MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
SHA3-384 hash: 4c3d2cec2f04ad03b5f563e33ba3b9ea5c17dc98aa602eb448b1348c21d662b5c280ee7a02feada023fa58a7549c2930
SHA1 hash: 37e69ebe6e65ff3067d3e7e319caedb489feee23
MD5 hash: 921c1764462feb206d4ca0b44452254c
humanhash: artist-spaghetti-south-paris
File name:image_2022_11_31T21_40_57_475Z.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:493'164 bytes
First seen:2022-11-07 14:55:24 UTC
Last seen:2022-11-07 17:13:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:XAeZvHnOr6uf2x7ctE9Szu1qqNR+o3nSxmJbMHM:XAyuWuf2x7ca9Szkso3nSBM
Threatray 2'172 similar samples on MalwareBazaar
TLSH T1C2A4232671D1D2FBFCA210B8026DDF96D377C7095554C69B0BF40FBB9E18A479A03268
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
image_2022_11_31T21_40_57_475Z.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 14:56:01 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/0e8894e3-442c-4865-843b-57c62b26b542

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329997/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.13027.11657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49673/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63691c867da1a723acc6a171/reports/ae6a859a-4db8-46ec-a12a-62e8faac8edd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5896ddbd-909d-4068-9889-3da7d760fdfe
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107708
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740372 Sample: image_2022_11_31T21_40_57_4... Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 6 other signatures 2->48 7 image_2022_11_31T21_40_57_475Z.exe 18 2->7         started        10 eyfjldcq.exe 2->10         started        13 eyfjldcq.exe 2->13         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\gorajh.exe, PE32 7->26 dropped 15 gorajh.exe 1 2 7->15         started        50 Multi AV Scanner detection for dropped file 10->50 52 Machine Learning detection for dropped file 10->52 54 Contains functionality to steal Chrome passwords or cookies 10->54 58 2 other signatures 10->58 19 eyfjldcq.exe 10->19         started        56 Maps a DLL or memory area into another process 13->56 21 eyfjldcq.exe 13->21         started        signatures5 process6 file7 28 C:\Users\user\AppData\...\eyfjldcq.exe, PE32 15->28 dropped 34 Multi AV Scanner detection for dropped file 15->34 36 Machine Learning detection for dropped file 15->36 38 Contains functionality to steal Chrome passwords or cookies 15->38 40 3 other signatures 15->40 23 gorajh.exe 2 13 15->23         started        signatures8 process9 dnsIp10 30 41.216.183.226, 41900, 49695 AS40676US South Africa 23->30 32 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 23->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 08:06:44 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
25 of 40 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hn3gqxggvyxwvppdhba46kdqwfm7cjombaktjhtmcpkuqmydpeq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
16f94dbc6345fd8220c180376a3074e966a8579b305d877b4714256d450141d0
RemcosRAT
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
ae86ff848167aff1ce842e1c0e77bea0a84dfcb0ec4f115086c99225775c80c4
RemcosRAT
d42107d756734247da36e67eb859e1ca7fefcdae69d5cd50730979d7b005e83d
RemcosRAT
+ 2'162 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehoststar persistence rat
Link:
https://tria.ge/reports/221107-sa1rcaceh8/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
41.216.183.226:41900
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0b4aeb2b-67b8-4871-8625-fdd5618e8327
Unpacked files
SH256 hash:
b004491771d05dc604c8f1a7b169673e9b7a7f33c4833bcfa50c5e76b8c9a1d8
MD5 hash:
b30ad3ec69c35a44bd720e88e07e283e
SHA1 hash:
52a834e399eb4fcac0a4bc0b1f53634da776aecf
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a87727e7-c0fe-41c8-a101-e6f417454fb3/
Parent samples :
8573105c4b67affc024eec0b64c4f4c2f2e7f52d31b5eec059d6d8dc6f0a3743
0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
ac2022d039991daaa6b3f05a7d2324b55247446b4f0b20f0feb36d22fd21d428
522de9141cf7d1449c48f439b23bbc53be3de244e1baf817759b64eedfe5ae00
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
284749a242c7dcee6d5f8d71bb4de12ccbc7f7acc24a8fb795859b0393f23577
SH256 hash:
a82758db14cf0a6096bd16bc7000cc00168be1fecca6882415e57af1528b7a0f
MD5 hash:
7b781ed35f737e4fcb01f95911ddd4ef
SHA1 hash:
bd41d5f509a1e6f52d84e969de76fb77e7d298eb
Link:
https://www.unpac.me/results/a87727e7-c0fe-41c8-a101-e6f417454fb3/
SH256 hash:
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
MD5 hash:
921c1764462feb206d4ca0b44452254c
SHA1 hash:
37e69ebe6e65ff3067d3e7e319caedb489feee23
Link:
https://www.unpac.me/results/a87727e7-c0fe-41c8-a101-e6f417454fb3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/329997/

Comments