1be0-4e96-8e96-b217568807f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192987/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1048-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Scr.Malcodegdn30.14006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f8454eb-1b0f-4511-89fe-a4af80747cb3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860815
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493304 Sample: xLw8w0xBY1 Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 10 other signatures 2->79 11 xLw8w0xBY1.exe 3 2->11         started        15 Windows NT Audio Jack Device Pictures.exe 2 2->15         started        17 Windows NT Audio Jack Device Pictures.exe 2 2->17         started        process3 file4 67 C:\Users\user\AppData\...\xLw8w0xBY1.exe.log, ASCII 11->67 dropped 91 Contains functionality to detect virtual machines (IN, VMware) 11->91 93 Contains functionality to steal Chrome passwords or cookies 11->93 95 Contains functionality to capture and log keystrokes 11->95 99 2 other signatures 11->99 19 xLw8w0xBY1.exe 1 5 11->19         started        97 Drops executables to the windows directory (C:\Windows) and starts them 15->97 23 Windows NT Audio Jack Device Pictures.exe 15->23         started        25 Windows NT Audio Jack Device Pictures.exe 17->25         started        signatures5 process6 file7 63 Windows NT Audio J...Device Pictures.exe, PE32 19->63 dropped 65 Windows NT Audio J...exe:Zone.Identifier, ASCII 19->65 dropped 81 Creates an autostart registry key pointing to binary in C:\Windows 19->81 27 cmd.exe 1 19->27         started        30 cmd.exe 1 19->30         started        signatures8 process9 signatures10 85 Uses ping.exe to sleep 27->85 32 Windows NT Audio Jack Device Pictures.exe 3 27->32         started        35 PING.EXE 1 27->35         started        38 conhost.exe 27->38         started        87 Uses cmd line tools excessively to alter registry or file data 30->87 89 Uses ping.exe to check the status of other devices and networks 30->89 40 conhost.exe 30->40         started        42 reg.exe 1 30->42         started        process11 dnsIp12 61 Windows NT Audio J...ce Pictures.exe.log, ASCII 32->61 dropped 44 Windows NT Audio Jack Device Pictures.exe 1 4 32->44         started        48 Windows NT Audio Jack Device Pictures.exe 32->48         started        50 Windows NT Audio Jack Device Pictures.exe 32->50         started        69 127.0.0.1 unknown unknown 35->69 file13 process14 dnsIp15 71 yjune2021.duckdns.org 194.5.97.131, 3030, 49741 DANILENKODE Netherlands 44->71 101 Detected Remcos RAT 44->101 103 Installs a global keyboard hook 44->103 52 cmd.exe 1 44->52         started        55 iexplore.exe 44->55         started        signatures16 process17 signatures18 83 Uses cmd line tools excessively to alter registry or file data 52->83 57 conhost.exe 52->57         started        59 reg.exe 1 52->59         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 07:54:50 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=24nwexwqh3mgfhym76t4mhf5raxqyjkb7bgj6fzsbm2r2rgkaoaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0278c4b0397c831f5c3fd4f9ae46093fccee05167dab7391570ba138ad3238a0
RemcosRAT
26726a1e321ed1e0f39b676a56b38eb41641f734aa05e0a9669c6144b53ee191
RemcosRAT
3b012c89bb2f6a513be0335d94b0b7f8517edeb70ba37b559a94b0993df4ad80
RemcosRAT
5e27b2f6ec7f0387f6c380ac26eb924fcc732601c43ed7c400c42ae82fb0de57
RemcosRAT
62ee412123d6e8832cebbf33d84d5695adc4fc2d66f0ec7222d9ccd5f21d4866
RemcosRAT
83177bc5d78b3fd5054543d6fc65d16b4576be79447ac5ee894a4b3b330e3764
RemcosRAT
ab5e531c49ff91e17814ab2974a20b7b141b42b1d0229e27b20713358effd633
RemcosRAT
c3402066324ea3b63b1736d2cb257a441b3660a257751ea54ced7d43864f4d6d
RemcosRAT
e0a23d00156db7984951934506ee9edd0249d9a2d39e6bfb285291d510ee054f
RemcosRAT
eca9be257354d26e49e1b03d1b8d42228cf66b5ee1b1236afad3c348da43c48b
RemcosRAT
+ 2'100 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:post-vax brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/210929-jpvn7secfj/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
UAC bypass
Malware Config
C2 Extraction:
yjune2021.duckdns.org:3030
Unpacked files
SH256 hash:
2caf03cb277023c9f80a3173b12e673bc24d530b2198d6adf63e048235da79f9
MD5 hash:
f3745a6a2d6a32c1768a8bbb49a616f5
SHA1 hash:
48ce3f69e4f80f245ca40bea9f9cc9fefc733e41
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/29f74d0f-1dd4-4f1d-ad9d-4dc76ad77daf/
SH256 hash:
9fc472553c58f3a5a4a12a6e81979a72dc65adb09891e14c1c8a86b11198ec4c
MD5 hash:
f007e685079bbf61452dde2dec66586d
SHA1 hash:
52a560353d5245fe384e5f6d9fe723c3b302356f
Link:
https://www.unpac.me/results/29f74d0f-1dd4-4f1d-ad9d-4dc76ad77daf/
SH256 hash:
fd604473fe89558a563c0fe92612923323434357b666269c0d0d8da45237a072
MD5 hash:
1fb58d9e1b0b31ea0e734dcaf89d3188
SHA1 hash:
4c61b11da3b033102f0e1f0b57f7b707710a18ed
Link:
https://www.unpac.me/results/29f74d0f-1dd4-4f1d-ad9d-4dc76ad77daf/
SH256 hash:
6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash:
681eca96e4e7b513317178dc7065ef39
SHA1 hash:
24af82015bc57d125f1ccb759840118b2283d1dc
Link:
https://www.unpac.me/results/29f74d0f-1dd4-4f1d-ad9d-4dc76ad77daf/
SH256 hash:
d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381
MD5 hash:
bc9d4feac55d2bc2a7721db06aa4597c
SHA1 hash:
109364c2ded28d6e5ab61c49fa16e744905fc4a6
Link:
https://www.unpac.me/results/29f74d0f-1dd4-4f1d-ad9d-4dc76ad77daf/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d71b625ed03e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe d71b625ed03ed8629f0cffa7c61cbd882f0c2541f84c9f17320b351d44ca0381

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1640786/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192987/

Comments