MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
SHA3-384 hash: 581069716e083e6d454acfe7196827defe34d115d24fe73133386c21b7959a7f8d30d853b7bf7d6c1172fdfc2151ead1
SHA1 hash: 3684e802d6831d76da44d53cef16939916976b94
MD5 hash: 5051c71e2b1b319a14474b47876403e4
humanhash: snake-quiet-july-berlin
File name:5051c71e2b1b319a14474b47876403e4.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'271'520 bytes
First seen:2022-10-17 14:40:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I
TLSH T1B2B5E8F490BB8492F6479D81293CF9E105B231A3ADCE0D39176AAB04CFEFD543945A4E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321036/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Running batch commands
Launching the process to change network settings
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/634d6981b5f60e72b8c7099c/reports/4fffd057-bd8f-4a1e-bd12-4d3b196cf54d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d428e53-031c-419d-8e13-97a993e70583
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1091984
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 724603 Sample: vTUFDETTGV.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 51 xmr.2miners.com 2->51 53 cdn.discordapp.com 2->53 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 12 other signatures 2->63 8 vTUFDETTGV.exe 3 2->8         started        12 cmd.exe 2->12         started        14 unzip.exe 1 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 49 C:\Users\user\AppData\...\vTUFDETTGV.exe.log, ASCII 8->49 dropped 77 Writes to foreign memory regions 8->77 79 Injects a PE file into a foreign processes 8->79 18 InstallUtil.exe 2 37 8->18         started        23 conhost.exe 12->23         started        25 choice.exe 12->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        31 conhost.exe 16->31         started        33 conhost.exe 16->33         started        signatures6 process7 dnsIp8 55 minecraftrpgserver.com 185.252.178.88, 49726, 49727, 80 LVLT-10753US Germany 18->55 39 C:\Users\user\AppData\...\InstallUtil.exe, PE32 18->39 dropped 41 C:\Users\user\...\time_20221019_015317.dat, data 18->41 dropped 43 C:\Users\user\...\time_20221019_005316.dat, data 18->43 dropped 45 32 other malicious files 18->45 dropped 65 Writes many files with high entropy 18->65 67 Installs a global keyboard hook 18->67 35 InstallUtil.exe 3 18->35         started        file9 signatures10 process11 file12 47 C:\ProgramDatabehaviorgraphoogle\unzip.exe, PE32 35->47 dropped 69 Antivirus detection for dropped file 35->69 71 Multi AV Scanner detection for dropped file 35->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 35->73 75 Machine Learning detection for dropped file 35->75 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 03:10:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=57kccnrtyznusasfqzh6w2jhts63bgw5tnyoelqyygb3wd2hptaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xmrig botnet:220928 miner rat upx
Link:
https://tria.ge/reports/221017-r2fd2sccej/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner payload
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
minecraftrpgserver.com:80
Unpacked files
SH256 hash:
a6acfe617040a5005be0d1675756dc9f09596d3bb2bb3ebc8a2c6881b8c4cfd7
MD5 hash:
db843358b89f4074346cab346720ab06
SHA1 hash:
94d77a5f2d66f20baf557ad30c3ab284665980d9
Link:
https://www.unpac.me/results/0976d5b7-c10b-4781-a958-b7faea3d4d4e/
SH256 hash:
5533ae83a1783618075884febd0d4eb6e3782bfbb47d8d376012ad41091ae703
MD5 hash:
06023dcae77296b3c86fb25e7c6a97ee
SHA1 hash:
776a04bf9bd169590d61137ec10cbee460e4a543
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/0976d5b7-c10b-4781-a958-b7faea3d4d4e/
Parent samples :
de97f8f7c987f236ffc128a0cce9a455f29192596032a0754eb62ec21481bfa8
787c4d531c961df4851c6ad6410cd9aaa4d7de8f40e7a288b95878bb807ef7d8
efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
873d0e41e7f6ea921fb007a0a00426cc119ab68ce5f75d1d84cea08381d00163
SH256 hash:
cae460bc7d0c7791877fecb59bda5c61f1388901adf656edef72198ec2f2940a
MD5 hash:
5f1ea64565f02faa4b0c76a44dfe5baa
SHA1 hash:
184e1871983de84d49544b650e86b5bfa2f5fb27
Link:
https://www.unpac.me/results/0976d5b7-c10b-4781-a958-b7faea3d4d4e/
SH256 hash:
7031a5d8d0a77eeae0563553d85c03a7fa43280c56cf6d176cc8a3ac19dcc96a
MD5 hash:
df83f035b778294f07cbbce2a6195980
SHA1 hash:
17d19553de5462d73b9d062eb7c8db1819059be9
Link:
https://www.unpac.me/results/0976d5b7-c10b-4781-a958-b7faea3d4d4e/
SH256 hash:
efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
MD5 hash:
5051c71e2b1b319a14474b47876403e4
SHA1 hash:
3684e802d6831d76da44d53cef16939916976b94
Link:
https://www.unpac.me/results/0976d5b7-c10b-4781-a958-b7faea3d4d4e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/efd4213633c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2276782/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2276802/
Cape
Cape
https://www.capesandbox.com/analysis/321036/

Comments