MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df
SHA3-384 hash: f11eff8a7a883c763b5532a99a6ba5349335069ff33a9bfde452fe55740d5485466760d0dcd9ea2820ae6f2b46339646
SHA1 hash: 8df5614bedd2db78892b11e6a73017d1e05d4183
MD5 hash: bcae06ceab767b7cfe609336242afe02
humanhash: bluebird-california-dakota-sierra
File name:bcae06ceab767b7cfe609336242afe02
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'928'096 bytes
First seen:2023-03-12 17:40:56 UTC
Last seen:2023-03-12 19:42:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9e5f3ce5156d21424ffde8025e47b6e (1 x Adware.Generic, 1 x RedLineStealer, 1 x Rhadamanthys)
ssdeep 49152:OrHfMapQaxQtWjWLEjTerPUDvW9o8u0pQLElB4I:OrHfMapQaxZjWLEnaUjo7u9LElH
TLSH T19395F140B3D1E0F2C0643E715B6283949B54BF905B9A748F52A43FFE61A0F85DF266CA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e66f51535171610b (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:*.zaborfh.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-28T13:00:07Z
Valid to:2023-05-29T13:00:06Z
Serial number: 0327bbfe1e937752f35d7901a0dfcffaaca8
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b12a3aab316152904781fb8759fefea778fd8763e971a39f7f7fab19ace4d01a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bcae06ceab767b7cfe609336242afe02
Verdict:
Malicious activity
Analysis date:
2023-03-12 17:47:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73eaf04a-faa6-4c07-93a2-3fe51b64b654

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373748/
Detection(s):
SecuriteInfo.com.Variant.Jaik.128205.978.28523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72814/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
AntidebugCommonApi
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/640e0eb7cb9bbbbcdcc71e14/reports/b169eafd-ed01-48f5-8000-e1c31de1f9d5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9692469b-a297-4f05-bea9-86aed236781b
Result
Threat name:
Remcos, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192044
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824917 Sample: 662vyWFYKr.exe Startdate: 12/03/2023 Architecture: WINDOWS Score: 100 114 Snort IDS alert for network traffic 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus detection for URL or domain 2->118 120 15 other signatures 2->120 12 662vyWFYKr.exe 10 2->12         started        17 Miqui kofa nivesese pixisi loci focolil feme radada nokov fagogox linecav.exe 9 2->17         started        process3 dnsIp4 110 fzcdwr9qzcc0vpgw46nm7.q37kjgmke5ho6thrfjhu3j 12->110 94 Miqui kofa niveses...fagogox linecav.exe, PE32 12->94 dropped 96 Miqui kofa niveses...exe:Zone.Identifier, ASCII 12->96 dropped 148 Self deletion via cmd or bat file 12->148 150 Uses schtasks.exe or at.exe to add and modify task schedules 12->150 19 Miqui kofa nivesese pixisi loci focolil feme radada nokov fagogox linecav.exe 8 12->19         started        24 cmd.exe 1 12->24         started        26 schtasks.exe 1 12->26         started        112 fzcdwr9qzcc0vpgw46nm7.q37kjgmke5ho6thrfjhu3j 17->112 98 C:\Users\user\AppData\Local\...\5859343.dll, PE32 17->98 dropped 152 Writes to foreign memory regions 17->152 154 Allocates memory in foreign processes 17->154 156 Injects a PE file into a foreign processes 17->156 28 WerFault.exe 19 9 17->28         started        30 fontview.exe 17->30         started        32 ngentask.exe 17->32         started        34 WerFault.exe 17->34         started        file5 signatures6 process7 dnsIp8 100 fzcdwr9qzcc0vpgw46nm7.q37kjgmke5ho6thrfjhu3j 19->100 84 C:\Users\user\AppData\Local\...\5854203.dll, PE32 19->84 dropped 132 Writes to foreign memory regions 19->132 134 Allocates memory in foreign processes 19->134 136 Injects a PE file into a foreign processes 19->136 36 fontview.exe 19->36         started        39 ngentask.exe 2 2 19->39         started        43 WerFault.exe 19->43         started        45 WerFault.exe 19->45         started        138 Uses ping.exe to check the status of other devices and networks 24->138 47 PING.EXE 1 24->47         started        49 conhost.exe 24->49         started        51 chcp.com 1 24->51         started        53 conhost.exe 26->53         started        file9 signatures10 process11 dnsIp12 122 Query firmware table information (likely to detect VMs) 36->122 124 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 36->124 126 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 36->126 130 6 other signatures 36->130 55 dllhost.exe 36->55         started        102 vcv.mastercoa.co 192.30.89.27, 8489 CLOUDSINGULARITYCA Canada 39->102 86 C:\ProgramData\remcos\logs.dat, data 39->86 dropped 128 Installs a global keyboard hook 39->128 104 127.0.0.1 unknown unknown 47->104 file13 signatures14 process15 signatures16 140 Early bird code injection technique detected 55->140 142 Tries to harvest and steal browser information (history, passwords, etc) 55->142 144 Maps a DLL or memory area into another process 55->144 146 Queues an APC in another process (thread injection) 55->146 58 dllhost.exe 55->58         started        process17 dnsIp18 106 185.246.220.34, 443, 49715, 49716 LVLT-10753US Germany 58->106 108 192.168.2.1 unknown unknown 58->108 88 C:\Users\user\AppData\...\Ozbdieczyw.exe, PE32+ 58->88 dropped 90 C:\Users\user\AppData\...behaviorgraphsrzmkokdb.exe, PE32+ 58->90 dropped 92 C:\Users\user\AppData\...\s4ccmhhl.cmdline, Unicode 58->92 dropped 62 Gsrzmkokdb.exe 58->62         started        65 Ozbdieczyw.exe 58->65         started        67 csc.exe 58->67         started        file19 process20 file21 158 Machine Learning detection for dropped file 62->158 160 Encrypted powershell cmdline option found 62->160 70 powershell.exe 62->70         started        72 powershell.exe 65->72         started        82 C:\Users\user\AppData\Local\...\s4ccmhhl.dll, PE32 67->82 dropped 74 conhost.exe 67->74         started        76 cvtres.exe 67->76         started        signatures22 process23 process24 78 conhost.exe 70->78         started        80 conhost.exe 72->80         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-12 07:18:32 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lpx5lmq7gmr7remgyc6abdb4dlesxg3mwxgxf5w4pfyn5z4zhpq._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:rhadamanthys botnet:remotehost rat stealer
Link:
https://tria.ge/reports/230312-v9fasseg38/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Remcos
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
vcv.mastercoa.co:8489
Unpacked files
SH256 hash:
41e34f719d84c3052692b328e3ce69b3c37535a36f061cd6630c3b9817a51f1c
MD5 hash:
71b7e5bdce5a4065b11b811f6d9077d4
SHA1 hash:
e18164618071b23b474ef8b1f2a96aff0fd06d43
Link:
https://www.unpac.me/results/e84a02bf-0037-4b1a-b8ad-e28fc2027c14/
SH256 hash:
fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df
MD5 hash:
bcae06ceab767b7cfe609336242afe02
SHA1 hash:
8df5614bedd2db78892b11e6a73017d1e05d4183
Link:
https://www.unpac.me/results/e84a02bf-0037-4b1a-b8ad-e28fc2027c14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe fadf7ead90f9991fc48c3605e00461e0d6495cdb65ae6b97b6e3cb86f73cc9df

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2567609/
Cape
Cape
https://www.capesandbox.com/analysis/373748/

Comments


Avatar
zbet commented on 2023-03-12 17:41:00 UTC

url : hxxp://143.42.136.20/2707/vbc.exe