MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d805e701266e0b8b17d850419bdfa89045096e8e1dc7ea0295ff843be281db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

SHA256 hash: e3d805e701266e0b8b17d850419bdfa89045096e8e1dc7ea0295ff843be281db
SHA3-384 hash: 74e7f6a45b029b69a973f1067c2d9efd09f96779046d060e3a11a8b7fa97e97b02699957de8fc6a071dbf07516a33045
SHA1 hash: 867191e0141e28fdd0de49e938c0071e292f4535
MD5 hash: 89aa5a14ebc368e1e7ba35de3c7723c9
humanhash: nine-river-aspen-kansas
File name: SecuriteInfo.com.MSIL.Kryptik.DLB.tr.24012
Signature: RemcosRAT
File size: 863'744 bytes
First seen: 2022-09-21 04:08:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:CSe0L7+eFnluayAc2oNPSecYldagoHTZsG02Fn7:ne0fNnlbjOjcYldagoHNpDh
Threatray 2'208 similar samples on MalwareBazaar
TLSH T100059D2123E94F57F0B6ABF845A0D0B197B5BC16A46BC24E1EC16CCFB465F60CA60727
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter: SecuriteInfoCom
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 241
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: SecuriteInfo.com.MSIL.Kryptik.DLB.tr.24012
Verdict: Malicious activity
Analysis date: 2022-09-21 04:12:20 UTC
Tags: rat remcos trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 75%
Tags: anti-vm packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph: Behavior Graph ID 706783 for sample SecuriteInfo.com.MSIL.Krypt... (start date 21/09/2022, architecture WINDOWS, score 100); the graph rendering itself is not reproduced here.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-09-21 02:20:13 UTC
File Type: PE (.Net Exe)
Extracted files: 25
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:host persistence rat
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 91.192.100.41:8600
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash:
883a54ccd8c0af9a22ef5e853f8198dd5636e14f866e38acb878c44bccecafbe
MD5 hash:
8ae4e8ccedefbdfb9ca1aa0aec5930a9
SHA1 hash:
c95383e65365197a35c1546a09b72856ddaf3d48
Detections:
win_remcos_auto win_remcos_g0
SHA256 hash:
07884ec7948da5359e979afb30f9838513d487a6e852c7b7748330947345f310
MD5 hash:
25a76719a6f43cdc87d266f3ab82f863
SHA1 hash:
2c1c87503e080d084c48bd7b38c77f876cc8c0e9
SHA256 hash:
0382f29641df9262ce1104c5bd4a5e0e3aa749b481991178500b798558c92691
MD5 hash:
591788ea3d32b9015b5a2aa517e77a73
SHA1 hash:
160938785cc2c45f4bb0df417d003ba625c39511
SHA256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
SHA256 hash:
0618500ba9a732fee6e7a3550d4d018c66493389812d098629c80f946fc7d4c5
MD5 hash:
20476c1f25cb12d76096b0c173d5e996
SHA1 hash:
2feffa65a79b79cfe31504f454c8e0d3c87176b3
SHA256 hash:
e3d805e701266e0b8b17d850419bdfa89045096e8e1dc7ea0295ff843be281db
MD5 hash:
89aa5a14ebc368e1e7ba35de3c7723c9
SHA1 hash:
867191e0141e28fdd0de49e938c0071e292f4535
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments