MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9
SHA3-384 hash: 740cc403b1809f2dc791592c163c336aed063275094b02af10ec3a7650432a91018af1824f3542b1d37e3bb713914750
SHA1 hash: 1c1966203f98ce9a5bdec4aeaa7d576a754d6934
MD5 hash: dc92ff1b7a14d65571e1d8c26f4f6f31
humanhash: jersey-bravo-speaker-oscar
File name:dc92ff1b7a14d65571e1d8c26f4f6f31
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:379'392 bytes
First seen:2021-06-25 16:05:03 UTC
Last seen:2021-06-25 18:40:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:ZjFGaJft0N5x0rvgz+o58AX+BYbctjxrYm7uAFMYt9ofYwK9:vGaJljrvEsAXXbeQAFMYt9ow/9
Threatray 1'838 similar samples on MalwareBazaar
TLSH 28846BBC36A035EEC86BD6B99AA83CA5EA657577530B8206801301DD9E0DBC7DF105F3
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dc92ff1b7a14d65571e1d8c26f4f6f31
Verdict:
Malicious activity
Analysis date:
2021-06-25 16:08:55 UTC
Tags:
trojan rat remcos stealer
Link:
https://app.any.run/tasks/4805e8d6-5057-4ec3-a6f8-e87c97a38397

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168361/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.13148.7648.4035.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53035198-8bfe-49f4-a377-f4642e389e5b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808221
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MS Office Product Spawning Exe in User Dir
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440632 Sample: ZzkrEcK37s Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 8 other signatures 2->67 10 ZzkrEcK37s.exe 3 2->10         started        14 EXCEL.exe 2 2->14         started        16 EXCEL.exe 2 2->16         started        process3 file4 53 C:\Users\user\AppData\...\ZzkrEcK37s.exe.log, ASCII 10->53 dropped 77 Contains functionality to detect virtual machines (IN, VMware) 10->77 79 Contains functionality to steal Chrome passwords or cookies 10->79 81 Contains functionality to capture and log keystrokes 10->81 87 2 other signatures 10->87 18 ZzkrEcK37s.exe 1 5 10->18         started        83 Injects a PE file into a foreign processes 14->83 85 Injects files into Windows application 14->85 21 EXCEL.exe 14->21         started        23 EXCEL.exe 14->23         started        25 EXCEL.exe 16->25         started        signatures5 process6 file7 49 C:\Users\user\AppData\Roaming\...XCEL.exe, PE32 18->49 dropped 51 C:\Users\user\...XCEL.exe:Zone.Identifier, ASCII 18->51 dropped 27 cmd.exe 1 18->27         started        process8 signatures9 89 Uses ping.exe to sleep 27->89 91 Uses ping.exe to check the status of other devices and networks 27->91 30 EXCEL.exe 3 27->30         started        33 PING.EXE 1 27->33         started        36 conhost.exe 27->36         started        process10 dnsIp11 93 Multi AV Scanner detection for dropped file 30->93 95 Detected unpacking (creates a PE file in dynamic memory) 30->95 97 Machine Learning detection for dropped file 30->97 99 3 other signatures 30->99 38 EXCEL.exe 1 3 30->38         started        55 127.0.0.1 unknown unknown 33->55 57 192.168.2.1 unknown unknown 33->57 signatures12 process13 dnsIp14 59 KJJJK.3dxtras.com 136.144.41.183, 49739, 49740, 49743 WORLDSTREAMNL Netherlands 38->59 69 Installs a global keyboard hook 38->69 71 Injects a PE file into a foreign processes 38->71 42 EXCEL.exe 38->42         started        45 EXCEL.exe 38->45         started        47 EXCEL.exe 38->47         started        signatures15 process16 signatures17 73 Tries to steal Instant Messenger accounts or passwords 42->73 75 Tries to steal Mail credentials (via file access) 42->75
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 06:47:39 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
023946cb10325407c30c9ec45ecd241d5e0e3f9ebaeffe2ab12f8cd5f0646013
RemcosRAT
10c5df44b26355f12a62e1243923e9156150f7c86c0ee0f0b25555fae9fca5bd
RemcosRAT
3ce969a94f4bc8dec526e3551626d7e3639bae986304deba85e8f29f039fe345
RemcosRAT
4c11b7fb217b3675e60d659ce0a2c3eee1bdbd3e3ddba1ad6d762878f62534d1
RemcosRAT
5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
RemcosRAT
5f4e4a43a01b235d781c6888198b18750529dda9fc4727727940115090e06a6d
RemcosRAT
762d689595557fa3064907433659411b95132e554f7d17fcf62d1a77db51e3e5
RemcosRAT
ac7d008a3ac44bc8dfe3edbbc8542ed5b51bcf911b67eb8e9a715ebb5250ad27
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
eeddb4eb1252a45f5a8246d68dc6557f3e0c6f264a0a6f42e81d041c53864a48
RemcosRAT
+ 1'828 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:host persistence rat spyware stealer
Link:
https://tria.ge/reports/210625-wcvfmhfl1e/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
KJJJK.3dxtras.com:7003
Unpacked files
SH256 hash:
d6d88b28ab462e0b15e38773f9883f27070e67610f20786a12bcc51120e557a6
MD5 hash:
9f7cfd831eb0aaf6cd796443ccebb9af
SHA1 hash:
024c65c3b37542519b71d5ae7f472b9d6a8cbd45
Link:
https://www.unpac.me/results/6a4e2e43-8aef-4a93-94b9-bd468a18285d/
SH256 hash:
d728edae920af6ea407bf8b679d4afa3c80cfdccb63159d5bde509713b53d88c
MD5 hash:
fcf4fb660d6ca81cfabae45e4ef81e61
SHA1 hash:
1ceba20006bc0c09be6ac04d786632d89441dd7b
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a4e2e43-8aef-4a93-94b9-bd468a18285d/
Parent samples :
ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9
f19b2e31a0bc55cb5d4ab540605cfeffca6dd241cbe4e96e065d403a7273534a
463f7c4188aeeeea4da33b41fb0c420a3e9a7855e8e2a139add7d255153ea7ee
de7ce842fcb7346c2bbdf01da4e6d0d8e2ca20332b880fe8ada7d66ed184d630
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/6a4e2e43-8aef-4a93-94b9-bd468a18285d/
SH256 hash:
ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9
MD5 hash:
dc92ff1b7a14d65571e1d8c26f4f6f31
SHA1 hash:
1c1966203f98ce9a5bdec4aeaa7d576a754d6934
Link:
https://www.unpac.me/results/6a4e2e43-8aef-4a93-94b9-bd468a18285d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ff91b720363ded7601beba0c3b9f73c4cd677c79e88f9b82113073d0691df7a9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168361/
  
URLhaus
https://urlhaus.abuse.ch/url/1398049/

Comments