MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0
SHA3-384 hash: 4a9d0bf206795eb516115ec638763d9b88aad908d6e7d73a080aa59ec18ddc09db35aa5f2bb8afcbcc72fab9a7567b96
SHA1 hash: a7295920c52685e50dabe8ff6663f6cf36e2e2bb
MD5 hash: c9f1d6b436d6bb9ca5d41b35a230dad4
humanhash: winter-echo-echo-alpha
File name:SOA as of 29-09-2022.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'171'456 bytes
First seen:2022-10-24 19:22:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:B81fEu5rp0t3zC22i75bYseg3eB/+Ho4NG4ExLyjKWPdqt/7J8BzUjgePspXCbIz:B8xpIO41Ysu+I4NkGPlmltpPspXaUvT
Threatray 3'580 similar samples on MalwareBazaar
TLSH T1CD459DB626D50217E42972759083E5F326FBAE506041E1C7A1D74F6FBC812BBD62338B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SOA as of 29-09-2022.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 19:27:18 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/2b5ac9c3-7778-45e3-a51e-6a22fb08eb2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323617/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f667f04a-7c49-4d90-b176-c6ed563930b8
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096913
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729551 Sample: SOA as of 29-09-2022.pdf.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 12 other signatures 2->50 7 SOA as of 29-09-2022.pdf.exe 7 2->7         started        11 ravskC.exe 5 2->11         started        process3 file4 32 C:\Users\user\AppData\Roaming\ravskC.exe, PE32 7->32 dropped 34 C:\Users\user\...\ravskC.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpE753.tmp, XML 7->36 dropped 38 C:\Users\...\SOA as of 29-09-2022.pdf.exe.log, ASCII 7->38 dropped 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 13 SOA as of 29-09-2022.pdf.exe 2 2 7->13         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 22 schtasks.exe 1 11->22         started        24 ravskC.exe 11->24         started        signatures5 process6 dnsIp7 42 185.136.170.229, 1960 VELIANET-ASvelianetInternetdiensteGmbHDE United Kingdom 13->42 40 C:\ProgramData\remcos\logs.dat, data 13->40 dropped 60 Installs a global keyboard hook 13->60 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 15:25:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=airs3uksxwyxi4tg2hqjodrxwjb5z4whlk7nzkz55whaj3rindya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
4c26268e01117b5cf41d2f14689452912d708e64af0040ed75a40c94b0a943ea
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
RemcosRAT
+ 3'570 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost kaptain rat
Link:
https://tria.ge/reports/221024-x3snnaaccq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
185.136.170.229:1960
Unpacked files
SH256 hash:
9a2e448055eb88b824442ad8d1d6506ce9be2dad3a2d519b89cd11c28f93731f
MD5 hash:
69838bfbfdc85f19c6d7d69fc6855912
SHA1 hash:
d2c3e89b3f705d8e04d5880260945d9d18ddab54
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/069ea3ef-8f3f-4032-ad3b-c8b1cf4f135b/
Parent samples :
a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e
cf85ece20b01cf286079c455bf6cf3dc6a2fce9386641f4458edf2bdc7bbf65a
f5faaf973c1d19ec62c271762f887d0a419e5d17ffc8a385e13728867aa1620a
02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0
SH256 hash:
3f3f4596459846866a025a799062a9b916a618e779c4d94e81f6b13babc50ab1
MD5 hash:
11d4cd6eae7a1bff924f18fef1c5d3a9
SHA1 hash:
b733c4ce0b791fe6f4a03efdeb9e6f06c3a44cac
Link:
https://www.unpac.me/results/069ea3ef-8f3f-4032-ad3b-c8b1cf4f135b/
SH256 hash:
32e1cace9dedbeb56c6f8f317dc3d6d8962eca0b338386b0d64dc018be10fc9d
MD5 hash:
b7aad37e1a1fd66cc94b47197c425d56
SHA1 hash:
685115cd06faf2e12df689f49465e5dc3d9065a3
Link:
https://www.unpac.me/results/069ea3ef-8f3f-4032-ad3b-c8b1cf4f135b/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/069ea3ef-8f3f-4032-ad3b-c8b1cf4f135b/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/069ea3ef-8f3f-4032-ad3b-c8b1cf4f135b/
SH256 hash:
02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0
MD5 hash:
c9f1d6b436d6bb9ca5d41b35a230dad4
SHA1 hash:
a7295920c52685e50dabe8ff6663f6cf36e2e2bb
Link:
https://www.unpac.me/results/069ea3ef-8f3f-4032-ad3b-c8b1cf4f135b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/323617/

Comments