MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 16



SHA256 hash: f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4
SHA3-384 hash: a1cc464847eb091103181576a89f50cb97d1208cfd9ab3bb33b4acc79dab1b7ad1ecf9b6a8ca6e7c56e6c66d2b3c8813
SHA1 hash: dc307074db36fefeb99a5c1715b90a1382493d70
MD5 hash: c88d4757ee5c295c3ff996dca43e737a
humanhash: montana-failed-cardinal-moon
File name: c88d4757ee5c295c3ff996dca43e737a
Signature: RemcosRAT
File size: 1'011'200 bytes
First seen: 2023-08-08 07:14:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:x+h7rFnTibJ2tYdG7T+IAmvHfvT2Nxda5vWfco//3HS8meXaI1eIEJJZ3gSeYApt:S6byT+I/vXT2NMWfco//3y8m29MQCyt
Threatray: 2'605 similar samples on MalwareBazaar
TLSH: T1102523339FEC1161E269A3FCA8E601032276D38229EA7F4B44D483754E63F1675D1DAE
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 288
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: c88d4757ee5c295c3ff996dca43e737a
Verdict: Malicious activity
Analysis date: 2023-08-08 07:16:32 UTC
Tags: rat remcos remote keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching a process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1287502, sample CHQTC4muks.exe, start date 08/08/2023, architecture WINDOWS, score 100): graph image not reproduced here. Process chain recoverable from the graph: CHQTC4muks.exe drops C:\Users\user\AppData\Roaming\Ktwrl.exe, writes to foreign memory regions and injects a PE file into MSBuild.exe; MSBuild.exe installs a global keyboard hook, drops C:\ProgramData\remcos\logs.dat and connects to 212.193.30.230 on port 3343 (SPD-NETTR, Russian Federation) and to geoplugin.net (178.237.33.50, port 80, ATOM86-ASATOM86NL, Netherlands); cmd.exe and powershell.exe instances add extensions/paths to the Windows Defender exclusion list; the dropped Ktwrl.exe repeats the injection into MSBuild.exe.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-08-08 07:15:05 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
212.193.30.230:3343
79.110.49.161:3343
Unpacked files

SHA256 hash: 586fb6890cb801df0df51c9f69a52e54445bbbde4ac20155353fdb43faae7504
MD5 hash: f1441f0a36ab4f948a4a1936d6cb374e
SHA1 hash: f1a9b476a0c24143d8cd5897fba395cd18804893
Detections: Remcos win_remcos_auto

SHA256 hash: a0893e5a43047506c5b7797af8070fa76221bce5bfb379a8781bdd4d9705ebda
MD5 hash: d89c18ee88a865fc635821283ec29d8b
SHA1 hash: bbe59e44ad0da79cc03eb19db5b168d365554e98

SHA256 hash: 9953099b5ddeba3b384598e56b35306c83f11fe1f8760586a79343eb0278713a
MD5 hash: 5c7f43fc5e6f121a7980359319c76152
SHA1 hash: 841fb85c89fde3ef37b71b77dace6c40e6850fbf

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4
MD5 hash: c88d4757ee5c295c3ff996dca43e737a
SHA1 hash: dc307074db36fefeb99a5c1715b90a1382493d70
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload
Rule name: REMCOS_RAT_variants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-08-08 07:14:04 UTC

url: hxxp://179.43.175.187/olmx/bank.exe