MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601
SHA3-384 hash: 2bccd01da5b5a2a8812b621ef25c35aaf0b8806c8ad30699b882d3f0a6977eaba001f1addf9d2d2afd48536cc36fa611
SHA1 hash: 9d34de87198a3946da2eb170532cbb9425d4123d
MD5 hash: fb57ce37f0732b49974c0225ad342538
humanhash: paris-bulldog-autumn-fruit
File name:fb57ce37f0732b49974c0225ad342538.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:895'488 bytes
First seen:2022-08-29 10:24:39 UTC
Last seen:2022-08-29 10:58:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:W4wM4O8KpmTOGXZDNSQfPfmGOS7Z5w7QeCrQib/RzTOp8og:WY/ERpZjuOZ5war3tOy
Threatray 1'880 similar samples on MalwareBazaar
TLSH T156151297F1448EA3CBE90AB9CC50E0F18774BABCE7B3DA793D16709D39B074A4124256
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6670596f4f4e0d0a (34 x Loki, 25 x AgentTesla, 21 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fb57ce37f0732b49974c0225ad342538.exe
Verdict:
Malicious activity
Analysis date:
2022-08-29 10:29:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6077bd44-1773-4d1d-af1e-acd46ec541b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/302185/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.30916.26309.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/630c945d9d41b90af2bd114e/reports/bcadf52f-05e6-4df8-963f-238edc569888/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d97112cf-a1d4-4cc4-898f-562dd093b6e2
Result
Threat name:
PrivateLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059795
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 692312 Sample: YCmXYJUxF3.exe Startdate: 29/08/2022 Architecture: WINDOWS Score: 100 67 mdec.nelreports.net 2->67 69 part-0032.t-0009.t-msedge.net 2->69 71 3 other IPs or domains 2->71 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 8 other signatures 2->87 10 YCmXYJUxF3.exe 3 2->10         started        14 rem.exe 2 2->14         started        16 rem.exe 3 2->16         started        signatures3 process4 file5 59 C:\Users\user\AppData\...\YCmXYJUxF3.exe.log, ASCII 10->59 dropped 99 Injects a PE file into a foreign processes 10->99 18 YCmXYJUxF3.exe 6 5 10->18         started        101 Drops executables to the windows directory (C:\Windows) and starts them 14->101 22 rem.exe 2 24 14->22         started        103 Multi AV Scanner detection for dropped file 16->103 105 Machine Learning detection for dropped file 16->105 25 rem.exe 2 1 16->25         started        signatures6 process7 dnsIp8 53 C:\Windows\SysWOW64\rem\rem.exe, PE32 18->53 dropped 55 C:\Windows\...\rem.exe:Zone.Identifier, ASCII 18->55 dropped 57 C:\Users\user\AppData\Local\...\install.vbs, data 18->57 dropped 89 Creates an undocumented autostart registry key 18->89 91 Creates an autostart registry key pointing to binary in C:\Windows 18->91 27 wscript.exe 18->27         started        77 45.138.172.94, 2404, 49740 COMBAHTONcombahtonGmbHDE Germany 22->77 79 geoplugin.net 178.237.33.50, 49764, 80 ATOM86-ASATOM86NL Netherlands 22->79 93 Writes to foreign memory regions 22->93 95 Maps a DLL or memory area into another process 22->95 97 Installs a global keyboard hook 22->97 29 svchost.exe 12 22->29         started        31 svchost.exe 22->31         started        33 MpCmdRun.exe 22->33         started        35 iexplore.exe 25->35         started        file9 signatures10 process11 process12 37 chrome.exe 29->37         started        40 chrome.exe 29->40         started        42 chrome.exe 31->42         started        44 chrome.exe 31->44         started        46 conhost.exe 33->46         started        dnsIp13 73 192.168.2.1 unknown unknown 37->73 75 239.255.255.250 unknown Reserved 37->75 48 chrome.exe 37->48         started        51 chrome.exe 40->51         started        process14 dnsIp15 61 part-0032.t-0009.fbs1-t-msedge.net 13.107.219.60, 443, 49779, 49780 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->61 63 accounts.google.com 142.250.185.237, 443, 49769 GOOGLEUS United States 48->63 65 8 other IPs or domains 48->65
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 10:25:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xlw6q4yzwjxyueneknijavn2vgc5shp5bfgranpsc55idmlqyaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
146e9314dabcad733e15ab5e796c53fda2be2b34ea00a0bc03efda9ea674202f
RemcosRAT
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
21717cdfec5b3e14e7493537a9ca67045929faa591dc041350bc29070ca65681
RemcosRAT
4f95967b9b1f5532cb570bb1f762328d07ea16c20b6fcf1c4cfde82d06906630
RemcosRAT
5d6eba999783a02b983236280eb56702dcd5b7df5d8320b5d13209aee3141d8d
RemcosRAT
79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2
RemcosRAT
808b1f23a0d9457d31d5abd083b2b81cc68b0a0d3a87e59e9e6d56d773dbde39
RemcosRAT
b6838c7c0ee74c331e1c7ef8e0fa34bad89943e607b927ff4d0ddd0415758670
RemcosRAT
bf7212910de7bff455c3b3fe4b3a1a05059fe0da0c29e69b3aef492fe2a66fc0
RemcosRAT
eac4853e6f2cae0238a578afa9818773a8a1e33f092180b005a6329fdd2209dd
RemcosRAT
+ 1'870 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:rem-file brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/220829-mfyw2sfgak/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
45.138.172.94:2404
Unpacked files
SH256 hash:
c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e
MD5 hash:
966c65a2893f62df72494272d810448f
SHA1 hash:
de82f765123b6ed954996603b663e9bac36acfb6
Link:
https://www.unpac.me/results/152f9d5c-d499-4166-95d9-68bc4294445c/
SH256 hash:
2a1bd4f68c3c1f8c7f6f7966b572a48e5fcdf3d19767461a08f2be7efeab1450
MD5 hash:
f313244625565dbfba6ebf01d31ceae3
SHA1 hash:
c01b1d9fb5dc7800aa3d1852bbbd5ce9c9e1f5d9
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/152f9d5c-d499-4166-95d9-68bc4294445c/
SH256 hash:
a92541a00869ff2513c77d43c3c774cefe0e704629c9acb58992ac86b5b276c8
MD5 hash:
cc6bdb4123bd2f51b0556210b5ebf576
SHA1 hash:
b3ddaaa04ce90c29565953105c05bb67695f62d2
Link:
https://www.unpac.me/results/152f9d5c-d499-4166-95d9-68bc4294445c/
SH256 hash:
b4c99eecb0f7fa1d2ce9ade8be97efca9c80c25ff8dd0be6c3630e5e10c812ac
MD5 hash:
de4ee69638f5855fdd6572def9d50345
SHA1 hash:
5f6bf6c9cecc283bde4e0a474595d77ad7a91beb
Link:
https://www.unpac.me/results/152f9d5c-d499-4166-95d9-68bc4294445c/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/152f9d5c-d499-4166-95d9-68bc4294445c/
SH256 hash:
edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601
MD5 hash:
fb57ce37f0732b49974c0225ad342538
SHA1 hash:
9d34de87198a3946da2eb170532cbb9425d4123d
Link:
https://www.unpac.me/results/152f9d5c-d499-4166-95d9-68bc4294445c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/302185/
  
URLhaus
https://urlhaus.abuse.ch/url/2264749/
  
Delivery method
Distributed via web download

Comments