MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
SHA3-384 hash: 67deaf8323535b77308dd93a1809a71334de49adc0a09888a2824cdf719b7d2d37f0c97bced87d14032279ba2d4f526f
SHA1 hash: 3e55f2bd71bbfea911c85e2f536b57a2c19f8ba2
MD5 hash: a7245f2f42d562ba4effac50d5eb3a86
humanhash: neptune-hamper-snake-oklahoma
File name:SecuriteInfo.com.Trojan.Garf.Gen.8.25539.12822
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:489'767 bytes
First seen:2022-10-26 13:42:06 UTC
Last seen:2022-10-28 08:36:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 6144:qweEpqL9VnSf5bAzdUaa6KoU87GJgBzDvjmnUGlOUj8/TiRSbgp2XCV7aCMGpGW/:bqBVSiLaVo2JoMoB/TaSEp2+7aCZcZnY
Threatray 2'069 similar samples on MalwareBazaar
TLSH T19DA4235167E0C5B6E1028972877BEEC887F9DC1A03D99BC703581E9D7BE13D28B1E50A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
4
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.Garf.Gen.8.25539.12822
Verdict:
Malicious activity
Analysis date:
2022-10-26 13:46:03 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/8fdc7187-4414-4abb-959f-81ebfbadc59c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324420/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.8.25539.12822.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45663/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f791c542-0fe9-4029-8deb-6f7e960529ed
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098438
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 731091 Sample: SecuriteInfo.com.Trojan.Gar... Startdate: 26/10/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Remcos RAT 2->56 58 2 other signatures 2->58 7 SecuriteInfo.com.Trojan.Garf.Gen.8.25539.12822.exe 18 2->7         started        10 vkjhxkbnfvqec.exe 1 2->10         started        13 vkjhxkbnfvqec.exe 1 2->13         started        process3 file4 36 C:\Users\user\AppData\Local\Temp\arrwz.exe, PE32 7->36 dropped 15 arrwz.exe 1 3 7->15         started        60 Antivirus detection for dropped file 10->60 62 Multi AV Scanner detection for dropped file 10->62 64 Machine Learning detection for dropped file 10->64 19 conhost.exe 10->19         started        21 vkjhxkbnfvqec.exe 10->21         started        23 vkjhxkbnfvqec.exe 10->23         started        66 Maps a DLL or memory area into another process 13->66 25 conhost.exe 13->25         started        27 vkjhxkbnfvqec.exe 13->27         started        29 vkjhxkbnfvqec.exe 13->29         started        signatures5 process6 file7 38 C:\Users\user\AppData\...\vkjhxkbnfvqec.exe, PE32 15->38 dropped 44 Antivirus detection for dropped file 15->44 46 Multi AV Scanner detection for dropped file 15->46 48 Machine Learning detection for dropped file 15->48 50 5 other signatures 15->50 31 arrwz.exe 2 13 15->31         started        34 conhost.exe 15->34         started        signatures8 process9 dnsIp10 40 41.216.183.226, 41900, 49695 AS40676US South Africa 31->40 42 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 31->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 06:37:21 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ltzywi6ih5mkez6qbss3fhiyhgefzrdqgry6lobdrbdmbkhv7tq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
3c21819ed32b31c231e20b51b1f956e4160a7b8dbfe7468b096ce64b4b138007
RemcosRAT
9378e7d749031db44b0ba686cfaf2bb02011e7877f688f4edd601fb48fdbdd7e
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
RemcosRAT
+ 2'059 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehoststar persistence rat
Link:
https://tria.ge/reports/221026-qz83xafgf2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
41.216.183.226:41900
Unpacked files
SH256 hash:
b004491771d05dc604c8f1a7b169673e9b7a7f33c4833bcfa50c5e76b8c9a1d8
MD5 hash:
b30ad3ec69c35a44bd720e88e07e283e
SHA1 hash:
52a834e399eb4fcac0a4bc0b1f53634da776aecf
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/61fbe779-bbec-48e6-9c04-bd8d25497ffc/
Parent samples :
8573105c4b67affc024eec0b64c4f4c2f2e7f52d31b5eec059d6d8dc6f0a3743
0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
ac2022d039991daaa6b3f05a7d2324b55247446b4f0b20f0feb36d22fd21d428
522de9141cf7d1449c48f439b23bbc53be3de244e1baf817759b64eedfe5ae00
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
284749a242c7dcee6d5f8d71bb4de12ccbc7f7acc24a8fb795859b0393f23577
SH256 hash:
a07bad73e097aa522375689866ccd506b03eddceeacfbc05d9610a1656f6735a
MD5 hash:
36a1e874d53243658484be856e6c55de
SHA1 hash:
77c9b0a399ad8fd70069929d3ab6a6531679a3cc
Link:
https://www.unpac.me/results/61fbe779-bbec-48e6-9c04-bd8d25497ffc/
SH256 hash:
dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
MD5 hash:
a7245f2f42d562ba4effac50d5eb3a86
SHA1 hash:
3e55f2bd71bbfea911c85e2f536b57a2c19f8ba2
Link:
https://www.unpac.me/results/61fbe779-bbec-48e6-9c04-bd8d25497ffc/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dae79c591e41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 5fcd2b75332006a31b954cc43d15ff90e3f1b20baf45deee1577ad4a937fad24

RemcosRAT

Executable exe dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/324420/
  
Dropped by
SHA256 5fcd2b75332006a31b954cc43d15ff90e3f1b20baf45deee1577ad4a937fad24
  
Dropped by
MD5 1483c650c7aaa6d27338db16fc555a2d

Comments