MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcb09c56c09245ba10f231b7d4bfacdb5615ee6e3820f479f0a0d6488759668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: ebcb09c56c09245ba10f231b7d4bfacdb5615ee6e3820f479f0a0d6488759668
SHA3-384 hash: 9816c04f5b87793c1cf2e91c6e45a2759dbdda61d79332dbf9eaee7cb50b77168c440f23e824d8159a7d06e2f3845a35
SHA1 hash: 6d41c1a0e8115c756b56ec3fb91ffd7efe7336e0
MD5 hash: a51f5739a87cbcc07899d659f9da3d4c
humanhash: winner-nebraska-finch-zulu
File name: PROFORMA INVOICE.exe
Signature: RemcosRAT
File size: 807'424 bytes
First seen: 2022-06-20 11:50:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:h2iNmkegCLyhFGg+/RVE9EDVEFo440EV0XfkhelOYCpltaiPkHaeoFu409TKwSm0:h1QrxW59qE24cSOVpf57e409WwSmKS8
Threatray: 2'489 similar samples on MalwareBazaar
TLSH: T18605120476785A22EA3D8BFC88E2601053FCA437A206F7D88FD671CB5C677578B51A27
TrID:
  61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.0% (.SCR) Windows screen saver (13101/52/3)
  8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
194.147.140.160:2404

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 194.147.140.160:2404
ThreatFox Reference: https://threatfox.abuse.ch/ioc/716831/

Intelligence


File Origin
# of uploads: 1
# of downloads: 266
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Remcos, Snake Keylogger
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature:
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Behavior Graph ID: 648745
Sample: PROFORMA INVOICE.exe
Startdate: 20/06/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures

Process tree (as shown in the behavior graph):
PROFORMA INVOICE.exe
  signature: Injects a PE file into a foreign processes
  -> PROFORMA INVOICE.exe
       dropped: C:\Users\user\AppData\Roaming\...\remcos.exe (PE32)
       dropped: C:\Users\user\...\remcos.exe:Zone.Identifier (ASCII)
       dropped: C:\Users\user\AppData\Local\...\install.vbs (data)
       -> wscript.exe
            -> cmd.exe
                 -> conhost.exe
                 -> remcos.exe
                      signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
                      -> remcos.exe
                           network: nebus2022.duckdns.org 194.147.140.160, 2404, 49755, 49756 PTPEU unknown
                           network: geoplugin.net 178.237.33.50, 49762, 80 ATOM86-ASATOM86NL Netherlands
                           dropped: C:\Users\user\AppData\Roaming\...\dwn.exe (PE32)
                           signatures: Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook; Injects a PE file into a foreign processes
                           -> dwn.exe
                                signature: Injects a PE file into a foreign processes
                                -> dwn.exe
                                     network: checkip.dyndns.com 158.101.44.242, 49814, 80 ORACLE-BMC-31898US United States
                                     network: 192.168.2.1 unknown unknown
                                     network: checkip.dyndns.org
                                     -> WerFault.exe
                           -> remcos.exe
                                signature: Tries to harvest and steal browser information (history, passwords, etc)
                           -> remcos.exe
                                signature: Tries to steal Instant Messenger accounts or passwords
                           -> 5 other processes
remcos.exe
  -> remcos.exe
remcos.exe
  -> remcos.exe
Threat name: ByteCode-MSIL.Backdoor.Remcos
Status: Malicious
First seen: 2022-06-20 11:51:13 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 21 of 26 (80.77%)
Threat level: 5/5

Result
Malware family: snakekeylogger
Score: 10/10
Tags: family:remcos family:snakekeylogger botnet:remotehost collection keylogger persistence rat spyware stealer suricata
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Snake Keylogger
Snake Keylogger Payload
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
nebus2022.duckdns.org:2404
https://api.telegram.org/bot5481947115:AAFVbDIKJxBXFE89n6wSClm_vX5NS-8RJqE/sendMessage?chat_id=1673063963
Unpacked files

SHA256 hash: 5e283b55dad10a493f9eb8d87028365f8e2d7a68491b623cb27f6018fdcba190
MD5 hash: a5ac6ab8b2e3a07e0c11a77f400b519a
SHA1 hash: d47be810fb8319a1bbc0b7cdee993d9d3c9c51bf
Detections: win_remcos_auto

SHA256 hash: 6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e
MD5 hash: 7ce2d10bd0f02667bc0e1343d9ffc1c1
SHA1 hash: c3a5b4e5721085022eb7bf0008b7e449f9369fcf

SHA256 hash: 6294c73ce07984710b4086a9b4af7cb494263c4780fd327b0a3ec567bf92ae06
MD5 hash: b348462c542a2954b94e5b2240138b58
SHA1 hash: 3b0aab6fe8bd33e2d97784733c6d6e46aba24089

SHA256 hash: bde3026151bf56b464fc8dd0501c865f3d5808ac9fe7fa5507fddc5a99732fb2
MD5 hash: fe0ccf66fbce2515104df2d4d587e13b
SHA1 hash: 236261f943185c084d1ed948ce9807379f442d50

SHA256 hash: ebcb09c56c09245ba10f231b7d4bfacdb5615ee6e3820f479f0a0d6488759668
MD5 hash: a51f5739a87cbcc07899d659f9da3d4c
SHA1 hash: 6d41c1a0e8115c756b56ec3fb91ffd7efe7336e0

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments