MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687
SHA3-384 hash: 537422fd8147ba9027cfc001d8597365c4537d27969865058323ed6ea16e6ecab14d46289c176f5ac440a20f36662d96
SHA1 hash: 0406c8ee0f6f5fc41ce02c423af52e260b1b7894
MD5 hash: 3dd5e211cb02f98fe31c6dd83685d464
humanhash: mexico-nevada-six-uncle
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:687'936 bytes
First seen:2022-11-02 03:37:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:3IxP6cOZjV3TkFngh/uc7RgPpSNRuqComEaZ1qvZxFM3O5/g7x0J2:3wPpO3hWcApSNRutoftvZ7Me5oCQ
Threatray 2'907 similar samples on MalwareBazaar
TLSH T1DEE412D677F50D23C6A92E7B9C5B04C7077CD1063C12AB1128A0B25C1CAB3DEBD6A5CA
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Ziraat Bankas Swift Mesaj.exe
Verdict:
Malicious activity
Analysis date:
2022-11-01 19:29:14 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/a8b30e03-d37f-4576-8e3d-0e0b16a90138

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326952/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.Aichost.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6361e61cce1f43143c2a6295/reports/4f718d0f-c7fa-45d3-add9-4915cbbcc6bd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf9f0baf-5f47-42ae-a595-803ce441ec48
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1102950
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Copy file to startup via Powershell
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 735611 Sample: file.exe Startdate: 02/11/2022 Architecture: WINDOWS Score: 100 74 www.google.com 2->74 76 part-0032.t-0009.t-msedge.net 2->76 78 3 other IPs or domains 2->78 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 Multi AV Scanner detection for submitted file 2->102 104 6 other signatures 2->104 10 file.exe 1 2->10         started        signatures3 process4 file5 68 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->68 dropped 106 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->106 14 RegSvcs.exe 3 17 10->14         started        19 powershell.exe 8 10->19         started        signatures6 process7 dnsIp8 88 45.137.22.236, 49699, 5890 ROOTLAYERNETNL Netherlands 14->88 90 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 14->90 70 C:\ProgramData\remcos\logs.dat, data 14->70 dropped 92 Writes to foreign memory regions 14->92 94 Maps a DLL or memory area into another process 14->94 96 Installs a global keyboard hook 14->96 21 svchost.exe 13 14->21         started        24 svchost.exe 13 14->24         started        26 svchost.exe 14->26         started        30 2 other processes 14->30 28 conhost.exe 19->28         started        file9 signatures10 process11 dnsIp12 86 192.168.2.1 unknown unknown 21->86 32 chrome.exe 14 1 21->32         started        35 chrome.exe 21->35         started        37 conhost.exe 21->37         started        39 chrome.exe 24->39         started        41 chrome.exe 24->41         started        43 conhost.exe 24->43         started        45 chrome.exe 26->45         started        47 2 other processes 26->47 49 4 other processes 30->49 process13 dnsIp14 72 239.255.255.250 unknown Reserved 32->72 51 chrome.exe 32->51         started        54 chrome.exe 35->54         started        56 chrome.exe 39->56         started        58 chrome.exe 41->58         started        60 chrome.exe 45->60         started        62 chrome.exe 47->62         started        64 chrome.exe 49->64         started        66 chrome.exe 49->66         started        process15 dnsIp16 80 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49713, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->80 82 clients.l.google.com 142.250.147.100, 443, 49704 GOOGLEUS United States 51->82 84 7 other IPs or domains 51->84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 16:53:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3uriigginaovmvnrdcogcje7ede5uxqwmhfnp35m5jrkap6pc2dq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
3c21819ed32b31c231e20b51b1f956e4160a7b8dbfe7468b096ce64b4b138007
RemcosRAT
47dabe278b8a171986b17e69ac9fac43657c11eb3c2c1523848074e0cfe6a57f
RemcosRAT
88e06b037f0a779dce49389c9f1e028b8aee5a2f258e4a6e34c53d331dd438ac
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
RemcosRAT
+ 2'897 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/221102-d627qahac9/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Remcos
Malware Config
C2 Extraction:
45.137.22.236:5890
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5c9d69e7-3ff6-406d-8860-0ea8ff11d403
Unpacked files
SH256 hash:
2132d32079c5bbaee8f6c2efe2ead603c31e06b8d19112c36117d99510242e27
MD5 hash:
e243f2f83bbaf3c755019fc1e20ad561
SHA1 hash:
e7b6a22d712fef8e94febc9fbe168e67abd4d618
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/b049d269-7ddc-4215-93f8-e434ec6a1662/
Parent samples :
dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687
65054687e67c867b4f3a1fe66888dbc1e43f1152d44ba8a82e98f4374d54ec1d
11a2113e2974db7c18160ff2993c1513f6fa22ef3e86102dd1df775ebd6ea9e0
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/b049d269-7ddc-4215-93f8-e434ec6a1662/
SH256 hash:
d4bbb214247cd71cbeec26ff6e9b56024f7f322a46786f7e62ac26b98025c361
MD5 hash:
cc478d533fd523576d7982d620456d76
SHA1 hash:
3163cb677477d45bec2fe6f55b1c660f2e5be56b
Link:
https://www.unpac.me/results/b049d269-7ddc-4215-93f8-e434ec6a1662/
SH256 hash:
dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687
MD5 hash:
3dd5e211cb02f98fe31c6dd83685d464
SHA1 hash:
0406c8ee0f6f5fc41ce02c423af52e260b1b7894
Link:
https://www.unpac.me/results/b049d269-7ddc-4215-93f8-e434ec6a1662/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd228418c868/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/326952/
  
URLhaus
https://urlhaus.abuse.ch/url/2396489/

Comments