MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851
SHA3-384 hash: fa895df4f91f6ee0ced8414bd1951a19cf387a3cd4b2ee8abc5faef8a3d9b1b86f736a88fe8e4089ea01696111a2dd0f
SHA1 hash: 74b8672a07fe067743488c0e719332dd3ff2cba7
MD5 hash: c4cac05259418d9e2696fb0f0db8fbf3
humanhash: delta-johnny-march-video
File name:c4cac05259418d9e2696fb0f0db8fbf3
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:488'448 bytes
First seen:2022-05-14 00:45:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d4caf119a59974e14265e37638578a58 (1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 12288:Fxu8G/fqMCQ/JRsxvObN3YBekuXvsY41:bubfqMCQhRsxvObNIeks/41
Threatray 1'215 similar samples on MalwareBazaar
TLSH T164A40210BFA1D034C5A7C63814B497B5DE7A78132675198F37982B6A3F603C01ABE76E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270528/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17617/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed tofsee
Link:
https://www.filescan.io/uploads/627efbcbae83652f0e9ee085/reports/ea9425a1-635d-4719-9fd6-0f2603574a8e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8f056c0-44e3-4a2c-a5bc-81ea6effdc3b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993946
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626442 Sample: 2HK1cUTWU3 Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 3 other signatures 2->68 9 2HK1cUTWU3.exe 4 4 2->9         started        13 ios.exe 2->13         started        15 ios.exe 2->15         started        process3 file4 54 C:\Users\user\AppData\Roaming\ios.exe, PE32 9->54 dropped 56 C:\Users\user\...\ios.exe:Zone.Identifier, ASCII 9->56 dropped 70 Contains functionality to steal Chrome passwords or cookies 9->70 72 Contains functionality to inject code into remote processes 9->72 74 Contains functionality to steal Firefox passwords or cookies 9->74 76 Delayed program exit found 9->76 17 wscript.exe 9->17         started        19 WerFault.exe 9 9->19         started        22 WerFault.exe 9 9->22         started        24 5 other processes 9->24 78 Multi AV Scanner detection for dropped file 13->78 80 Detected unpacking (changes PE section rights) 13->80 82 Detected unpacking (overwrites its own PE header) 13->82 signatures5 process6 file7 26 cmd.exe 17->26         started        42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->46 dropped 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->48 dropped 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->50 dropped 52 2 other malicious files 24->52 dropped process8 process9 28 ios.exe 26->28         started        32 conhost.exe 26->32         started        dnsIp10 58 skygroupt6.zapto.org 62.197.136.97, 2080, 49751 SPRINTLINKUS Netherlands 28->58 60 geoplugin.net 178.237.33.50, 49771, 80 ATOM86-ASATOM86NL Netherlands 28->60 84 Installs a global keyboard hook 28->84 34 WerFault.exe 28->34         started        36 WerFault.exe 28->36         started        38 WerFault.exe 28->38         started        40 WerFault.exe 28->40         started        signatures11 process12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-13 18:08:49 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
576183a33f5247a852bc65a4dc4cbca5762bfbad1291a82572681f7075dc6123
RemcosRAT
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
ba8d32d0c7844fdd2e5c4311fc6dc7a400d7c1ff97bebd9760d62308c669fb8f
RemcosRAT
e6a1d0c6cdb62e541492740eeabafe7f88f242d6a442fa0e2d2b4e8b1a2b1617
RemcosRAT
fafd7463254353a7e4ea4900b93f412fb84bbbddae730fc145c54331eb2533f8
RemcosRAT
+ 1'205 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220514-a4mgpsfghp/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
skygroupt6.zapto.org:2080
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe d900c6367744e8c0fa61f90269bee13dbaa90fd4e84b5db559bef7fd6be1d851

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2193910/
Cape
Cape
https://www.capesandbox.com/analysis/270528/

Comments


Avatar
zbet commented on 2022-05-14 00:45:52 UTC

url : hxxp://85.202.169.85/800/vbc.exe