MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e
SHA3-384 hash:	b933ee2fee1838d81c17515ea7391c3a6e4ac01e4276012c261440c016c2514c779f5f26f423a1c4bb50e4d109d5e897
SHA1 hash:	4eac5b1b54eb59b1f4ae5c9a4e81216c8d1f39e3
MD5 hash:	1f0e311ebd62fec9d8767e8fbad2df1b
humanhash:	mirror-zulu-helium-spaghetti
File name:	PRE-ALERT ZSL22060094 JSCHT22060026 & ZSL22060084 JSCHT22060026.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'147'904 bytes
First seen:	2022-07-05 07:34:46 UTC
Last seen:	2022-07-11 09:02:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:r2SpBePSVM+qCKOdsthVAFuf/Eh60FM7vMC4I1XGkFsOjm5QzDxOnlourmXZZRwj:ySpBZZOOitzAQiQRHmChOnl/rrWci8/
Threatray	2'195 similar samples on MalwareBazaar
TLSH	T1A5350141BAF96FB1DE7C83FA492011A053F7229A289DD72C9EC424CF4674F548660F6B
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	cocaman
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.5957.13553.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62c3e9abc1b6cfcaa5ea1b24/reports/ea2ec724-b486-4e2d-b788-792f9c2879b9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c5b22cb-16e9-4e22-882a-f08c50e8218e

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1024617

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e/

Threat name:

ByteCode-MSIL.Trojan.RemLoader

Status:

Malicious

First seen:

2022-07-05 07:05:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=36tmhda3hmz2stq6rbhepyegjaemrlyznqtaw24aixfu5u35gaha._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

121dd806963977a4c80e98a91e1bccf577d74da295787f7d61ef22cc1026822e

RemcosRAT

3f715bd72a816f61a56b8f1aac0f76cb13438238b8493902785816db7bc51e36

RemcosRAT

b393eb9bb8d0ce7b7017e2b2440c06dc892c3064b4123c14e27638faf72fd7d4

RemcosRAT

d3a21cede73947b114725d5d26f451d9d51d82ffece745f70416d1e844293109

RemcosRAT

ebcb09c56c09245ba10f231b7d4bfacdb5615ee6e3820f479f0a0d6488759668

RemcosRAT

+ 2'185 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/220705-jensxafagl/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

172.111.234.100:5888

Unpacked files

SH256 hash:

8a2bdfab746e1801caea2880365b07f841840e650008e33ed60396250be969e1

MD5 hash:

766b3b053587a229db27d42d16d4b8b2

SHA1 hash:

f605f9a5213e928a97ba1bbade39d43f3173a110

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/776a6331-c29a-4bc5-82d4-3bc94a6ce833/

Parent samples :

dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e
21323faa5f74ccc103e64f30bc31b36e0cfc971a601b59502713151ad4f465db

SH256 hash:

70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca

MD5 hash:

30d61a3a3e26c2bca2eb766990132d7c

SHA1 hash:

94f9742d5f21b13f7d8d194fe938193cbb6a0d4d

Link:

https://www.unpac.me/results/776a6331-c29a-4bc5-82d4-3bc94a6ce833/

SH256 hash:

3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae

MD5 hash:

9ea556e333e216a65aa09c102f36004f

SHA1 hash:

814c07f1dc68bd61840384aac3aa8346d9f8148f

Link:

https://www.unpac.me/results/776a6331-c29a-4bc5-82d4-3bc94a6ce833/

SH256 hash:

4061b865bcb956750e8ce1ae0aa26e747c141999bf1f61b33b122d6a475e77a3

MD5 hash:

23430cc9f1ebb93097f0c2816a6605e7

SHA1 hash:

45dca36d354b407ef4aa4a4d330cd8ca241c0f75

Link:

https://www.unpac.me/results/776a6331-c29a-4bc5-82d4-3bc94a6ce833/

SH256 hash:

b37db97f2721e61088a677c95061ba17e75efe0673cc1cf3b64f33d3b13d9749

MD5 hash:

95a67693ede845824956fe6d22251e1c

SHA1 hash:

283763d80b4324f6e93b0cee1da34069ec6e871b

Link:

https://www.unpac.me/results/776a6331-c29a-4bc5-82d4-3bc94a6ce833/

SH256 hash:

dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e

MD5 hash:

1f0e311ebd62fec9d8767e8fbad2df1b

SHA1 hash:

4eac5b1b54eb59b1f4ae5c9a4e81216c8d1f39e3

Link:

https://www.unpac.me/results/776a6331-c29a-4bc5-82d4-3bc94a6ce833/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dfa6c38c1b3b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 6bd3aa925fb32ac8df99f9336365bafae2464680f353637c2cc6b64c6bf35b5b

RemcosRAT

exe dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e

(this sample)

Delivery method

Other

Dropped by

SHA256 6bd3aa925fb32ac8df99f9336365bafae2464680f353637c2cc6b64c6bf35b5b

Dropped by

MD5 bac0549ad0174d31cdc9baac2b93817e

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample