MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb
SHA3-384 hash: ad1f49e8fa87302a5cfb115bd800b90ed83c59cc6c8cd72955f0ca950aeadea50778cc22b4b54efb11284d9490b8ff04
SHA1 hash: 7c707c2f0600729e9954d3f2ed102643cfeb108a
MD5 hash: e312632ef9548565eabc682af0fbc369
humanhash: sad-glucose-seven-venus
File name:PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:722'152 bytes
First seen:2021-08-06 07:07:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a09d64195bff556eb90ba4781b170ac7 (4 x RemcosRAT, 2 x Formbook)
ssdeep 12288:TlyPhGe3nf8jHmf/3AwhgFn33DdzQwcApa56Q0uGPWNfXA+:TAPbaHLwh2nBZ6ouTA+
Threatray 571 similar samples on MalwareBazaar
TLSH T11AE48D61F3614873C2627A3CDD4B53ADA826BE412D2473466FF93C489FB9341392A19F
dhash icon 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter JAMESWT_WT
Tags:exe express-gus52.duckdns.org philandro Software GmbH RemcosRAT signed

Code Signing Certificate

Organisation:philandro Software GmbH
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2018-10-24T00:00:00Z
Valid to:2022-01-05T12:00:00Z
Serial number: 03e9eb4dff67d4f9a554a422d5ed86f3
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7cf9ec56f8db42db83d8c7693e86093e983aa70957a7f7f2508b940758b4e842
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 07:09:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/912c14a4-4410-433c-8506-30a836306aac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176919/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.19282.1328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12ef226e-b29d-4c8e-9c8b-3fbc9f54f787
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828129
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460558 Sample: PI#443536_Clvginpxlcltmugbb... Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 7 PI#443536_Clvginpxlcltmugbbdjzhthnvqtewvwkrs_Signed_.exe 1 19 2->7         started        12 Clvginp.exe 13 2->12         started        14 Clvginp.exe 14 2->14         started        process3 dnsIp4 37 cdn.discordapp.com 162.159.129.233, 443, 49710, 49712 CLOUDFLARENETUS United States 7->37 33 C:\Users\Public\Libraries\...\Clvginp.exe, PE32 7->33 dropped 63 Writes to foreign memory regions 7->63 65 Creates a thread in another existing process (thread injection) 7->65 67 Injects a PE file into a foreign processes 7->67 16 ieinstal.exe 2 7->16         started        69 Machine Learning detection for dropped file 12->69 20 logagent.exe 12->20         started        22 logagent.exe 14->22         started        file5 signatures6 process7 dnsIp8 35 185.157.162.100, 49151, 49717, 49718 OBE-EUROPEObenetworkEuropeSE Sweden 16->35 39 Injects a PE file into a foreign processes 16->39 24 ieinstal.exe 1 16->24         started        27 ieinstal.exe 13 16->27         started        29 ieinstal.exe 1 16->29         started        31 3 other processes 16->31 41 Contains functionalty to change the wallpaper 20->41 43 Contains functionality to steal Chrome passwords or cookies 20->43 45 Contains functionality to steal Firefox passwords or cookies 20->45 47 Delayed program exit found 20->47 signatures9 process10 signatures11 57 Tries to steal Instant Messenger accounts or passwords 24->57 59 Tries to steal Mail credentials (via file access) 24->59 61 Tries to harvest and steal browser information (history, passwords, etc) 27->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 07:07:05 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gbk4xvd47mlsi3sa5sefpips2sxfwluuitfyye2btc6jnhkzhfq._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
RemcosRAT
38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c
RemcosRAT
43749e8d0c848f2143447b979748f3605e7773abe0550da6ec111473003247c3
RemcosRAT
46a376d25369d059b1c149d8fb4821aa3ddb504bb381a02f3d5e4e019a41ed4d
RemcosRAT
4c0c348d5fe6d35084087f5df83a5d5f15aa75a30b1dc37204f701383a7685eb
RemcosRAT
b3d6d97ed4c74d16ab89046ee019d874b8cc1a8ca257e132b3d2cbd146a48545
RemcosRAT
dce7bd6ffb24e1022633df291493bc759eda61266bc34c9753ab7912c31b7e96
RemcosRAT
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
RemcosRAT
+ 561 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:auggg persistence rat suricata trojan
Link:
https://tria.ge/reports/210806-fjmx5nj7zj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
185.157.162.100:49151
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/72b247eb-3171-4325-935b-5737a5bb8417/
SH256 hash:
e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb
MD5 hash:
e312632ef9548565eabc682af0fbc369
SHA1 hash:
7c707c2f0600729e9954d3f2ed102643cfeb108a
Link:
https://www.unpac.me/results/72b247eb-3171-4325-935b-5737a5bb8417/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e982ae5ea3e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e982ae5ea3e7d8b92372076442bd0f96a572d974a2265c609a0cc5e4b4eac9cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176919/

Comments