MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f99a929a42f7c6931aa9e45861aea8e8d24f20da66f8144c7d9e324386364034. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f99a929a42f7c6931aa9e45861aea8e8d24f20da66f8144c7d9e324386364034
SHA3-384 hash: 6e228010aee6e4443d4bbd1720e8ebbded298b8848395c244d5d0c7c298587a49c65a9ae47a09ce69bf1cc48ade66bc0
SHA1 hash: 32fe509e354ab20dc3aff8aab90bcd1fff9fd862
MD5 hash: cf7421633145edb90fbcac702fb4603a
humanhash: minnesota-magnesium-october-green
File name:cf7421633145edb90fbcac702fb4603a.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:475'648 bytes
First seen:2021-06-07 15:14:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WRuo1M2w1IGKITF94FtKeVuufYJn64sQO2i:WRuoy2bGdT0XTVuoq
Threatray 366 similar samples on MalwareBazaar
TLSH F1A4F062074EC9D9F25E0778882C9B2209563E660CC55DCD9B9DBEF03C716EE528E0BD
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
11222.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-07 09:40:28 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/712a57c6-f2bb-4505-8589-dff0ff1125a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165067/
Detection(s):
SecuriteInfo.com.Variant.Ursu.759639.12940.16350.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a window
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798222
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430619 Sample: FQmrSvo5iP.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 6 other signatures 2->48 9 FQmrSvo5iP.exe 5 2->9         started        13 remcos.exe 2 2->13         started        15 remcos.exe 2 2->15         started        process3 file4 36 C:\Users\user\AppData\...\FQmrSvo5iP.exe, PE32 9->36 dropped 38 C:\Users\...\FQmrSvo5iP.exe:Zone.Identifier, ASCII 9->38 dropped 40 C:\Users\user\AppData\...\FQmrSvo5iP.exe.log, ASCII 9->40 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Injects a PE file into a foreign processes 9->66 17 FQmrSvo5iP.exe 4 5 9->17         started        signatures5 process6 file7 30 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 17->30 dropped 32 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 17->32 dropped 34 C:\Users\user\AppData\Local\...\install.vbs, data 17->34 dropped 50 Multi AV Scanner detection for dropped file 17->50 52 Machine Learning detection for dropped file 17->52 54 Contains functionality to steal Chrome passwords or cookies 17->54 56 3 other signatures 17->56 21 wscript.exe 1 17->21         started        signatures8 process9 process10 23 cmd.exe 1 21->23         started        process11 25 remcos.exe 2 23->25         started        28 conhost.exe 23->28         started        signatures12 58 Multi AV Scanner detection for dropped file 25->58 60 Machine Learning detection for dropped file 25->60
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f99a929a42f7c6931aa9e45861aea8e8d24f20da66f8144c7d9e324386364034/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 03:06:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 29 (65.52%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
27a607812f2e113484b27f50f1337cad704713a356fb24a74103d8ef027da16d
RemcosRAT
4969dc5e2b7349e189cdc079c2e9e02014e559d1315564b6d6fd18eeb252c605
RemcosRAT
4e4463e40d78f3eb63012ed1f3aa7727d98ff68fc9c7b69cf6c0f482c9483476
RemcosRAT
54b91d6b1324d8b3dec856922b4566b362535d84538297b612c5323e9230daf0
RemcosRAT
57bbdab22d9197c60e2bb9aa35a36321276518c07716a71a0c7005944473a03d
RemcosRAT
741ffe5460a43194d3a8cf76729abd8f6a5fb7d991e219037215920195a38c5e
RemcosRAT
8017cf230cb7f4e72b6128a7e696821749c4990dbd446f8206d948c3ed6530ec
RemcosRAT
a0bb5a244b144a8e10087fd70a04580c3bb8c4c8add7da671a06f10020473004
RemcosRAT
c85d33153d768a2f98066c8ba07e58890cbac4c185e4ef45739fb03750e1088b
RemcosRAT
f4dcc52b899bbe0d34ffbb44032c0186953c174beaf647c0556c7e71385c6bb4
RemcosRAT
+ 356 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:chase persistence rat
Link:
https://tria.ge/reports/210607-ezvk3vjjqs/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
chasesure.duckdns.org:2404
chasesure.ddns.net:2404
Unpacked files
SH256 hash:
2d483c3cc92577972fb4cf63f440e3e50058bae4423c812f1cf19e101cc6e7b4
MD5 hash:
3a56d47574b0d7ed00e0d19bae04b72e
SHA1 hash:
103eae958e0a61e910571d442c6c7370fbc5ce6c
Link:
https://www.unpac.me/results/8e724e86-74ea-4d03-ba02-6e9b4620d75a/
SH256 hash:
d05696d2065f50f9370fa2d454a0617cca161ed9e03b47e1a6f616fdc4ef7801
MD5 hash:
4c74c011fed9e686a3b1abb15421f49a
SHA1 hash:
41539be87a90c28e9fd89d60b151fe66d3674bf7
Link:
https://www.unpac.me/results/8e724e86-74ea-4d03-ba02-6e9b4620d75a/
SH256 hash:
4f4f98df23f6149b00c642b05ec146e4adf32a73ddc2fa037d7cb3de3c61b927
MD5 hash:
e3e36a5667d8a7845be3788995947dc8
SHA1 hash:
bd596c1a1e95a54277d133bf12fb42db54d5149d
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/8e724e86-74ea-4d03-ba02-6e9b4620d75a/
SH256 hash:
938220f7ee689512bff7a3d9353fc17c70bb824903d7a363659c0438e58d1e4c
MD5 hash:
616ab8e843798ab17eb8928e355266c2
SHA1 hash:
d69b17dac38f9144db60e5b557d1fa2f715e8828
Link:
https://www.unpac.me/results/8e724e86-74ea-4d03-ba02-6e9b4620d75a/
SH256 hash:
f99a929a42f7c6931aa9e45861aea8e8d24f20da66f8144c7d9e324386364034
MD5 hash:
cf7421633145edb90fbcac702fb4603a
SHA1 hash:
32fe509e354ab20dc3aff8aab90bcd1fff9fd862
Link:
https://www.unpac.me/results/8e724e86-74ea-4d03-ba02-6e9b4620d75a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f99a929a42f7c6931aa9e45861aea8e8d24f20da66f8144c7d9e324386364034

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe f99a929a42f7c6931aa9e45861aea8e8d24f20da66f8144c7d9e324386364034

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335656/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165067/

Comments