MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c
SHA3-384 hash: 9a4dbc28a9eae2c56cd29c814a78fc399509fcd11d845c69678ba4f7f0c7ff0d254e60b0a85f14ac1d73ea3829f99c8c
SHA1 hash: 50c1dbbe2fddb3a748e985355b85baeb8b56ddf9
MD5 hash: 33a678d775a82846543ef3cde678ff71
humanhash: steak-single-mike-november
File name:IHD.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:996'864 bytes
First seen:2023-01-09 11:53:16 UTC
Last seen:2023-01-09 13:29:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:1z1UXFA4bK+VWo/3NcB2I/xkOTzckMv9v:sFA4b0qKB2I/xkOT6l
Threatray 4'992 similar samples on MalwareBazaar
TLSH T19425124C7528B55FCCA78FB9DC919CA017F02D628716E38F6D8322DE499D79E8B01263
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0e8d49696d4e8f0 (3 x AgentTesla, 2 x RemcosRAT, 1 x Formbook)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SIGNED CONTRACT AND PI.xlsx
Verdict:
Malicious activity
Analysis date:
2023-01-09 08:14:31 UTC
Tags:
exploit cve-2017-11882 loader rat remcos
Link:
https://app.any.run/tasks/ce6ac530-8422-4521-9c3f-e15a96392255

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351080/
Detection(s):
SecuriteInfo.com.Variant.Barys.40973.25366.23069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys evasive packed
Link:
https://www.filescan.io/uploads/63bc005b06f34cc0fa52eb97/reports/294b517e-de5e-499f-847e-874cf80a5156/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/174a3333-8c6b-4803-b12c-3ca9551a6141
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1147933
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780665 Sample: IHD.exe Startdate: 09/01/2023 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 Antivirus detection for dropped file 2->60 62 8 other signatures 2->62 10 IHD.exe 3 2->10         started        14 qqs.exe 2 2->14         started        16 qqs.exe 2 2->16         started        18 qqs.exe 2->18         started        process3 file4 50 C:\Users\user\AppData\Local\...\IHD.exe.log, ASCII 10->50 dropped 72 Injects a PE file into a foreign processes 10->72 20 IHD.exe 5 4 10->20         started        23 IHD.exe 10->23         started        25 qqs.exe 14->25         started        27 qqs.exe 16->27         started        29 qqs.exe 18->29         started        signatures5 process6 file7 44 C:\Users\user\AppData\Roaming\qqs.exe, PE32 20->44 dropped 46 C:\Users\user\...\qqs.exe:Zone.Identifier, ASCII 20->46 dropped 48 C:\Users\user\AppData\Local\Temp\mqzifm.vbs, data 20->48 dropped 31 wscript.exe 1 20->31         started        process8 process9 33 cmd.exe 1 31->33         started        process10 35 qqs.exe 3 33->35         started        38 conhost.exe 33->38         started        signatures11 64 Multi AV Scanner detection for dropped file 35->64 66 Machine Learning detection for dropped file 35->66 68 Injects a PE file into a foreign processes 35->68 40 qqs.exe 2 15 35->40         started        process12 dnsIp13 52 muwkege4.zapto.org 45.81.39.36, 2290, 49702 LVLT-10753US United States 40->52 54 geoplugin.net 178.237.33.50, 49703, 80 ATOM86-ASATOM86NL Netherlands 40->54 70 Installs a global keyboard hook 40->70 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-09 11:54:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yiudgslb4h3g6qmn3eonpmiyuyu5oej6us6z6dv52ulmm4kr4wa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca
RemcosRAT
18a39f6193c69dae7ea38aa9dd25fddabdb651c4276e242d0b585bd13c49c3a9
RemcosRAT
2bff54b9373397bb78dc3dd57f37b85affb564edec73fbb265e9a14d313a2a1d
RemcosRAT
36f48dac4f1cc73c684288dd7113e222e1a4026722ce3c55b378402aabe6361c
RemcosRAT
3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777
RemcosRAT
5f61b50531659487b56d97323a53c7c58445a62fb9f47489cd07b38feb3d4527
RemcosRAT
a2cbf70ab3ebedd2c768816596fade8e94d1dd0d6025001ac59a71860e45b808
RemcosRAT
ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8
RemcosRAT
c98bf80d5e23903e4934015e75f6c036130296519548b6014575207d2d296201
RemcosRAT
+ 4'982 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:waltar-host 2023 persistence rat
Link:
https://tria.ge/reports/230109-n2v8qahe5z/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
muwkege4.zapto.org:2290
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fe9de884-c134-460c-8220-4c4661e54ed3
Unpacked files
SH256 hash:
1c0072bd0c8fbf0e27d145a0ee7e34428936c2ddeba929d3f60e352891e7e0c6
MD5 hash:
b2d0625c46714e40a6a38238659ea9ed
SHA1 hash:
dc43d5d539eab67b7e3109d0e4894e099a1a18f8
Link:
https://www.unpac.me/results/6302a8a6-63b2-4b5c-8fd6-8e593a0ad626/
SH256 hash:
71c5c5c91f57fc1c8a35a5e89a07f459cee5a2797b14291f4d7d241812f1e629
MD5 hash:
79dc2aaf0abce48402efbbf87519af58
SHA1 hash:
da205149f3ddd1f4afa2d08590aedab774a8c4d8
Link:
https://www.unpac.me/results/6302a8a6-63b2-4b5c-8fd6-8e593a0ad626/
SH256 hash:
f1359ebc829d2ad0ba57a4456f4cfcbed6227a7338d311875801f5a84cd99648
MD5 hash:
9cf15648b2237c001d7b6db8bce88a8c
SHA1 hash:
89f629b3d3a8368663f7a6731415eb2b3966b79a
Link:
https://www.unpac.me/results/6302a8a6-63b2-4b5c-8fd6-8e593a0ad626/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/6302a8a6-63b2-4b5c-8fd6-8e593a0ad626/
SH256 hash:
851b803413aebc153c1e5db95fb4e0f8e038c685dc4751e23fb2ed1766d830e1
MD5 hash:
945f70020e9ad4bb6bfe817fcdb8a432
SHA1 hash:
22a57f85a4fc81de674c0f49ee59c7532bfd8014
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6302a8a6-63b2-4b5c-8fd6-8e593a0ad626/
Parent samples :
e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c
12d40f09ff572ec60039c1a9b761f65b414c30831d5024f54e7a1098213a1b45
482e5f0c7a1f79e82e3a8031809178709617e7dd1fceaf8074bcc88d65deb3ff
SH256 hash:
e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c
MD5 hash:
33a678d775a82846543ef3cde678ff71
SHA1 hash:
50c1dbbe2fddb3a748e985355b85baeb8b56ddf9
Link:
https://www.unpac.me/results/6302a8a6-63b2-4b5c-8fd6-8e593a0ad626/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e611419a4b0f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/351080/
  
URLhaus
https://urlhaus.abuse.ch/url/2502222/

Comments