MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148
SHA3-384 hash: 30e1a71761ef5cd2ab8e205b523c0714dbe8b1761dc84887440cfbbda125b62a9e74555fd141e33150685a207513a049
SHA1 hash: e1bfd5c9493aac048af6a03d2003abdfbf64d31c
MD5 hash: 4d83e58ab22eda61302b755a827ffa57
humanhash: eighteen-sodium-hotel-stairway
File name:4d83e58ab22eda61302b755a827ffa57
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'246'720 bytes
First seen:2022-12-02 00:10:24 UTC
Last seen:2023-08-27 09:02:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:QwqpTiwAAgEEY4+FsS9ous35qIw9L7Zl1V3fWGKso5KF9Qgs:ATQp+GZJ/w9Ln1VnzuU9Qgs
Threatray 2'444 similar samples on MalwareBazaar
TLSH T12A45AE62D7B1C946F93388EEA3DC9B514CA851C148A84849CD173E905E78C6BF4FC9FA
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
proforma invoice.doc
Verdict:
Malicious activity
Analysis date:
2022-12-01 14:08:10 UTC
Tags:
exploit cve-2017-11882 loader rat remcos
Link:
https://app.any.run/tasks/578620d8-5057-4b6f-939f-524e5db26436

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/341663/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63894298579915b6b303ef40/reports/b972fbde-e1ad-43d3-b32d-252876fc769c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17e6eada-7371-4880-bc8d-6c45d6e438e6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126109
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 758830 Sample: 30x4Wzu6Fj.exe Startdate: 02/12/2022 Architecture: WINDOWS Score: 100 62 Multi AV Scanner detection for domain / URL 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 68 10 other signatures 2->68 11 30x4Wzu6Fj.exe 3 2->11         started        14 remcos.exe 2 2->14         started        17 remcos.exe 2 2->17         started        process3 file4 50 C:\Users\user\AppData\...\30x4Wzu6Fj.exe.log, ASCII 11->50 dropped 19 30x4Wzu6Fj.exe 5 5 11->19         started        76 Injects a PE file into a foreign processes 14->76 22 remcos.exe 2 14 14->22         started        26 remcos.exe 17->26         started        signatures5 process6 dnsIp7 44 C:\ProgramData\Remcos\remcos.exe, PE32 19->44 dropped 46 C:\Users\user\...\youctbjglbdpcwwipv.vbs, data 19->46 dropped 48 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 19->48 dropped 28 wscript.exe 1 19->28         started        52 45.139.105.174, 3111, 49696 CMCSUS Italy 22->52 54 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 22->54 74 Tries to harvest and steal browser information (history, passwords, etc) 22->74 file8 signatures9 process10 process11 30 cmd.exe 1 28->30         started        process12 32 remcos.exe 3 30->32         started        35 conhost.exe 30->35         started        signatures13 56 Multi AV Scanner detection for dropped file 32->56 58 Machine Learning detection for dropped file 32->58 60 Injects a PE file into a foreign processes 32->60 37 remcos.exe 2 1 32->37         started        40 remcos.exe 32->40         started        process14 signatures15 70 Writes to foreign memory regions 37->70 72 Maps a DLL or memory area into another process 37->72 42 iexplore.exe 37->42         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 17:04:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anmyoswjxy26s2kqb77fkiuy5igiavvvdshkydr6qnofmtxtsfea._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
06b2052e224e19c8956871c8d1c29baa5bb9732a7981d940063d955be6b471e1
RemcosRAT
1e48f5be58b577bc76423894dadf647800f1da1afab2f3c1c82c08f3b66b4981
RemcosRAT
47884208f8a644ae2107eecef208a905e03839cb331ccf0dc6c50a72e969b17a
RemcosRAT
4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861
RemcosRAT
7337db69a20a40af35453369ceabe00d6bff13e5ba8199a294f7bad7c0ee007d
RemcosRAT
7666415f1d2f03e6a14e4f058b012ec6ed4a77cd3ecd1398817b2ac97b25cbc5
RemcosRAT
7d6e946592986be2a5f72c17860a55fcd18a8a42aa9b8ae32069627ad2539796
RemcosRAT
902b8354b83848d9ebffb587eae97814fc98b3a71c16c4b2b97d306cf02148a0
RemcosRAT
+ 2'434 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/221202-agm5qaec44/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
45.139.105.174:3111
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/77654cfb-e60e-4086-9cf9-a1daaedcebc5
Unpacked files
SH256 hash:
8acb8ff6a5565f9d8b56e2712858db04e577c53906c8045fa43bdf1e7669120a
MD5 hash:
8f6f561ec65b393126f5b648f890e78a
SHA1 hash:
cea6ff88ba56fcfdcf5992b5b35ec2accbd234a3
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0c8c8e2-5de6-4888-82b5-1db9a9557306/
Parent samples :
88729c3c2f0d440cb964a0b14af9f726a961700288ea860cc8db492685ca4546
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/c0c8c8e2-5de6-4888-82b5-1db9a9557306/
SH256 hash:
260a109ef504d521d666c714aff3b4bd825cc2fd463cb4678cb027afda9fea8e
MD5 hash:
64ff345f4bdf3a4f770174156e2a6f27
SHA1 hash:
7ce8bb4ec07f010461316c1ef3621091a00766de
Link:
https://www.unpac.me/results/c0c8c8e2-5de6-4888-82b5-1db9a9557306/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/c0c8c8e2-5de6-4888-82b5-1db9a9557306/
SH256 hash:
80f06bab276015a85cc6944fcdc30ce65bb75d5edb3db760d46bd4c80a997b7b
MD5 hash:
c70cec3cbb02fcaddf9e17835829fd44
SHA1 hash:
1dc2710769952964f1dfef00135e23032ff68450
Link:
https://www.unpac.me/results/c0c8c8e2-5de6-4888-82b5-1db9a9557306/
SH256 hash:
0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148
MD5 hash:
4d83e58ab22eda61302b755a827ffa57
SHA1 hash:
e1bfd5c9493aac048af6a03d2003abdfbf64d31c
Link:
https://www.unpac.me/results/c0c8c8e2-5de6-4888-82b5-1db9a9557306/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0359874ac9be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 0359874ac9be35e969500ffe552298ea0c8056b51c8eac0e3e835c564ef39148

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2440886/
Cape
Cape
https://www.capesandbox.com/analysis/341663/

Comments


Avatar
zbet commented on 2022-12-02 00:10:26 UTC

url : hxxp://208.67.105.179/bigletterzx.exe