MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
SHA3-384 hash: bb9df7836c5b087fedaeb5efc484fda24800232fbb6ec75ed04486bceff8bb94c0a1ec333bd1f200e0d2a60060becc62
SHA1 hash: 960c3706dee2524b11b94c3836bc910749bfee45
MD5 hash: d2642b47198f8a10c4dbfa02545d2d49
humanhash: mars-mars-fanta-mexico
File name:05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'106'944 bytes
First seen:2023-04-05 15:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:ULU5+JhmD1Ado5tvUnVGG0UvGClc5uHPf:S45KdEvUVGGRl3HP
Threatray 1'788 similar samples on MalwareBazaar
TLSH T10A352316B6E2CF25C19C6BBDA9A71510037363AB1533F7492EC815D66F23BD90A01F8B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b8b4dcecf2b4c6c8 (13 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
Verdict:
Malicious activity
Analysis date:
2023-04-05 15:14:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7d83af0-3384-4b31-8b1f-85820944c86b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380374/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/642d90b2497fb6f23efd919c/reports/9811cbdf-01ef-4a1b-a21f-33c7ddfd1261/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cbb028b-fac4-4f52-997a-c8100c55b2be
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208996
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 841910 Sample: KqpoaZ2OkW.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 106 Malicious sample detected (through community Yara rule) 2->106 108 Antivirus detection for dropped file 2->108 110 Sigma detected: Scheduled temp file as task from temp location 2->110 112 6 other signatures 2->112 11 KqpoaZ2OkW.exe 7 2->11         started        15 jmZHGBd.exe 5 2->15         started        17 BIN.exe 2->17         started        19 2 other processes 2->19 process3 file4 90 C:\Users\user\AppData\Roaming\jmZHGBd.exe, PE32 11->90 dropped 92 C:\Users\user\...\jmZHGBd.exe:Zone.Identifier, ASCII 11->92 dropped 94 C:\Users\user\AppData\Local\...\tmpBF1C.tmp, XML 11->94 dropped 96 C:\Users\user\AppData\...\KqpoaZ2OkW.exe.log, ASCII 11->96 dropped 124 Contains functionality to steal Chrome passwords or cookies 11->124 126 Uses schtasks.exe or at.exe to add and modify task schedules 11->126 128 Adds a directory exclusion to Windows Defender 11->128 134 2 other signatures 11->134 21 KqpoaZ2OkW.exe 5 5 11->21         started        24 powershell.exe 21 11->24         started        26 schtasks.exe 1 11->26         started        130 Multi AV Scanner detection for dropped file 15->130 132 Injects a PE file into a foreign processes 15->132 36 3 other processes 15->36 28 schtasks.exe 17->28         started        30 BIN.exe 17->30         started        32 schtasks.exe 19->32         started        34 schtasks.exe 19->34         started        38 2 other processes 19->38 signatures5 process6 file7 84 C:\Users\user\AppData\Roaming\BIN\BIN.exe, PE32 21->84 dropped 86 C:\Users\user\...\BIN.exe:Zone.Identifier, ASCII 21->86 dropped 88 C:\Users\user\AppData\Local\...\install.vbs, data 21->88 dropped 40 wscript.exe 1 21->40         started        42 conhost.exe 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 conhost.exe 36->52         started        process8 process9 54 cmd.exe 40->54         started        process10 56 BIN.exe 54->56         started        59 conhost.exe 54->59         started        signatures11 118 Multi AV Scanner detection for dropped file 56->118 120 Adds a directory exclusion to Windows Defender 56->120 122 Injects a PE file into a foreign processes 56->122 61 BIN.exe 56->61         started        66 powershell.exe 56->66         started        68 schtasks.exe 56->68         started        process12 dnsIp13 102 ucremcz1.ddns.net 45.88.67.110, 1823, 49698, 49701 LVLT-10753US Bulgaria 61->102 104 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 61->104 98 C:\Users\user\AppData\Roaming\...\logs.dat, data 61->98 dropped 136 Maps a DLL or memory area into another process 61->136 138 Installs a global keyboard hook 61->138 70 BIN.exe 61->70         started        73 BIN.exe 61->73         started        75 BIN.exe 61->75         started        78 BIN.exe 61->78         started        80 conhost.exe 66->80         started        82 conhost.exe 68->82         started        file14 signatures15 process16 dnsIp17 114 Tries to steal Instant Messenger accounts or passwords 70->114 116 Tries to steal Mail credentials (via file / registry access) 70->116 100 192.168.2.1 unknown unknown 75->100 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-03-24 10:34:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=auuf5mful2wqbfecittkvah24ccja42bupwj5nkfrniuie62boiq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
RemcosRAT
1d0a51787f8726c44aa40f88422d01f084c4e533c2f190f4aef1696f9fd600d9
RemcosRAT
52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3
RemcosRAT
7e09b162052fa0f01f2d48609446e1cc66fea01afa412d5aee4cca9afa98fe52
RemcosRAT
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
RemcosRAT
dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25
RemcosRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
RemcosRAT
+ 1'778 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:uc persistence rat
Link:
https://tria.ge/reports/230405-snfckafe76/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
ucremcz1.ddns.net:1823
Unpacked files
SH256 hash:
bb016540432270c8976e9a11a2afccfd421a210c26451bb1a61e3bd6db1e4241
MD5 hash:
30dd9671cb8a9ee7217b3021f115bfb7
SHA1 hash:
c0fa007ef2afe9921f9df0cced7056e2e6258dc1
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a8b34f73-08fd-474d-b456-5a65ada5c4bf/
Parent samples :
1c3b5e967fb3efae83f711802606597cfd5454deb03f8d69cb68f9fef22d6e9b
ecb9ed9d6b4967e3f0bdf5abfe253e2c3b80919272b8427f02f5c33a6e815755
f19755963c94dc74b9f91b947ed0e54f7045d07d1acaa94faab62cdcb8f3cd27
c1cebdad413c58af5cdb7e0f77185381605296bd2544a8a05c7e3600a83a1ed7
fc2bcad21d96b3e31b27f0610209f0aa33fb1aa83504e8c346d390ac2da19504
05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
c85b76b0a102f76dd2e9b5fa71d6f9e599fccc63879a666b3d019d61d8e68101
394bf9a9a60175d3d7bc71aab92df900a59f2205435196129cad78ce7460140c
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/a8b34f73-08fd-474d-b456-5a65ada5c4bf/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ca690f978fd9fedf57b7413bf47ad5b5dc03f290ce3a8f98ff91c066cccfc549
MD5 hash:
817e397abed2582f8ddd6e53a5b4ee91
SHA1 hash:
0f39afb51f302da01257e31f1193573b511a0433
Link:
https://www.unpac.me/results/a8b34f73-08fd-474d-b456-5a65ada5c4bf/
SH256 hash:
4ce4638c4bfbcccf979ba24271030d329d56ea2828c6fafc965ad70e19fd3dcd
MD5 hash:
d39913a6ee47706ccde4256fa9ffd08c
SHA1 hash:
026398ed9476bd7c1ca7b29cc5e1b8e850f8a062
Link:
https://www.unpac.me/results/a8b34f73-08fd-474d-b456-5a65ada5c4bf/
SH256 hash:
38d57f2fd9c1befc31f221c4645ebe6f7c7f43078878374e647e5abe6bbc5465
MD5 hash:
6606708a940cec2b63fdd3ac493531d0
SHA1 hash:
7473c8dfa3564b69d03ea2a533c34a353b0a1bcc
Link:
https://www.unpac.me/results/a8b34f73-08fd-474d-b456-5a65ada5c4bf/
SH256 hash:
05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91
MD5 hash:
d2642b47198f8a10c4dbfa02545d2d49
SHA1 hash:
960c3706dee2524b11b94c3836bc910749bfee45
Link:
https://www.unpac.me/results/a8b34f73-08fd-474d-b456-5a65ada5c4bf/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/05285eb0b45e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05285eb0b45ead00948244e6aa80fae084907341a3ec9eb5458b514413da0b91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380374/

Comments