MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521
SHA3-384 hash: 44caa909e2bbeb79c569da3901f31e8b457ae83128f8d2de69a67e79492802ec488c6adababf6b51b1ccf268e687aacd
SHA1 hash: da0ed336c9ecb3374238ddb4d1f5fb798cf6cada
MD5 hash: 71ac65d6674034d67719875d94473dbd
humanhash: johnny-wolfram-helium-four
File name:Order 1.19.22.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:833'536 bytes
First seen:2022-01-19 18:16:58 UTC
Last seen:2022-01-19 19:51:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:U2YXcS5yZuYcgA73oeSQjPH0knhzACvLS:UzMe8uYNw4F+PbnhVL
Threatray 15'018 similar samples on MalwareBazaar
TLSH T13B050113779EC925C569677248EF800083B1BF466653D70E3DE833BC9E6278B4A4639E
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order 1.19.22.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-20 03:43:57 UTC
Tags:
rat remcos stealer
Link:
https://app.any.run/tasks/70af7e7d-7fd0-48a7-8dff-c921fcb2102f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220755/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.36328.4090.31091.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi control.exe obfuscated packed remcos remote.exe replace.exe update.exe
Link:
https://www.filescan.io/uploads/61e855abd32385db6309e1db/reports/8b7d6d06-9b0c-49d6-9e71-a688bfc74590/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68356291-6ebb-4e91-b745-5d1c971a77b7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923746
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 12:24:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zrkpi7imoi6sw574rwgnh5czy3s3eiqkm2cpb6j6ixxfb6jiuqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
remcos
Create hunting rule
Similar samples:
18f4e5cdfd1f834e6eded0c2aeb60bb6fbe35add6f38d15aa295d05c233d126d
RemcosRAT
1e3432a2d3072ee5958b26e15d97ca1f6734c3522e701682b237544f5eb66645
RemcosRAT
3d652eb897291f8eb2fe8f9374007388b0cd426a797de77545b82a325dde762a
RemcosRAT
4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6
RemcosRAT
9a9f7ea8a021b5c4e7984076bfe6f0ab42bddb7b50fa18ef0da17c12e8ef95e1
RemcosRAT
b2708f388708fd87b4b362bc00be90494d27daa7cbd4624907501b2553473ff4
RemcosRAT
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
RemcosRAT
ff97bd0b382bcd07b0e71fd6249426a1d1246c52b07edd238eaa64136db737df
RemcosRAT
+ 15'008 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/220119-ww2sbacbgr/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
janeilla.myddns.me:9711
Unpacked files
SH256 hash:
8b25188a1581753b0faa89a7e371d2cc852fd95635b8503b6b20a4263af486e8
MD5 hash:
384cab014157440d3c462a97689e40ff
SHA1 hash:
4b91e7dfd574e04db14d2e3223df9327a5b95ba2
Link:
https://www.unpac.me/results/65946188-57b0-4e36-9105-3adbe21b58a9/
SH256 hash:
a2767f6502f99cb10ffaebeb7e1dfd4ed37a86a5ccd109760e52959c00881fbf
MD5 hash:
df4c5c81c475ebeace158165ebd723d8
SHA1 hash:
191137d894a9b33e06bf13701bde2ccf77da7ac6
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/65946188-57b0-4e36-9105-3adbe21b58a9/
Parent samples :
9f3e8d8d088ecf0b56a9550796d1df4168ba8354c26b8a2692703ff691e47b1e
f117302732cf460254150c63f9428c91e4b0502940b8f9c7a6169b454a2cfcc9
fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521
058278c7e517a47963d1528182d93fabe19909c09e00f5f764ea812714bd23d2
SH256 hash:
8e8674985d7d5c5064b052f9f5f97a25038ab1ba886b3ad4f64a448846f8a6f5
MD5 hash:
2496587ba0579429c34c1b3e1bfda6bb
SHA1 hash:
01546660b85638415d82cb3f88f40a9164e23039
Link:
https://www.unpac.me/results/65946188-57b0-4e36-9105-3adbe21b58a9/
SH256 hash:
fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521
MD5 hash:
71ac65d6674034d67719875d94473dbd
SHA1 hash:
da0ed336c9ecb3374238ddb4d1f5fb798cf6cada
Link:
https://www.unpac.me/results/65946188-57b0-4e36-9105-3adbe21b58a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe fe62a7a3e86391e95bbfe46c669fa2ce372d911053342787c9f22f7287c94521

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/220755/

Comments