MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f
SHA3-384 hash:	b5ac332c449352cdc4b6b2fb4d5f50bef626be35154c78a4021f3b274ac0b5d715549edb3d63162a17f210c3c3a3773b
SHA1 hash:	a5686f42071824d5203c1d3a2e9c7243bba8fc49
MD5 hash:	449274051e74b76e58b44fc4a7d624cc
humanhash:	mexico-eight-kentucky-steak
File name:	ORDER 06.10.2023.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'063'936 bytes
First seen:	2023-10-09 09:34:45 UTC
Last seen:	2023-10-09 10:50:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:Oi07s9aXrxkoEyM1C0lGqRjl4w7xOwO/dcPayP:AHtUHllRjSw7tOlR
TLSH	T1D035025496EDCE7AD4B907F8653010100BB2AECB0602E39DDDCD78FA9835B1366A4D7B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter	lowmal3
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2431.26920.14438.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6523c948426c8727d6f55f35/reports/c1be513e-ac06-46de-afdf-40615f1fb78f/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/34849f20-0956-42d1-8a44-c617513f2fda

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1322077

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-10-06 11:25:14 UTC

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ahigynlk2dtfyvvwo65zwtwvc4xwcd7jfo3vmexbt4vtny2cdehq._file

Verdict:

malicious

Label(s):

remcos

agenttesla

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/231009-lkcnyabh6w/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

167.114.189.33:2404

Unpacked files

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/a7c9f570-dd6d-4c1a-ac36-8d222e39cc56/

SH256 hash:

cd9df6d678f9a6294c550300f33707e6dd10c2ea702ca6ee49a33fc24bbde208

MD5 hash:

6127afe2e7d6cc865b9e892000aa56fd

SHA1 hash:

e7707a00870becef3d4764b8bcea15d97170888c

Link:

https://www.unpac.me/results/a7c9f570-dd6d-4c1a-ac36-8d222e39cc56/

SH256 hash:

af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b

MD5 hash:

ec0b80883f0b18fb75a48dd18795f514

SHA1 hash:

afe9537c27362b6769a1df0ad414b8e58d34ea40

Link:

https://www.unpac.me/results/a7c9f570-dd6d-4c1a-ac36-8d222e39cc56/

SH256 hash:

0c65cc63943ef047c4604d51017264cb699337750d110c3b9558c3b6d9b218d0

MD5 hash:

d3dbba0102a129dfd4009d5886d9f11b

SHA1 hash:

8e9a6b10047ba4e99e82a9b09bd79335830e74a6

Detections:

Remcos

win_remcos_w0

win_remcos_auto

Link:

https://www.unpac.me/results/a7c9f570-dd6d-4c1a-ac36-8d222e39cc56/

Parent samples :

8851e86e484da01c9cc4aafb401df05999ea4d61c128a236ef9d002a13aeda78
41e5e1da54fb730fb90a677edcc8a725d62cbddfdfb7e8d25aa4267de18f7118
4f827733e06b0ec1cb7edf3b3982487e6be429842e0cb09ff7900771ab58e8bb
455b4cd97ab95cd380baa5060f7cc787f917ddf1d03c873519b2394db4fe0302
0c65cc63943ef047c4604d51017264cb699337750d110c3b9558c3b6d9b218d0
ca3eaa04774a75d793a2e06e566457f10e464d92dd1f193413ad285981773a96
bd9df3adf1e6c84fcab2206d63d2f02e3f1ce1b715c09459d21ff47c09cac2f8
91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68
b2fc36f6f4e72e2700737425abab14e4d75a190195c7cd8397cb9ae9761ec34b
9103e2815438759a349705607f3be586c2129551e74cd2a875a04faab7ac43a9
f7838011d80f88b2b618bb27382f58ab8d96b9d6ead76c17ece8b19e2a7403a2
4ff54bc771dc97403996794c50ded1a97b000c3f6eeff64afe3d049735e6bcdc
8be324c37f356ce39300e054d452a5d5aa215449a25f431371aab8585d234d2b
e98b47568deded212c6c6aaf8157929f5db1254a49a5e47c84e36d4d954ff21f
f4c3fd0e00326b94391240d6f460ef2501f5985e6e09d3e2e4728441c91417e2
01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f
1c6b0eb5c224c46a65fb5022852905a1293a148bd97bb81593b813e8ed814ba8
5d8702a242d06cfeb840c8a6fbf8d2bdd3f7e2c58f8c1cc0d74135cc9c1baeb4

SH256 hash:

01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f

MD5 hash:

449274051e74b76e58b44fc4a7d624cc

SHA1 hash:

a5686f42071824d5203c1d3a2e9c7243bba8fc49

Link:

https://www.unpac.me/results/a7c9f570-dd6d-4c1a-ac36-8d222e39cc56/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/01d06c356ad0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample