MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e21e8c522a9966a51d1059cac3735a68a08803182e7ce78e857d28c0d3424f1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e21e8c522a9966a51d1059cac3735a68a08803182e7ce78e857d28c0d3424f1f
SHA3-384 hash: 4ac860c31716530fad90ee914e6269d41e2551250ad25bc7bf0c851c62adf0edac10b4139f0cc9510de441f0d587274a
SHA1 hash: d094ce35595c668e5349a20ad6150a349cf537f1
MD5 hash: e40726b44abd64042271651ca1caac11
humanhash: gee-burger-arizona-speaker
File name:e40726b44abd64042271651ca1caac11.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:451'311 bytes
First seen:2021-10-13 09:34:08 UTC
Last seen:2021-10-13 11:24:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:Ce+ZNqq/S2usLuZ4ozt7ANZ6bT/jDK6Kl8ENuVjkc:JQNqqKsaZVCPWT7+cEN1c
Threatray 742 similar samples on MalwareBazaar
TLSH T1ACA4231AB7C0B8A7C5A660F35CBD3B6A7932D908401E971A0324BD37E9365D7FC1C692
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e40726b44abd64042271651ca1caac11.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 11:13:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f53dc144-dc12-46cd-9b93-813bbf6a60a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197152/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37779838.14274.16862.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6166a84a1c2d58ba7404831d/reports/9749d534-a966-41d0-91cc-9a6c3b592704/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08d33390-2e6f-45ea-9fb3-3d6a358c43c9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/869511
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501940 Sample: E5onSB0pfg.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 9 other signatures 2->59 10 E5onSB0pfg.exe 17 2->10         started        14 Dlls.exe 16 2->14         started        process3 file4 43 C:\Users\user\AppData\Local\...\vkbstj.dll, PE32 10->43 dropped 65 Contains functionalty to change the wallpaper 10->65 67 Contains functionality to steal Chrome passwords or cookies 10->67 69 Contains functionality to inject code into remote processes 10->69 73 2 other signatures 10->73 16 E5onSB0pfg.exe 6 5 10->16         started        45 C:\Users\user\AppData\Local\...\vkbstj.dll, PE32 14->45 dropped 71 Injects a PE file into a foreign processes 14->71 20 Dlls.exe 14->20         started        signatures5 process6 file7 37 C:\Users\user\AppData\Roaming\...\Dlls.exe, PE32 16->37 dropped 39 C:\Users\user\...\Dlls.exe:Zone.Identifier, ASCII 16->39 dropped 41 C:\Users\user\AppData\Local\...\install.vbs, data 16->41 dropped 51 Creates an undocumented autostart registry key 16->51 22 wscript.exe 1 16->22         started        signatures8 process9 signatures10 63 Deletes itself after installation 22->63 25 cmd.exe 1 22->25         started        process11 process12 27 Dlls.exe 16 25->27         started        31 conhost.exe 25->31         started        file13 47 C:\Users\user\AppData\Local\...\vkbstj.dll, PE32 27->47 dropped 75 Multi AV Scanner detection for dropped file 27->75 77 Contains functionalty to change the wallpaper 27->77 79 Machine Learning detection for dropped file 27->79 81 4 other signatures 27->81 33 Dlls.exe 2 3 27->33         started        signatures14 process15 dnsIp16 49 Venonletmonitprradministratioran.loseyourip.com 8.6.8.23, 24091, 49754 AS-CHOOPAUS United States 33->49 61 Installs a global keyboard hook 33->61 signatures17
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e21e8c522a9966a51d1059cac3735a68a08803182e7ce78e857d28c0d3424f1f/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 01:24:56 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ipiyurktftkkhiqlhfmg422ncqiqayyfz6opdufpuumbu2cj4pq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0bb25dccd5ee69b35f2c03c04b50ec23573929d193739becb1c623d32db64e4a
RemcosRAT
1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
RemcosRAT
1c49b4e3b554aeac842b8dc4daf0c5cf24015f96b68e935ddb4adb168b35a696
RemcosRAT
502f18997fa73c5af97c3f8f3cd7a8a12d7d648642bd238b4eb15c0457e879a1
RemcosRAT
5d94b24f251b4fd9b9a59a3d60b86512528add9c95a880d8e32e76b1f54b8eea
RemcosRAT
5e1473cb44990bf7a1d8da8ad410642430bc6c5663859bc4e4c738e22b3cc71e
RemcosRAT
75d92595eacd434de03308b953df7cb12ae082d15093378a9d66814a41c92622
RemcosRAT
b3e18d1026779e01b6bc834a8da488eeb669e5e366ef8d495c109c0f1424d3c1
RemcosRAT
b9c5a6059ee5150b5837e446196c4349571d80336b438056f687d7044cd246b9
RemcosRAT
d23f3b04b3aabbd4c086e042b29103658b44f34f7fc1ce0181fec75cdfbc4737
RemcosRAT
+ 732 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:netgeneration persistence rat
Link:
https://tria.ge/reports/211013-lkehjadhc6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Adds Run key to start application
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
Venonletmonitprradministratioran.loseyourip.com:24091
Unpacked files
SH256 hash:
e21e8c522a9966a51d1059cac3735a68a08803182e7ce78e857d28c0d3424f1f
MD5 hash:
e40726b44abd64042271651ca1caac11
SHA1 hash:
d094ce35595c668e5349a20ad6150a349cf537f1
Link:
https://www.unpac.me/results/feff22b8-4667-4633-9591-54f820ac71a5/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e21e8c522a99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e21e8c522a9966a51d1059cac3735a68a08803182e7ce78e857d28c0d3424f1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e21e8c522a9966a51d1059cac3735a68a08803182e7ce78e857d28c0d3424f1f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1671327/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197152/

Comments