MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64
SHA3-384 hash: 9125c26307700edb2b4a4c64fb7759963d7ce37b23c95a063241a4d4625052297755742ee204d5fa5394106916c8817d
SHA1 hash: 6935da711b7fe3c6afd85c1548ceafa548ac98ae
MD5 hash: 0013e07cb0c3ed24fb1c7bd5d475345b
humanhash: mississippi-leopard-kentucky-east
File name:dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'350'144 bytes
First seen:2022-10-10 12:03:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:JhLuyyGS6/kuFKbmgTpJtUoXFfmU0C4kNTLeJ21a89Ga8n6X:PLuyyGeuymgpHUoXgU0CfvE21a89Ga
Threatray 3'089 similar samples on MalwareBazaar
TLSH T1B755E0238AD54B47DC2867B490B1CDB483A7BC25A876D24F5EC97CAF70733928621B53
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0307612c88000000 (65 x AgentTesla, 47 x RemcosRAT, 9 x MassLogger)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64
Verdict:
Malicious activity
Analysis date:
2022-10-10 12:04:07 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/0e83d68f-5458-4875-a39e-d959693d0abd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318372/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11560.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63440a341ddf36bcc3f43b0e/reports/eaf3527e-4489-4337-93be-af2092bd7f6a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17f629cd-9c2d-40ad-9b63-62a4637c40a2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087369
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719947 Sample: zmL7wIWEzF.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 7 other signatures 2->50 7 zmL7wIWEzF.exe 7 2->7         started        11 DZHUXj.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\DZHUXj.exe, PE32 7->32 dropped 34 C:\Users\user\...\DZHUXj.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp18F6.tmp, XML 7->36 dropped 38 C:\Users\user\AppData\...\zmL7wIWEzF.exe.log, ASCII 7->38 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 54 Adds a directory exclusion to Windows Defender 7->54 56 Injects a PE file into a foreign processes 7->56 13 zmL7wIWEzF.exe 2 2 7->13         started        18 powershell.exe 19 7->18         started        20 schtasks.exe 1 7->20         started        58 Multi AV Scanner detection for dropped file 11->58 22 schtasks.exe 1 11->22         started        24 DZHUXj.exe 11->24         started        signatures5 process6 dnsIp7 42 37.0.14.199, 1985, 49696, 49697 WKD-ASIE Netherlands 13->42 40 C:\ProgramData\remcos\logs.dat, data 13->40 dropped 60 Installs a global keyboard hook 13->60 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 08:03:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lsz625x5u7sgibiad3jzewrlgi3be37vs3z6ojaj2ovpfwbv5sa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20d06c9366037f9c7d08d843ddcb74e264accf481dbefd7b1f77669abb4d9be9
RemcosRAT
24668000291c63d17497280863b4abb8001268e80cd185f2e9185e50115aafcc
RemcosRAT
2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d
RemcosRAT
3309420da4cc8e91be71bd96a482fd2b544e2b1dd0d5a8e075b3cfe9bac1957f
RemcosRAT
440cf58dc6b8e4724c669e148969ecd8d424c9bf6dbdec6e358fdca7e72b3734
RemcosRAT
61a576cbf239d8e25ba3ea9109f42c1579287514f1a0921ae53c386c649dad67
RemcosRAT
70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd
RemcosRAT
825624416b00297bbc9a9544a99b2f5d32093307933009625d386b88c413405c
RemcosRAT
+ 3'079 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:hoest rat
Link:
https://tria.ge/reports/221010-n8k2bsbher/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
37.0.14.199:1985
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/47a15d5e-4959-4703-9beb-1505b3156424
Unpacked files
SH256 hash:
011d2fe60f4f68630f5652d94f7f1ad34973b0bd3194ced972316e82dcf8248a
MD5 hash:
8096bb9b5715aec239e737cce433146a
SHA1 hash:
f1fbdf62ae74922f6e5bde73e8da9d12c82b4435
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f36c61b5-e264-4bd5-ae5a-fa85011d8ca4/
Parent samples :
2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d
dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/f36c61b5-e264-4bd5-ae5a-fa85011d8ca4/
SH256 hash:
bc3008a3cc6e8b32f76d51b4ae920cf99df2925ecd188cc6227e3b9d7e57768f
MD5 hash:
793a3e29e3abbd47bda9646db0e0109a
SHA1 hash:
533a54e9cc572b0226bc7fd0ed2d52376db4a7cd
Link:
https://www.unpac.me/results/f36c61b5-e264-4bd5-ae5a-fa85011d8ca4/
SH256 hash:
a39f674739566eb8e49ad3100ca25c6aa2be87333ea1c75a3c214eb2dfa95d67
MD5 hash:
b181cd8a49405d00caf947782fc0bc29
SHA1 hash:
136a355c3bd6fee90f2c0f08f16a06eba25a8f1b
Link:
https://www.unpac.me/results/f36c61b5-e264-4bd5-ae5a-fa85011d8ca4/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/f36c61b5-e264-4bd5-ae5a-fa85011d8ca4/
SH256 hash:
dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64
MD5 hash:
0013e07cb0c3ed24fb1c7bd5d475345b
SHA1 hash:
6935da711b7fe3c6afd85c1548ceafa548ac98ae
Link:
https://www.unpac.me/results/f36c61b5-e264-4bd5-ae5a-fa85011d8ca4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dae59f6bb7ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318372/

Comments