MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163
SHA3-384 hash:	a94bbc341214ff3c42b881b433ab3cd215686f5a096a9613046fd3b4a4ad7437095a96f5f20d99c77d054af332f205bd
SHA1 hash:	bbcb9dd47a9c73f6f4b817ee8df71c3ca974a639
MD5 hash:	d22b316ddfa73bb390e9fc4bafc936e1
humanhash:	quebec-vermont-king-undress
File name:	SecuriteInfo.com.W32.AIDetectNet.01.4434.10282
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	628'736 bytes
First seen:	2022-08-22 13:35:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:1d1zVfuIgZOQI+cidivbaNHez74fYJy1MO:zSdZVLHNHeH4YJa
Threatray	2'406 similar samples on MalwareBazaar
TLSH	T132D4D08E26A74406DE7A42B5D4F617881A38FC263B21EECFE883714A0D717FD4129B57
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	43131a5a59659989 (2 x RemcosRAT, 1 x AgentTesla, 1 x DarkCloud)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.4434.10282

Verdict:

Malicious activity

Analysis date:

2022-08-22 13:38:03 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/54d61cd0-2acb-43be-841a-5d7d47053764

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300230/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.4434.10282.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/630386873cbb13868a702d3d/reports/522db4bb-b96e-4a08-ae7f-2e51c2e30473/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a598c85c-1077-446d-ba3d-a0e25cc7793f

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1055546

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Remcos RAT

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-08-22 13:36:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ehvxogmrc6vclkq5zw25nhy6bfl46aqvwnct4ex2ehcjlceafrq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1ecbe12894a4e76f7b609f70718c1175906a8f975d12311bfe0bf3ef26864205

RemcosRAT

479e9ffe2e1f53da21b1cd438c9b88e04a3f0d6f09f4a1c4a50d859a11940356

RemcosRAT

77ec85f10b4bd4847f5db6c938547d78c35417c0a5503f1a7bdd4a2594964c95

RemcosRAT

97c419445239463daaf12bb767b95cb44c43d4ae6d3320e24e2caa8a910ab2db

RemcosRAT

ba180ae6674d9daa2cbd08847130b5c39e82249838b3d7da09b3b2f67be526dc

RemcosRAT

c8a52cd96047db62def2fc5fa5b631751d4444388918a42bbb8dcd0ba3e025ed

RemcosRAT

d7263b192acf5496e734271cb964a6940c7269d14c9cd35cce95623991a20bc4

RemcosRAT

f3009e5a76bdb5e0401e6e0ffc904cc39085d8d4d7ccf419e9f9608fb913755d

RemcosRAT

f30fd3eac2f68db757aa698a3438c007c52e7959a92d16015289621e5c538d4f

RemcosRAT

+ 2'396 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:ghosthot rat

Link:

https://tria.ge/reports/220822-qv8xcagchq/

Behaviour

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

lionsguard.ddns.net:5074

Unpacked files

SH256 hash:

fd7ec2c2b29fbc01780a188a5cdc9ff933f9bf5aaac5e493a78ebe8cff323671

MD5 hash:

96d26000145394e3ee4ae1aaaea2c41c

SHA1 hash:

8ab95e09f3048a7b0be6748ad5e09ac9ead58a66

Detections:

win_remcos_g0

win_remcos_auto

Link:

https://www.unpac.me/results/5ca17647-eff0-4da3-8f09-1e8b4b60f33c/

Parent samples :

f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163
18493650ce095ff8474ee20874160906b185069fd52877fc046d220dc79908db

SH256 hash:

46e8eac57230a8d93c58e3b21f359588b220139bb555810968ff946396234db1

MD5 hash:

5dd8627825df76d4d017d90457b84621

SHA1 hash:

4897138a3811c3cb7cd81920ea07e8db3529a2e2

Link:

https://www.unpac.me/results/5ca17647-eff0-4da3-8f09-1e8b4b60f33c/

SH256 hash:

ceda93fdfce3ad8e4f800d4f2d940d793b68b4b0b254b652bf42e13dbd189ba7

MD5 hash:

786afe844ec1723b635cace747b60efd

SHA1 hash:

fa647a584a7fcad392147a182e3a2435b3ad5bb9

Link:

https://www.unpac.me/results/5ca17647-eff0-4da3-8f09-1e8b4b60f33c/

SH256 hash:

db3db349e5525445592066301bd31d0790e944fbf029d7211d4b108d88837da7

MD5 hash:

9921b93464ef6dc74ee41ae516b5afdf

SHA1 hash:

a24cde72ab7d9238baa3d42590ce05a644ecea38

Link:

https://www.unpac.me/results/5ca17647-eff0-4da3-8f09-1e8b4b60f33c/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/5ca17647-eff0-4da3-8f09-1e8b4b60f33c/

SH256 hash:

f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163

MD5 hash:

d22b316ddfa73bb390e9fc4bafc936e1

SHA1 hash:

bbcb9dd47a9c73f6f4b817ee8df71c3ca974a639

Link:

https://www.unpac.me/results/5ca17647-eff0-4da3-8f09-1e8b4b60f33c/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f10f5bb8cc88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f10f5bb8cc88bd512d50ee6daeb4f8f04abe7810ad9a29f097d10e24ac440163

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/300230/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample