MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24
SHA3-384 hash: 8d7358c29ac9f9fbd173516601d24081e6712d47d9dc993a94f1dc28bec0533e916d68d15a96a37c860ff0f0c75a3318
SHA1 hash: e89224a9007e970775765d10531b0b4745d89bd8
MD5 hash: 2552ee4ef6ff571f4791942deca0d55f
humanhash: glucose-louisiana-cold-potato
File name:2552ee4ef6ff571f4791942deca0d55f
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'222'656 bytes
First seen:2022-11-26 17:02:39 UTC
Last seen:2022-11-26 18:29:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:ucCsMgnxZWnVxBTiaXrfoSs9IqoUF5arrK5fJKt0EDxobyoOZ:ucRxZWVxBDTvsRoUF5jfJ3DhO
Threatray 2'273 similar samples on MalwareBazaar
TLSH T17345333792603A38DC1F4A7ABF9E7A348D2DB887D1A57249303C27986B1EC7127421DC
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
6ef647cfe131f11e48e3acfd2b52595d.exe
Verdict:
Malicious activity
Analysis date:
2022-11-26 16:21:56 UTC
Tags:
trojan raccoon recordbreaker loader stealer rat azorult remcos
Link:
https://app.any.run/tasks/c4dac2f3-dde8-464e-b444-a50f519f8cbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/338824/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.12283.8288.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Setting a keyboard event handler
DNS request
Launching a process
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi obfuscated packed
Link:
https://www.filescan.io/uploads/638246c9559d07a06f479cb5/reports/f725c63d-0c98-468f-a011-e30cc8c36264/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/141f5e53-fa74-4502-8bae-57c93cd28c95
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121653
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 754370 Sample: v37AZES2hM.exe Startdate: 26/11/2022 Architecture: WINDOWS Score: 100 42 tuekisaa.ac.ug 2->42 44 parthaha.ac.ug 2->44 46 2 other IPs or domains 2->46 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 8 other signatures 2->58 8 v37AZES2hM.exe 1 7 2->8         started        12 Rnjeh.exe 3 2->12         started        14 Rnjeh.exe 2 2->14         started        signatures3 process4 file5 30 C:\Users\user\AppData\Roaming\...\Rnjeh.exe, PE32 8->30 dropped 32 C:\Users\user\...\Rnjeh.exe:Zone.Identifier, ASCII 8->32 dropped 34 C:\Users\user\AppData\...\v37AZES2hM.exe.log, ASCII 8->34 dropped 60 Injects a PE file into a foreign processes 8->60 16 v37AZES2hM.exe 2 3 8->16         started        20 cmd.exe 1 8->20         started        62 Antivirus detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 22 Rnjeh.exe 12->22         started        24 Rnjeh.exe 14->24         started        signatures6 process7 dnsIp8 36 nikahuve.ac.ug 185.157.162.167, 65214 OBE-EUROPEObenetworkEuropeSE Sweden 16->36 38 tuekisaa.ac.ug 16->38 40 2 other IPs or domains 16->40 48 Installs a global keyboard hook 16->48 50 Encrypted powershell cmdline option found 20->50 26 powershell.exe 17 20->26         started        28 conhost.exe 20->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 17:03:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jsdwrugwwobbxl6kgueql2vcxyvvnd6xanw3btuwe24p2rgnusa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1c4c51643818307480c2436301dab98c4794812abb3e94df7b133450411b66e1
RemcosRAT
37bee18c2bfa75be343118be994d0c0fb422a7a84d7352ac3d91af1b9b0ddf0b
RemcosRAT
467500ef0b7c20edfa4128862b5f66f30591be122744cf0217d80fb8d5ad2b84
RemcosRAT
9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c
RemcosRAT
a04d627bf01f18ee5ca0d47dac132c9ae2f12973aa9c54c331170d67967deb7d
RemcosRAT
a1ebb5b1ac3f9290675988d32ee609547286ac4453ae7e6605fc64f6247880d1
RemcosRAT
aa3661c6facf433bf9b20a1d00433c57ba8a8beb8479716987a787d56a82680c
RemcosRAT
d9139bcd0b6b44e2f3d766d1d56377a756a0880730f7aeb03e29c964116933a4
RemcosRAT
ed81a5ba77f8b1fd4e7881cc34f626ceec8c5b44d08822ca1d183e08d740f611
RemcosRAT
+ 2'263 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:11262022 persistence rat
Link:
https://tria.ge/reports/221126-vkpg6sac26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
nikahuve.ac.ug:65214
kalskala.ac.ug:65214
tuekisaa.ac.ug:65214
parthaha.ac.ug:65214
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7726f5cf-430a-405b-bcae-e52b911fca69
Unpacked files
SH256 hash:
d673d6ac1e46c2c80552c4ad03a881f333c0645827ff686f27e5965186a4a253
MD5 hash:
25d60ba3f97b7d4037b0d7bfc3a95165
SHA1 hash:
f67cb04418389f03256c4bd8221d9ec2a2b2c2ea
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/0dca2cde-b538-4178-b253-ccb6198949c2/
SH256 hash:
dc1fd469d7cdb329c5051d1308764ae41a4d0002528382e605030c797ac27352
MD5 hash:
6264bcec2d524eb84a2e2f910d042fc4
SHA1 hash:
f1905a2d26fb48a527ad63ed0893d02372f37f26
Link:
https://www.unpac.me/results/0dca2cde-b538-4178-b253-ccb6198949c2/
SH256 hash:
8ffa39aae908e30501361803091d323dec2fc7757fede9fabbc67261aaef1d75
MD5 hash:
4295e2f8dbf1da0134f49b8eb8917133
SHA1 hash:
4b9c02f7ad4b5f698873f95a2d4034c2360dd0f7
Link:
https://www.unpac.me/results/0dca2cde-b538-4178-b253-ccb6198949c2/
SH256 hash:
f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24
MD5 hash:
2552ee4ef6ff571f4791942deca0d55f
SHA1 hash:
e89224a9007e970775765d10531b0b4745d89bd8
Link:
https://www.unpac.me/results/0dca2cde-b538-4178-b253-ccb6198949c2/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2643b4686b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2433942/
Cape
Cape
https://www.capesandbox.com/analysis/338824/

Comments


Avatar
zbet commented on 2022-11-26 17:02:46 UTC

url : hxxp://paldo.ac.ug/rc.exe