MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c
SHA3-384 hash: 75c3c119d929a4be2310c1e0c558b314c668cece440068779c0a05c5749601dd13ebaa95f2b76b2511c4094c1a0d8697
SHA1 hash: adeb625444db4a3df0320bb253cd8397eeb3552b
MD5 hash: 4999897539993e2bd0c88cd0745026e2
humanhash: don-gee-xray-king
File name:vbc (4).exe1
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:887'808 bytes
First seen:2022-07-07 14:35:08 UTC
Last seen:2022-07-07 15:43:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:vGGuam4kVg6rj/zoKQ1NbHDJr7q4xXuVFN/C4s:uGuam4ky6rj/zoKQ1NbHDM4xXu
TLSH T1AC15230143614035C8BE43BCA0B3B99A477476153B62E39F5F50A5BA2B373E9873768B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter KdssSupport
Tags:exe RemcosRAT


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
INV0150012849 DT 28.03.2022.pdf
Verdict:
Malicious activity
Analysis date:
2022-07-07 14:10:07 UTC
Tags:
opendir trojan exploit CVE-2017-11882 loader rat remcos
Link:
https://app.any.run/tasks/08c80568-788d-4c53-ac67-691da3fe9568

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285573/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39949686.24629.16534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c6ef3a6ee6df015bbf3f02/reports/e3c0a68d-8619-49f0-96bf-b62773cfb952/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aad22622-e52a-48ea-aa14-64ef3b085f89
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1026525
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2022-07-07 03:02:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7defvsevhftfznhk6uichby3k3kafq3i2pe3kkp2qi3gu43rfb6a._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:awele persistence rat
Link:
https://tria.ge/reports/220707-rykjlahccq/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
gdyhjjdhbvxgsfe.gotdns.ch:2718
Unpacked files
SH256 hash:
3a2f16bd4881f333d13eb1061f25399ec931bd70a4001d8c7174b3da9e17dd6a
MD5 hash:
091cbe070b84119bbb782666001ca39f
SHA1 hash:
b9f5d4937a114fd0f5a3613415ee31ef067a8395
Link:
https://www.unpac.me/results/2018c3c3-5de9-4026-8f3d-ee7667e7f2cf/
SH256 hash:
507265f79bc13aaed8695fd47cecace203db620ff7bcb8d63096603af656dd48
MD5 hash:
c1a7f6b51bb4419a0e4a132bd50b4aab
SHA1 hash:
9e22394484b9d5276afa0ff92ba5d725c6261c5d
Link:
https://www.unpac.me/results/2018c3c3-5de9-4026-8f3d-ee7667e7f2cf/
SH256 hash:
4d7a1202e5360fcc3a77f8d9af28f80b26ae66346341a973dc8ac9096d8a8747
MD5 hash:
3f428362a2e853d401aea8fa0b452721
SHA1 hash:
4ced635ff3431693515c91eb57b3c32f1acdedca
Link:
https://www.unpac.me/results/2018c3c3-5de9-4026-8f3d-ee7667e7f2cf/
SH256 hash:
92fc8071021b5861cd8ab121a69b5738f395cd604d0701a2550c88a4dc774d9f
MD5 hash:
74d74d8ab4d7af70f3dc09994d9afd98
SHA1 hash:
059ea823649648abcc0bc08e0958dd3344c57a0f
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2018c3c3-5de9-4026-8f3d-ee7667e7f2cf/
Parent samples :
17f5cb1dba8dd540465e9135d6541f2a7f871caee59c8afc63cf17e820c0f22f
58a7f521806093c7072a47070aeef1f69de6163b18eb9ada9541acb15957350b
c19e7f8c690e36a1d98ec296034b7e9cb6460cc65d9064a6fe184c993089949c
f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c
e3ad614d9a134b20b9efe02f5029d93c65ddc13322858d87c6ca3751b857413f
93c44acd51b11807883d39e0a7ca13a178f0c69e9b7f20e90245c5973c937db0
8a791c71f76f530179c8e957f5b6235fb573a9ee35a1dabfca368e62f7bba29e
SH256 hash:
f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c
MD5 hash:
4999897539993e2bd0c88cd0745026e2
SHA1 hash:
adeb625444db4a3df0320bb253cd8397eeb3552b
Link:
https://www.unpac.me/results/2018c3c3-5de9-4026-8f3d-ee7667e7f2cf/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8c85ac89539/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe f8c85ac89539665cb4eaf51023871b56d402c368d3c9b529fa82366a7371287c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/285573/

Comments