MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d74d5c42926dda1fa4499cd087c9058411dbf34831cabb822d512b2c9a3728a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 10

SHA256 hash: d74d5c42926dda1fa4499cd087c9058411dbf34831cabb822d512b2c9a3728a5
SHA3-384 hash: ba5ace4ce3e1c193e4be78b503ffc8fbb5268f7567c7a970c86ddf9fcc8336e112dfe985114e9df44ebc7460452f6f39
SHA1 hash: 2df4e2114e7fc7892061b4b924b5746daea7bb77
MD5 hash: e7e37e58de40b390fcded847360e0c49
humanhash: sad-jupiter-princess-hawaii
File name: e7e37e58de40b390fcded847360e0c49.exe
Signature: RemcosRAT
File size: 896'512 bytes
First seen: 2021-07-12 05:15:10 UTC
Last seen: 2021-07-12 05:42:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:FNfMcGra0DM3AevoI9/nPDlGIupzbxvpBk8cPfE7Z6tWGs0ysOZ+qemccB:Mc6a0QwEoI9bmzbxhim
Threatray: 1'863 similar samples on MalwareBazaar
TLSH: T10E155B5836306D9EC81298759DA49C30F721EC634787D2E370973DBBB9FD6868E042B6
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch:
RemcosRAT C2:
37.0.11.114:2404

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 37.0.11.114:2404
ThreatFox reference: https://threatfox.abuse.ch/ioc/159690/

Intelligence


File Origin
# of uploads: 2
# of downloads: 130
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e7e37e58de40b390fcded847360e0c49.exe
Verdict: Malicious activity
Analysis date: 2021-07-12 05:15:48 UTC
Tags: trojan rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 446914
Sample: EA8zPd5Z8C.exe
Start date: 12/07/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree (from the behavior graph; node numbers in brackets are the graph's own):
[2] sample
  [9] EA8zPd5Z8C.exe
    dropped: C:\Users\user\AppData\...A8zPd5Z8C.exe.log (ASCII)
    signatures: Contains functionality to detect virtual machines (IN, VMware); Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; 3 other signatures
    [19] EA8zPd5Z8C.exe
      dropped: C:\Users\user\AppData\...\explorer.exe (PE32); C:\Users\...\explorer.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\install.bat (ASCII)
      [32] cmd.exe
        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        [35] explorer.exe
          signatures: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          [43] explorer.exe
            network: dpqw-avira.bot.nu 37.0.11.114, 2404, 49733 WKD-ASIE Netherlands
            signatures: System process connects to network (likely due to code injection or exploit)
        [38] PING.EXE
          network: 127.0.0.1 unknown unknown
        [41] conhost.exe
  [13] explorer.exe
    signatures: Injects code into the Windows Explorer (explorer.exe); Injects a PE file into a foreign processes
    [22] explorer.exe
    [24] explorer.exe
  [15] explorer.exe
    [26] explorer.exe
    [28] explorer.exe
  [17] explorer.exe
    [30] explorer.exe
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:host persistence rat
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos Malware Config
C2 Extraction: dpqw-avira.bot.nu:2404
Unpacked files

SHA256 hash: d20e9835e64bfe5e7e0aec9891b65870ab7230d812f79d9b181dcb38e562fb8f
MD5 hash: ecd04e02857e43176379f1cd636a0411
SHA1 hash: 8ba0a3e69331ec3b20d7f9a7185d3c2e3701d2a3
Detections: win_remcos_g0 win_remcos_auto

SHA256 hash: 91b80af50989c0f002db4ea6fe1e4f5c10f937c9044d1292edaa6e32f9fa23c6
MD5 hash: e415170cbbbbc8f44bcbec29c4a701eb
SHA1 hash: e060fd5da91c4101fb1c54f98c23a5028a73470f

SHA256 hash: 9b85c6bb673aae94163dbe7edf017f12953f0a325e71de72b38b666ecd902213
MD5 hash: 714958633b93631f22032aa9164b74cd
SHA1 hash: 77bc8569dca48043b32b2029bc30ac31c45c110b

SHA256 hash: d74d5c42926dda1fa4499cd087c9058411dbf34831cabb822d512b2c9a3728a5
MD5 hash: e7e37e58de40b390fcded847360e0c49
SHA1 hash: 2df4e2114e7fc7892061b4b924b5746daea7bb77
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RemcosRAT
File: Executable exe d74d5c42926dda1fa4499cd087c9058411dbf34831cabb822d512b2c9a3728a5 (this sample)

Comments