MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d
SHA3-384 hash: b3cb9b4c52471bd176ebe3bc3c52c50510990c4007d79ccd9ae9c86091fecf137991a4bf9747acb1d51f65fdf2ac1384
SHA1 hash: 887aefc38117cc6d9d1deb0db88a80b7161e90dc
MD5 hash: d919f5ee0f41f50d2a1724b469c7d90e
humanhash: nuts-fillet-magazine-king
File name:d919f5ee0f41f50d2a1724b469c7d90e
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:43'520 bytes
First seen:2022-03-16 00:49:00 UTC
Last seen:2022-03-16 02:34:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:dv3+KUQV1pF9orMvRNC+0gkInBHRrfE6RwaO4g6WF8W:ds0pFpy6n56qM
Threatray 1'731 similar samples on MalwareBazaar
TLSH T1CC13E6246FFCDC51E11950B9E663C5FC4868EE06D42EFA33D9E63C2AB27D652241E203
File icon (PE):PE icon
dhash icon c99c3a5c547b96c8 (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
d919f5ee0f41f50d2a1724b469c7d90e
Verdict:
Malicious activity
Analysis date:
2022-03-16 01:01:12 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/31343a6e-187e-4120-9152-be02136a0da0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251131/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.26020.14814.11365.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623134010cd58dbd92a2a210/reports/6e7e480d-77f5-401b-91f9-d9f9946ec3bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bcf99a7-6eed-413c-9a1b-7191b29aeb58
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957581
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 590062 Sample: 1UmLOHXb1R Startdate: 16/03/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 7 other signatures 2->67 7 1UmLOHXb1R.exe 16 7 2->7         started        12 Qirrmthco.exe 14 4 2->12         started        14 Qirrmthco.exe 3 2->14         started        process3 dnsIp4 51 91.243.44.142, 49765, 49778, 49779 SHOCK-1US Russian Federation 7->51 45 C:\Users\user\AppData\...\Qirrmthco.exe, PE32 7->45 dropped 47 C:\Users\...\Qirrmthco.exe:Zone.Identifier, ASCII 7->47 dropped 49 C:\Users\user\AppData\...\1UmLOHXb1R.exe.log, ASCII 7->49 dropped 69 Writes to foreign memory regions 7->69 71 Allocates memory in foreign processes 7->71 73 Injects a PE file into a foreign processes 7->73 16 MSBuild.exe 1 7->16         started        19 cmd.exe 1 7->19         started        75 Multi AV Scanner detection for dropped file 12->75 21 cmd.exe 1 12->21         started        23 MSBuild.exe 12->23         started        25 MSBuild.exe 12->25         started        27 MSBuild.exe 12->27         started        29 cmd.exe 1 14->29         started        31 MSBuild.exe 14->31         started        file5 signatures6 process7 signatures8 53 Contains functionalty to change the wallpaper 16->53 55 Contains functionality to steal Chrome passwords or cookies 16->55 57 Contains functionality to steal Firefox passwords or cookies 16->57 59 Delayed program exit found 16->59 33 conhost.exe 19->33         started        35 timeout.exe 1 19->35         started        37 conhost.exe 21->37         started        39 timeout.exe 1 21->39         started        41 conhost.exe 29->41         started        43 timeout.exe 1 29->43         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 14:17:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 27 (59.26%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5frpisecu36e6uujkvvxwaljwjedr2rcqxhzmg4cir77oh7s3qgq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60
RemcosRAT
1fbca7154111316e9d34ac02beb2377d20ca8426cc83669c89313a4a83358503
RemcosRAT
6862cf51b5546665e90e27a0a188ea8c468097f86b8b5d68fa0521f4cd3a9550
RemcosRAT
7a25e7868a967540a3dc4c8fa89f07444c4b714c4d2f3add235a7f0c33099c57
RemcosRAT
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
RemcosRAT
8865c82943ba3a6479fca40222a730e22e3d1cd279c6c6e0915c5c47f893636a
RemcosRAT
ed57a7a3f8709be19e7451aa4fb7b7af9586df41f9d63aefc4b30b8b7a5de90a
RemcosRAT
+ 1'721 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220316-a6c12sfbhj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d
MD5 hash:
d919f5ee0f41f50d2a1724b469c7d90e
SHA1 hash:
887aefc38117cc6d9d1deb0db88a80b7161e90dc
Link:
https://www.unpac.me/results/0f3c5eca-1f99-4153-adbe-c9223b7022bf/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e962f44882a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e962f44882a6fc4f5289556b7b0169b24838ea2285cf961b82447ff71ff2dc0d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2099213/
Cape
Cape
https://www.capesandbox.com/analysis/251131/

Comments


Avatar
zbet commented on 2022-03-16 00:49:01 UTC

url : hxxp://91.243.44.142/pl-Ukxamliyg.exe