MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
SHA3-384 hash: 9ec3bd2c33397ce0dcf1b7ff7a157ad109b8493766a1e635fe910e5e703e1525bc24bbb76757273d8515b8f6ccee476f
SHA1 hash: c6e1338fb7c3ffc9d39d5362722110e8482216ea
MD5 hash: 4da41093eb4cce80c18d1e6a2391ba80
humanhash: delaware-vermont-blue-cola
File name:4da41093eb4cce80c18d1e6a2391ba80
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:512'943 bytes
First seen:2023-03-29 07:06:32 UTC
Last seen:2023-03-29 09:28:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:+Ya6HI+QksRbJpnYqzFNZDPln6PJWJIFwYdga6c4jLvw1SxhDUoj+Xxk1Zci2E6e:+Y1I+QkunY8LzlOWi2HjHw1k15FqvK
TLSH T14DB422083625807BD8971E315B2F9637DF93FD065E6A882F6205BD9D3A31482BF0E752
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 98a2a6a08383a200 (9 x RemcosRAT, 3 x Formbook, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_23509-23510.xls
Verdict:
Malicious activity
Analysis date:
2023-03-29 06:15:34 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/d1873d03-149c-4ff7-b4f3-235300db995a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378396/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75568/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar comodo nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/6423e39984fe7631c302acb7/reports/04f42059-3724-4869-98f3-b608247e2940/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbbcf4ca-3b2b-4756-bcf1-0b59e84e848b
Result
Threat name:
AveMaria, DarkTortilla, Play, Remcos, UA
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204082
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected AveMaria stealer
Yara detected DarkTortilla Crypter
Yara detected Play Ransomware
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836998 Sample: O71rCDWHUk.exe Startdate: 29/03/2023 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 9 other signatures 2->98 10 O71rCDWHUk.exe 19 2->10         started        13 irsqhssjjf.exe 2->13         started        16 qiyvhavtewgo.exe 2->16         started        18 irsqhssjjf.exe 2->18         started        process3 file4 74 C:\Users\user\AppData\Local\...\tqchnnl.exe, PE32 10->74 dropped 20 tqchnnl.exe 1 2 10->20         started        132 Antivirus detection for dropped file 13->132 134 Multi AV Scanner detection for dropped file 13->134 24 WerFault.exe 3 10 13->24         started        27 WerFault.exe 16->27         started        29 WerFault.exe 10 18->29         started        signatures5 process6 dnsIp7 68 C:\Users\user\AppData\...\irsqhssjjf.exe, PE32 20->68 dropped 100 Antivirus detection for dropped file 20->100 102 Multi AV Scanner detection for dropped file 20->102 104 Detected unpacking (changes PE section rights) 20->104 106 3 other signatures 20->106 31 tqchnnl.exe 2 292 20->31         started        36 qiyvhavtewgo.exe 20->36         started        38 WerFault.exe 20->38         started        76 192.168.2.1 unknown unknown 24->76 file8 signatures9 process10 dnsIp11 80 top.not2beabused01.xyz 38.117.65.122, 1558, 49690, 49691 RC-01-ASCA United States 31->80 82 geoplugin.net 178.237.33.50, 49706, 80 ATOM86-ASATOM86NL Netherlands 31->82 60 C:\Users\user\AppData\Local\Temp\fmwrz.exe, PE32 31->60 dropped 62 C:\Users\user\AppData\Local\Temp\datxld.exe, PE32 31->62 dropped 64 C:\Users\user\AppData\Local\Temp\datrem.exe, PE32 31->64 dropped 66 C:\Users\user\AppData\Local\Temp\datorg.exe, PE32 31->66 dropped 84 Tries to harvest and steal browser information (history, passwords, etc) 31->84 86 Maps a DLL or memory area into another process 31->86 88 Sample uses process hollowing technique 31->88 90 Installs a global keyboard hook 31->90 40 fmwrz.exe 31->40         started        43 datorg.exe 31->43         started        46 datrem.exe 31->46         started        50 18 other processes 31->50 48 WerFault.exe 36->48         started        file12 signatures13 process14 file15 72 C:\Users\user\AppData\Local\...\ghibzkdm.exe, PE32 40->72 dropped 52 ghibzkdm.exe 40->52         started        120 Multi AV Scanner detection for dropped file 43->120 122 Machine Learning detection for dropped file 43->122 124 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->124 126 Tries to steal Instant Messenger accounts or passwords 50->126 128 Tries to steal Mail credentials (via file / registry access) 50->128 130 Tries to harvest and steal browser information (history, passwords, etc) 50->130 signatures16 process17 file18 70 C:\Users\user\AppData\...\qiyvhavtewgo.exe, PE32 52->70 dropped 108 Antivirus detection for dropped file 52->108 110 Detected unpacking (changes PE section rights) 52->110 112 Detected unpacking (overwrites its own PE header) 52->112 114 3 other signatures 52->114 56 ghibzkdm.exe 52->56         started        signatures19 process20 dnsIp21 78 top.not2beabused01.xyz 56->78 116 Increases the number of concurrent connection per server for Internet Explorer 56->116 118 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->118 signatures22
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-03-29 07:07:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yufgksifbalm3e734hnbhpinnruddq7ftb3x7ytt5keql4jlvbq._file
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:warzonerat botnet:sixthclients collection infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/230329-hxmswsgh2s/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Warzone RAT payload
Modifies WinLogon for persistence
Remcos
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
top.not2beabused01.xyz:1558
sub.not2beabused02.xyz:1558
top.not2beabused01.xyz:1668
Unpacked files
SH256 hash:
0af5b1c8eff1fd4a1108f1241d19551a141a28a7019d2360bd72616e3a3702d9
MD5 hash:
4933fea55812619147c9ebbe1e61f5fb
SHA1 hash:
a79f881c76f27a0619378ed6b32f509670fc5cfa
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/5c97497c-ae94-4d67-903b-646093e506f8/
Parent samples :
05b59ecf47b2421de0d6777fbd1498ac5b6c2fc0a8233838e3246195f452175e
ba484a35c10e0de7b344da174c26560e29bd3fe895216f9d03c0ce1cfc3de706
f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
SH256 hash:
4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
MD5 hash:
78d3f22fed32bf75725573cf8df7d666
SHA1 hash:
2e0c049c4b58a7db1259bfa7023473ebe6785025
Link:
https://www.unpac.me/results/5c97497c-ae94-4d67-903b-646093e506f8/
SH256 hash:
f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
MD5 hash:
4da41093eb4cce80c18d1e6a2391ba80
SHA1 hash:
c6e1338fb7c3ffc9d39d5362722110e8482216ea
Link:
https://www.unpac.me/results/5c97497c-ae94-4d67-903b-646093e506f8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f628532a4828/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2589802/
Cape
Cape
https://www.capesandbox.com/analysis/378396/

Comments


Avatar
zbet commented on 2023-03-29 07:06:37 UTC

url : hxxp://13.126.112.247/11/vbc.exe