MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
SHA3-384 hash: 1742cd3101979268dbbbad5641788c41dec3ecaf259c8ea0eba3fe6cb5400914f1f0a12e02615d77b994f93259fda3e6
SHA1 hash: f546ac0a67ed38ba9660251f5c132ce172015fea
MD5 hash: eaabbd55abbc1672509e5cc9733b0265
humanhash: east-wolfram-jersey-pizza
File name:Swift_Copy.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:454'465 bytes
First seen:2022-10-27 13:25:56 UTC
Last seen:2022-10-28 06:44:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:b/FFJ680JbgSgmF0gPrRNt6GsVmwA+NxF:b9eAS3FtrF6GKmwA+NxF
Threatray 2'072 similar samples on MalwareBazaar
TLSH T1E0A4232128D085E7E98B95B24913F349EB31860C2B652B83D7355F3FFD316D669082DB
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Swift_Copy.exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 13:28:06 UTC
Tags:
rat remcos stealer
Link:
https://app.any.run/tasks/760ca7e4-0696-4906-9d05-d82e205b2a07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324908/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.6.14110.3103.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45985/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mispadu
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fde6b9bb-139d-49e3-a334-4a64284ba9df
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099362
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 732015 Sample: Swift_Copy.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected Remcos RAT 2->60 62 3 other signatures 2->62 8 Swift_Copy.exe 18 2->8         started        11 nvddqt.exe 2->11         started        14 nvddqt.exe 2->14         started        process3 file4 40 C:\Users\user\AppData\Local\...\laxpfdnbj.exe, PE32 8->40 dropped 16 laxpfdnbj.exe 1 2 8->16         started        66 Antivirus detection for dropped file 11->66 68 Multi AV Scanner detection for dropped file 11->68 70 Maps a DLL or memory area into another process 11->70 20 nvddqt.exe 11->20         started        22 nvddqt.exe 14->22         started        signatures5 process6 file7 38 C:\Users\user\AppData\Roaming\...\nvddqt.exe, PE32 16->38 dropped 48 Antivirus detection for dropped file 16->48 50 Multi AV Scanner detection for dropped file 16->50 52 Detected unpacking (changes PE section rights) 16->52 54 6 other signatures 16->54 24 laxpfdnbj.exe 2 13 16->24         started        signatures8 process9 dnsIp10 44 41.216.183.226, 41900, 49695, 49696 AS40676US South Africa 24->44 46 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 24->46 64 Maps a DLL or memory area into another process 24->64 28 laxpfdnbj.exe 1 24->28         started        31 laxpfdnbj.exe 1 24->31         started        33 laxpfdnbj.exe 1 24->33         started        35 27 other processes 24->35 signatures11 process12 dnsIp13 72 Tries to steal Instant Messenger accounts or passwords 28->72 74 Tries to steal Mail credentials (via file / registry access) 28->74 42 192.168.2.1 unknown unknown 35->42 76 Tries to harvest and steal browser information (history, passwords, etc) 35->76 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 08:41:52 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=63ie4jxu4hgk7rzra7iqeydo2xssr7fs4zcr6vucig4eafjektxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
39c927965e14fb38c14b82c66c398f9cac1343d450db26e43c763b08a764b04b
RemcosRAT
8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
b45dbf75dd0de5a62cb362bcc26b59cdd6a7adae8a74c71c30e7db9c36b20265
RemcosRAT
e7a7431b7c5f7d73f80f8474e5d62a3620a639c762ea78b0266ff867c048a153
RemcosRAT
+ 2'062 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehoststar collection persistence rat spyware stealer
Link:
https://tria.ge/reports/221027-qph4qsccc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
41.216.183.226:41900
Unpacked files
SH256 hash:
b004491771d05dc604c8f1a7b169673e9b7a7f33c4833bcfa50c5e76b8c9a1d8
MD5 hash:
b30ad3ec69c35a44bd720e88e07e283e
SHA1 hash:
52a834e399eb4fcac0a4bc0b1f53634da776aecf
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/3e3b7f4e-1d91-4fa9-8f55-815ea57a0862/
Parent samples :
8573105c4b67affc024eec0b64c4f4c2f2e7f52d31b5eec059d6d8dc6f0a3743
0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
ac2022d039991daaa6b3f05a7d2324b55247446b4f0b20f0feb36d22fd21d428
522de9141cf7d1449c48f439b23bbc53be3de244e1baf817759b64eedfe5ae00
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
284749a242c7dcee6d5f8d71bb4de12ccbc7f7acc24a8fb795859b0393f23577
SH256 hash:
0672625a9d8928b8e2b624d9d1977196e0552262125f98198e63370589a4c2ac
MD5 hash:
9a25d16592e90b2a61f5be902494302b
SHA1 hash:
fc9820f95dff8c3f94b2fcc27aeb3e337882d876
Link:
https://www.unpac.me/results/3e3b7f4e-1d91-4fa9-8f55-815ea57a0862/
SH256 hash:
f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
MD5 hash:
eaabbd55abbc1672509e5cc9733b0265
SHA1 hash:
f546ac0a67ed38ba9660251f5c132ce172015fea
Link:
https://www.unpac.me/results/3e3b7f4e-1d91-4fa9-8f55-815ea57a0862/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/324908/

Comments