MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9986aa791f7fdb8d49bad9e9ee267ee9b765841dd4866c11c38128b18a3e49b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9986aa791f7fdb8d49bad9e9ee267ee9b765841dd4866c11c38128b18a3e49b
SHA3-384 hash: a632e3d6dbefeae26317d78885238b756c21d4e525fe5f70b4d7e9b8ae6eb43fed220416f3fafeabaaf1904360a8b9df
SHA1 hash: 93629fc9867b41c01ab06b0025144b28b055737f
MD5 hash: a0ed42bed3ee4a9a2b5b9601d1f3e3ed
humanhash: november-michigan-single-lima
File name:triage_dropped_file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'087'488 bytes
First seen:2022-02-21 15:50:20 UTC
Last seen:2022-02-21 18:19:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:XbHchF/xivexx8h2L7h+74bePGqDHQ7/dWyFaGc9GFs:XbHchlxiWPn7h+7ZxQ7/dWj3UF
Threatray 1'867 similar samples on MalwareBazaar
TLSH T1D535F19C29BB11F8F3268EBE5DDCE6B0CB3CE6256541F8B978C91F424740B8499C2275
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter malwarelabnet
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242992/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44053.27849.864.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed remcos replace.exe
Link:
https://www.filescan.io/uploads/6213b4edac8ad0468b618d79/reports/a7ba41df-d14b-4fef-855d-afcd055718ee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28baf791-c3f1-4604-8c01-d2109820ff38
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943358
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 575836 Sample: triage_dropped_file Startdate: 21/02/2022 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Detected Remcos RAT 2->57 59 7 other signatures 2->59 10 triage_dropped_file.exe 3 2->10         started        14 remcos.exe 2 2->14         started        16 remcos.exe 2 2->16         started        process3 file4 49 C:\Users\user\...\triage_dropped_file.exe.log, ASCII 10->49 dropped 65 Contains functionality to steal Chrome passwords or cookies 10->65 67 Contains functionality to inject code into remote processes 10->67 69 Contains functionality to steal Firefox passwords or cookies 10->69 71 Delayed program exit found 10->71 18 triage_dropped_file.exe 4 5 10->18         started        73 Injects a PE file into a foreign processes 14->73 21 remcos.exe 14->21         started        23 remcos.exe 14->23         started        25 remcos.exe 14->25         started        27 remcos.exe 16->27         started        29 remcos.exe 16->29         started        signatures5 process6 file7 43 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 18->43 dropped 45 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 18->45 dropped 47 C:\Users\user\AppData\Local\...\install.vbs, data 18->47 dropped 31 wscript.exe 1 18->31         started        process8 process9 33 cmd.exe 1 31->33         started        process10 35 remcos.exe 3 33->35         started        38 conhost.exe 33->38         started        signatures11 61 Multi AV Scanner detection for dropped file 35->61 63 Injects a PE file into a foreign processes 35->63 40 remcos.exe 2 1 35->40         started        process12 dnsIp13 51 79.134.225.17, 2050, 49765 FINK-TELECOM-SERVICESCH Switzerland 40->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9986aa791f7fdb8d49bad9e9ee267ee9b765841dd4866c11c38128b18a3e49b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 13:05:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gmgvj4r6763rve3vwpj5yth52nxmwcb3vegnqi4hajiwgfd4snq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60
RemcosRAT
3a7a42d1cb828cdb0f1ea382a8859052b7862414cdb3a5e2d623e922d4d00485
RemcosRAT
65c55c73382e84ea8a229ba4c65ce12c956b3e86916e343ed6e933a10735e9b1
RemcosRAT
7a25e7868a967540a3dc4c8fa89f07444c4b714c4d2f3add235a7f0c33099c57
RemcosRAT
c6d5c5389f6a7d7fadca1c538b5408898454aaf5011910e90549e81fb03c0a1c
RemcosRAT
ed57a7a3f8709be19e7451aa4fb7b7af9586df41f9d63aefc4b30b8b7a5de90a
RemcosRAT
+ 1'857 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220221-tagtxaafc2/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
79.134.225.17:2050
Unpacked files
SH256 hash:
e40f77ceb88d37aa4f28943f29a33ce4da45c70ee9467a636c1185fd2f9c3376
MD5 hash:
6f6410801f28446924435965b669b024
SHA1 hash:
fbd6a635f544cf07c004201be53b376d8cd2a608
Link:
https://www.unpac.me/results/cabab685-cd2b-4840-bd67-ec2e0867a36c/
SH256 hash:
6099e94075f574ff59509e70f8ca4f11af8a50b9e0fbf8dcb25410e545f87dbb
MD5 hash:
e9dcb9bf785fc8547ecd8062885e9fbb
SHA1 hash:
f6486886939959be409bc9ba73f035b895dd4e15
Link:
https://www.unpac.me/results/cabab685-cd2b-4840-bd67-ec2e0867a36c/
SH256 hash:
0131dcb16abf653577ed21f1dad7592e673b8e450ee3b381431e37c37c0036cb
MD5 hash:
10fe693bd7e5f05cabb9d0d26152b6ec
SHA1 hash:
9a775749b0912687788f85289651f10631922a1b
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/cabab685-cd2b-4840-bd67-ec2e0867a36c/
Parent samples :
790bd41c440c93b452252c24c58f359af46ea8c71e59d01bd4f42f6610048217
e9986aa791f7fdb8d49bad9e9ee267ee9b765841dd4866c11c38128b18a3e49b
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/cabab685-cd2b-4840-bd67-ec2e0867a36c/
SH256 hash:
e9986aa791f7fdb8d49bad9e9ee267ee9b765841dd4866c11c38128b18a3e49b
MD5 hash:
a0ed42bed3ee4a9a2b5b9601d1f3e3ed
SHA1 hash:
93629fc9867b41c01ab06b0025144b28b055737f
Link:
https://www.unpac.me/results/cabab685-cd2b-4840-bd67-ec2e0867a36c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9986aa791f7fdb8d49bad9e9ee267ee9b765841dd4866c11c38128b18a3e49b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242992/

Comments