MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5e9bbc8988d80afda3a6890b91d1148f35ea996ddc5cfaa0ff95da0bc975815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5e9bbc8988d80afda3a6890b91d1148f35ea996ddc5cfaa0ff95da0bc975815
SHA3-384 hash: 8239200cce7a2b1e9968a772e88d4474a4fc5c38ec375246f18f0cd302f9525de168f4a97c48cb9c250c72dc49601f08
SHA1 hash: aec206d23b43cc7fe5e0d462b41dad4b23fc1d0a
MD5 hash: 271a615ca2750512c76bffae116135df
humanhash: golf-uncle-violet-july
File name:271a615ca2750512c76bffae116135df
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:76'800 bytes
First seen:2022-03-29 08:40:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 1536:fW9kQU+iopiA+bHq0R4Co0s7yj7c0q1f:E4YzCo8/c0q1f
Threatray 1'438 similar samples on MalwareBazaar
TLSH T13C73A0A1BE84F62AC1262C32CB12DAF5C227BD27C9709A577CC47F1F7933646850172A
File icon (PE):PE icon
dhash icon 3d7de4e1e1610d15 (7 x NanoCore, 5 x AgentTesla, 4 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/259074/
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.CSU.genEldorado.16852.12716.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6242c621a19c649412a4d61e/reports/93f0f7d9-3b2c-4e7a-ab2a-d8d9a1a801be/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c43c21cd-5b65-4793-a6d3-6d277060751f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967212
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 599699 Sample: D01UaTxgrQ Startdate: 30/03/2022 Architecture: WINDOWS Score: 100 55 drgeraldvanluven12.zapto.org 2->55 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 11 other signatures 2->73 11 D01UaTxgrQ.exe 15 6 2->11         started        16 ros.exe 2 2->16         started        18 ros.exe 2 2->18         started        signatures3 process4 dnsIp5 59 136.144.41.109, 49755, 49767, 49770 WORLDSTREAMNL Netherlands 11->59 49 C:\Users\user\AppData\Roaming\...\autofmt.exe, PE32 11->49 dropped 51 C:\Users\user\...\autofmt.exe:Zone.Identifier, ASCII 11->51 dropped 53 C:\Users\user\AppData\...\D01UaTxgrQ.exe.log, ASCII 11->53 dropped 79 Creates an undocumented autostart registry key 11->79 81 Contains functionality to steal Chrome passwords or cookies 11->81 83 Contains functionality to inject code into remote processes 11->83 87 2 other signatures 11->87 20 D01UaTxgrQ.exe 4 4 11->20         started        24 D01UaTxgrQ.exe 11->24         started        85 Injects a PE file into a foreign processes 16->85 26 ros.exe 16->26         started        28 ros.exe 18->28         started        file6 signatures7 process8 file9 43 C:\Users\user\AppData\Roaming\ros.exe, PE32 20->43 dropped 45 C:\Users\user\...\ros.exe:Zone.Identifier, ASCII 20->45 dropped 47 C:\Users\user\AppData\Local\...\install.vbs, data 20->47 dropped 75 Creates autostart registry keys with suspicious names 20->75 30 wscript.exe 1 20->30         started        signatures10 process11 process12 32 cmd.exe 1 30->32         started        process13 34 ros.exe 14 4 32->34         started        37 conhost.exe 32->37         started        signatures14 61 Antivirus detection for dropped file 34->61 63 Machine Learning detection for dropped file 34->63 65 Injects a PE file into a foreign processes 34->65 39 ros.exe 34->39         started        process15 dnsIp16 57 drgeraldvanluven12.zapto.org 66.154.98.162, 2130, 49783, 49784 TOTAL-SERVER-SOLUTIONSUS Canada 39->57 77 Installs a global keyboard hook 39->77 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5e9bbc8988d80afda3a6890b91d1148f35ea996ddc5cfaa0ff95da0bc975815/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 08:29:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xu3xseyrwak7wr2ncilshirjdzv5kmw3xc47kqp7fo2bpexlakq._file
Verdict:
malicious
Similar samples:
17db20ebfbce957562eb47a2a0db1a052df6352613d554fe707fae58b8975f81
RemcosRAT
39b351ef5277e274be877b71e44f126e0c83744c62d4f4163ff7639d0386bdc0
RemcosRAT
8342c94ddfd4cca232e9d1cd5faed48fdce02a694b062606b938401b502a0c30
RemcosRAT
838a8fab72d527c2817b806f6978e6e36de1a101d89646855704b5a0ae044db8
RemcosRAT
c39a8dafb70b4adfb21ca557c23f3b81fc965c204bb70d515f8903f3205b72b7
RemcosRAT
c4558d0d34144540099dcd2c4f0fa8651346c79ac99134cd18eae4e1e3cf84d8
RemcosRAT
c5dacb79bb5f1021b128deef833d1c45bea09c6c27a4a0da9f090509f256ec52
RemcosRAT
f3898ca67fa60276c5c6ace2385d54120cd792943c98e865fbdeb020cb5d4ac9
RemcosRAT
+ 1'428 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:chmoney collection persistence rat spyware stealer
Link:
https://tria.ge/reports/220329-klfljsghfr/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
drgeraldvanluven12.zapto.org:2130
Unpacked files
SH256 hash:
f5e9bbc8988d80afda3a6890b91d1148f35ea996ddc5cfaa0ff95da0bc975815
MD5 hash:
271a615ca2750512c76bffae116135df
SHA1 hash:
aec206d23b43cc7fe5e0d462b41dad4b23fc1d0a
Link:
https://www.unpac.me/results/2276b200-7ae8-490a-b3d2-728247ff979b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f5e9bbc8988d80afda3a6890b91d1148f35ea996ddc5cfaa0ff95da0bc975815

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe f5e9bbc8988d80afda3a6890b91d1148f35ea996ddc5cfaa0ff95da0bc975815

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2118547/
Cape
Cape
https://www.capesandbox.com/analysis/259074/

Comments


Avatar
zbet commented on 2022-03-29 08:41:01 UTC

url : hxxp://136.144.41.109/CDQ.exe