MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
SHA3-384 hash: 9569cd4c161d6e29f44d8b14a58abe831d99d849601732625681b39f555622066d467017d51704dfec58d44e6e7ef0ff
SHA1 hash: 37a1fb2c0bdee0a5e568ce1357382be2bf54d2ad
MD5 hash: 3ab5d25f08cf7aaa6bdfbbf32025c5cb
humanhash: ten-quiet-massachusetts-may
File name:3ab5d25f08cf7aaa6bdfbbf32025c5cb
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'036'288 bytes
First seen:2022-09-10 01:37:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:g4444XygDTaabfMSwB+U9q3bHnDW1pme6TkWssrMEyW9mT5w4444:qJyB+E4bK1pme6TkT6yWw
Threatray 2'097 similar samples on MalwareBazaar
TLSH T1182512F9235CDA27C5AFC978E006249916777971E443DFAA988AB1FC3C7F3A04602593
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Doc0101972848890730970.xlsx
Verdict:
Malicious activity
Analysis date:
2022-09-07 18:00:00 UTC
Tags:
exploit CVE-2017-11882 loader remcos
Link:
https://app.any.run/tasks/df751d6c-19b5-44c2-be44-07c761cf136c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309067/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.42180.19279.8146.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/631bea9ebdec86ddb45fc8e3/reports/ef775919-ea62-4890-bfc7-a223a4189129/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/052f9502-6cba-4a69-89ad-81c9b3deaa83
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1068069
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 700599 Sample: nDAH18nzHA.exe Startdate: 10/09/2022 Architecture: WINDOWS Score: 100 63 Multi AV Scanner detection for domain / URL 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 9 other signatures 2->69 10 nDAH18nzHA.exe 3 2->10         started        13 dos.exe 2 2->13         started        15 dos.exe 2 2->15         started        17 dos.exe 2->17         started        process3 file4 57 C:\Users\user\AppData\...\nDAH18nzHA.exe.log, ASCII 10->57 dropped 19 nDAH18nzHA.exe 5 4 10->19         started        22 nDAH18nzHA.exe 10->22         started        24 nDAH18nzHA.exe 10->24         started        26 svchost.exe 10->26         started        28 dos.exe 13->28         started        30 dos.exe 13->30         started        32 dos.exe 15->32         started        34 dos.exe 17->34         started        process5 file6 51 C:\Users\user\AppData\Roaming\dos.exe, PE32 19->51 dropped 53 C:\Users\user\...\dos.exe:Zone.Identifier, ASCII 19->53 dropped 55 C:\Users\user\AppData\Local\...\install.vbs, data 19->55 dropped 36 wscript.exe 1 19->36         started        process7 process8 38 cmd.exe 1 36->38         started        process9 40 dos.exe 3 38->40         started        43 conhost.exe 38->43         started        signatures10 71 Multi AV Scanner detection for dropped file 40->71 73 Machine Learning detection for dropped file 40->73 45 dos.exe 2 15 40->45         started        49 dos.exe 40->49         started        process11 dnsIp12 59 amegroupofschoos32.sytes.net 81.161.229.136, 4820, 49712 CMCSUS Germany 45->59 61 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 45->61 75 Installs a global keyboard hook 45->75 signatures13
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 21:02:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72aaasou5trtmic73a6fbr2h7rhx6ghezmxs5ahtpuhmc4abm3iq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
2d066636d5043a308a989edc747304d9087a60e7a0df3f021ce8b1642466cc52
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
808b1f23a0d9457d31d5abd083b2b81cc68b0a0d3a87e59e9e6d56d773dbde39
RemcosRAT
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
RemcosRAT
94798c0478f2ecebff0e05360bb8c6f4646fa267811d15e9d534c7067225df97
RemcosRAT
b7cc11f42808bc13ea70def8382654e7c9294eb30c42ed29d5eb9f2d7bbf9514
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601
RemcosRAT
+ 2'087 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ud-host persistence rat
Link:
https://tria.ge/reports/220910-b2dx8adbdj/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
amegroupofschoos32.sytes.net:4820
Unpacked files
SH256 hash:
a3c85c95ebfd6e42cb775f45cb11dcaa401d8e69b4f3826e520ee07159d44447
MD5 hash:
2d25fd27d40a970c09fd33f9c32d28c3
SHA1 hash:
ed1378f7203170e430083e624dc4c3de52100407
Link:
https://www.unpac.me/results/83e1465b-f857-4898-95ce-aa63ad6ea8f8/
SH256 hash:
fbe93d5ad7e71987cca3e13458042cbae044e84c1748e9f82b5506448bbff275
MD5 hash:
44a889ce18674ed68ac2e39b38af3016
SHA1 hash:
9d7af279d62707c61cb2a0e9ce43ee476c8ff40e
Link:
https://www.unpac.me/results/83e1465b-f857-4898-95ce-aa63ad6ea8f8/
SH256 hash:
a2f4f4303eb8585349b41c5d2c0dcd0ac713204d95d3716bcf995edbeea46373
MD5 hash:
df3127f6c6592defe33e3422e32ba705
SHA1 hash:
59c447549a241b41e088c20f07e669e42a049a29
Link:
https://www.unpac.me/results/83e1465b-f857-4898-95ce-aa63ad6ea8f8/
SH256 hash:
25f7c5d75a5c407b675d76ac54df3ca54b31de51ac64114f98c424027175f60c
MD5 hash:
f20c8e9ee4858bf0cc90bb06fe7024b3
SHA1 hash:
0d67ae6bb9f1f2301b345b2e1e2948d64ab246a4
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/83e1465b-f857-4898-95ce-aa63ad6ea8f8/
Parent samples :
fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
35da234a25a8e05a748bdb3d0e9cad042a3cac0b138d5e9d05fefe8ed62bed32
SH256 hash:
fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
MD5 hash:
3ab5d25f08cf7aaa6bdfbbf32025c5cb
SHA1 hash:
37a1fb2c0bdee0a5e568ce1357382be2bf54d2ad
Link:
https://www.unpac.me/results/83e1465b-f857-4898-95ce-aa63ad6ea8f8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe800049d4ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2298259/
Cape
Cape
https://www.capesandbox.com/analysis/309067/

Comments


Avatar
zbet commented on 2022-09-10 01:37:57 UTC

url : hxxp://81.161.229.156/UUG.exe