MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77
SHA3-384 hash: f05317d33882d56a9b2bf07d623f906be6e4d2072b31d7a5ab80fe45286eb5c15f22eed902ce350793dffebc440e1a4e
SHA1 hash: c415d79c8fa2e48d46baa2947ca52bf0510abd20
MD5 hash: b808a552e43325ef50d55a8e103f5627
humanhash: summer-crazy-alanine-idaho
File name:b808a552e43325ef50d55a8e103f5627
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:740'344 bytes
First seen:2022-07-19 16:33:36 UTC
Last seen:2022-07-19 19:43:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 3072:WahKyd2n31pjGruJ+R3FT+gb9qoQN8kKpKZ/:WahO0uJG36OkKpK5
Threatray 3'330 similar samples on MalwareBazaar
TLSH T167F47CD47B519067CE175C718E2BE3E92A68FC90AE3831573A74FB2F163E9E21C16205
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 39f0f0d2cee8f870 (1 x RemcosRAT, 1 x LummaStealer)
Reporter zbetcheckin
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291939/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.50658875.1465.12828.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26758/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll overlay packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62d6ddb08fbcdde3605d9518/reports/78275be4-2add-4406-a30d-e6ffcfd3b56d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e3801fc0-3289-43a8-8f14-3afff1a6b9ec
Result
Threat name:
Remcos, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036676
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Delayed program exit found
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Remcos RAT
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 669170 Sample: NZ6REqDv6K Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 89 toornavigator.sytes.net 2->89 113 Snort IDS alert for network traffic 2->113 115 Multi AV Scanner detection for domain / URL 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 13 other signatures 2->119 12 NZ6REqDv6K.exe 1 3 2->12         started        16 fiubigw 2->16         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 85 C:\Users\user\AppData\Local\...\soft_1_2.exe, PE32 12->85 dropped 163 Creates multiple autostart registry keys 12->163 20 soft_1_2.exe 16 7 12->20         started        165 Antivirus detection for dropped file 16->165 167 Machine Learning detection for dropped file 16->167 169 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->169 171 3 other signatures 16->171 signatures6 process7 dnsIp8 91 cdn.discordapp.com 162.159.129.233, 443, 49751, 49778 CLOUDFLARENETUS United States 20->91 93 4hmn.short.gy 18.184.197.212, 443, 49750, 49777 AMAZON-02US United States 20->93 81 C:\Users\user\AppData\...ditPadLite.exe, PE32 20->81 dropped 83 C:\Users\...\Algqyrerirayhleditpadlib.exe, PE32 20->83 dropped 129 Antivirus detection for dropped file 20->129 131 Encrypted powershell cmdline option found 20->131 133 Creates multiple autostart registry keys 20->133 135 3 other signatures 20->135 25 Algqyrerirayhleditpadlib.exe 20->25         started        28 InstallUtil.exe 5 17 20->28         started        31 powershell.exe 15 20->31         started        file9 signatures10 process11 dnsIp12 137 Antivirus detection for dropped file 25->137 139 Multi AV Scanner detection for dropped file 25->139 141 Machine Learning detection for dropped file 25->141 151 4 other signatures 25->151 33 explorer.exe 2 4 25->33 injected 95 toornavigator.sytes.net 79.134.225.10, 47582, 49769, 49776 FINK-TELECOM-SERVICESCH Switzerland 28->95 97 geoplugin.net 178.237.33.50, 49770, 80 ATOM86-ASATOM86NL Netherlands 28->97 143 Contains functionality to steal Chrome passwords or cookies 28->143 145 Contains functionality to inject code into remote processes 28->145 147 Contains functionality to steal Firefox passwords or cookies 28->147 149 Delayed program exit found 28->149 38 wscript.exe 28->38         started        40 wscript.exe 28->40         started        42 wscript.exe 28->42         started        44 conhost.exe 31->44         started        signatures13 process14 dnsIp15 87 ghahantellorb.com 94.140.114.84, 49785, 49787, 80 NANO-ASLV Latvia 33->87 75 C:\Users\user\AppData\Roaming\fiubigw, PE32 33->75 dropped 77 C:\Users\user\AppData\Local\Temp\CCB5.exe, PE32+ 33->77 dropped 121 Benign windows process drops PE files 33->121 123 Injects code into the Windows Explorer (explorer.exe) 33->123 125 Writes to foreign memory regions 33->125 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->127 46 EditPadLite.exe 14 5 33->46         started        50 explorer.exe 33->50         started        52 CCB5.exe 33->52         started        55 2 other processes 33->55 file16 signatures17 process18 dnsIp19 101 192.168.2.1 unknown unknown 46->101 103 cdn.discordapp.com 46->103 105 4hmn.short.gy 46->105 173 Antivirus detection for dropped file 46->173 175 Encrypted powershell cmdline option found 46->175 177 Injects a PE file into a foreign processes 46->177 57 Algqyrerirayhleditpadlib.exe 46->57         started        60 EditPadLite.exe 46->60         started        63 powershell.exe 46->63         started        107 ghahantellorb.com 50->107 179 System process connects to network (likely due to code injection or exploit) 50->179 181 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 50->181 183 Tries to steal Mail credentials (via file / registry access) 50->183 185 Tries to harvest and steal browser information (history, passwords, etc) 50->185 79 C:\Users\user\AppData\Local\...\Setup_ovl.exe, PE32+ 52->79 dropped 65 Setup_ovl.exe 52->65         started        109 cdn.discordapp.com 55->109 111 4hmn.short.gy 55->111 67 powershell.exe 55->67         started        69 EditPadLite.exe 55->69         started        file20 signatures21 process22 dnsIp23 153 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 57->153 155 Maps a DLL or memory area into another process 57->155 157 Checks if the current machine is a virtual machine (disk enumeration) 57->157 159 Creates a thread in another existing process (thread injection) 57->159 99 toornavigator.sytes.net 60->99 71 conhost.exe 63->71         started        161 Antivirus detection for dropped file 65->161 73 conhost.exe 67->73         started        signatures24 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-07-18 14:37:02 UTC
AV detection:
15 of 40 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=55pbdeknybmtgj5rnfwwkzuoglmo6j4dcd5wse5hjjkptexpfn3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74
RemcosRAT
5482c9775362ce202cf44b082ce747f7e69f522a903ccc031c975cc714c82a8c
RemcosRAT
6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
RemcosRAT
7725afd42bf7d167afb294be1018d93327a4caa3fccbe2758a6a00d35e60ad58
RemcosRAT
8342c94ddfd4cca232e9d1cd5faed48fdce02a694b062606b938401b502a0c30
RemcosRAT
888459235942199e1cbe86db506800b9f4c43c7f6c44a659ed2de269ce0644a4
RemcosRAT
9a6542e7da5c82465fd053f020d82161a8995c3353b58ac9b3e085d70d9ecf8d
RemcosRAT
+ 3'320 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220719-t23wfsfdc5/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
toornavigator.sytes.net:47582
Unpacked files
SH256 hash:
ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77
MD5 hash:
b808a552e43325ef50d55a8e103f5627
SHA1 hash:
c415d79c8fa2e48d46baa2947ca52bf0510abd20
Link:
https://www.unpac.me/results/9d24a6a0-bba1-40ea-81ea-83f9b95bfc65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259004/
Cape
Cape
https://www.capesandbox.com/analysis/291939/

Comments


Avatar
zbet commented on 2022-07-19 16:33:41 UTC

url : hxxp://179.43.175.187/yjqf/package.exe