MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b
SHA3-384 hash: 3c37d252f5ee98793ee84549c8b28b91b801687f842614558c70682751f9b5b74ec0bd00444e4fd227c024915db140f2
SHA1 hash: 5601d37a122538cc3e2120c20987f4fd51cf46a1
MD5 hash: 20d4a040e22dff3d939245aba59bf931
humanhash: thirteen-carolina-steak-ack
File name:image2021042GFREDS12322ERDQ1DOC03027382DOC202.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'151'488 bytes
First seen:2022-09-19 12:10:47 UTC
Last seen:2022-10-07 13:18:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:gBTP6yzQ0JW+ZvBrCMk/gPPw3RD1xJxo4IduBZJ:uD6qQsrznw3Hdmsz
Threatray 1'932 similar samples on MalwareBazaar
TLSH T1FF35E128637ACC07C86AA535C9D2E2301FB95DC5C35FC60B08D87D67F63A39C69923A5
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8a1332e8aacc4db2 (8 x Formbook, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
79.134.225.116:2404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.116:2404 https://threatfox.abuse.ch/ioc/850486/

Intelligence

File Origin
# of uploads :
3
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
image2021042GFREDS12322ERDQ1DOC03027382DOC202.exe
Verdict:
Malicious activity
Analysis date:
2022-09-19 12:11:25 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/97047e68-5abb-4aac-b2e4-3047e1fa1d6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311321/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.5.Gen.18989.5496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63285c97b333b2ec6b3579c4/reports/c2851a7d-912f-48cb-bf8e-68dd13443781/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f45e2409-dea8-4970-b4c9-d1f7ee632f8d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072930
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 705472 Sample: image2021042GFREDS12322ERDQ... Startdate: 19/09/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 10 other signatures 2->43 7 image2021042GFREDS12322ERDQ1DOC03027382DOC202.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\YXSYAxcslZ.exe, PE32 7->23 dropped 25 C:\Users\...\YXSYAxcslZ.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp21A2.tmp, XML 7->27 dropped 29 image2021042GFREDS...27382DOC202.exe.log, ASCII 7->29 dropped 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Writes to foreign memory regions 7->47 49 Adds a directory exclusion to Windows Defender 7->49 51 Injects a PE file into a foreign processes 7->51 11 vbc.exe 2 16 7->11         started        15 powershell.exe 21 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 www.arkern-tr.com 37.0.14.206, 2404, 49701 WKD-ASIE Netherlands 11->31 33 bushnew.duckdns.org 79.134.225.116, 2404, 49702 FINK-TELECOM-SERVICESCH Switzerland 11->33 35 geoplugin.net 178.237.33.50, 49703, 80 ATOM86-ASATOM86NL Netherlands 11->35 53 Installs a global keyboard hook 11->53 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-19 12:11:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xl5s2ykegq4y466y2dfychzmgy2npbbx7v5fwe2g7elyn5l32nq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20d06c9366037f9c7d08d843ddcb74e264accf481dbefd7b1f77669abb4d9be9
RemcosRAT
4f95967b9b1f5532cb570bb1f762328d07ea16c20b6fcf1c4cfde82d06906630
RemcosRAT
58d5e75956574ad0a933ef2c4edaeeb7f601d3360e14ea8bb9a3c2d19e71f974
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
b563d460e40277fd18dfa645f16081ed6328f519e218afc6570dafe951f5feea
RemcosRAT
b7cc11f42808bc13ea70def8382654e7c9294eb30c42ed29d5eb9f2d7bbf9514
RemcosRAT
eaea558cf05de77f2b72fe6ccafbcd63198dd067627d801a40b1b7d95251666f
RemcosRAT
+ 1'922 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:recovery rat
Link:
https://tria.ge/reports/220919-pclhnagbb8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
www.arkern-tr.com:2404
bushnew.duckdns.org:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/325c1e18-0985-419d-9999-71d48d3a8e62
Unpacked files
SH256 hash:
8acf4111ec02dfae8f8575aa67c3562277b4fb8aba0f6ddfcbadcc40253f9765
MD5 hash:
acde4326d5564f1f010a4ff496dd5445
SHA1 hash:
72384f655ad711c317491d27f72f38c7554797b7
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/09f9f07f-a369-44fd-bdf5-cffa8a60e1cc/
Parent samples :
a12ad95eb51a6c2e558d23ff681f2619141ae91d46ca21d0b04f94339b9dd8a7
fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/09f9f07f-a369-44fd-bdf5-cffa8a60e1cc/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/09f9f07f-a369-44fd-bdf5-cffa8a60e1cc/
SH256 hash:
1dfb9787397716fc88257a33fc439c8b80f99d676183e9fa7a2f5d278586e642
MD5 hash:
41c9fac739e5284da7b73ee0ab4e3867
SHA1 hash:
0725b54b8e6aa371441455c4ae6df80c0a0863bd
Link:
https://www.unpac.me/results/09f9f07f-a369-44fd-bdf5-cffa8a60e1cc/
SH256 hash:
212d124c528d616c822ed973fc68d72fac509b239370b279386b8cbc1cd89690
MD5 hash:
6c0ebab50c54ff8b5365660a458543e4
SHA1 hash:
037296a1b13011038894e3d8d381f4a1710a7021
Link:
https://www.unpac.me/results/09f9f07f-a369-44fd-bdf5-cffa8a60e1cc/
SH256 hash:
fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b
MD5 hash:
20d4a040e22dff3d939245aba59bf931
SHA1 hash:
5601d37a122538cc3e2120c20987f4fd51cf46a1
Link:
https://www.unpac.me/results/09f9f07f-a369-44fd-bdf5-cffa8a60e1cc/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fdd7d96b0a21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311321/

Comments