MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a
SHA3-384 hash: d2882d1bf0a91a8b513d3f2088f51d4dafe374bd0a3a1c679c7ead75a7c39588b3eacb8672cf0e6f11c3e91cf07f75ef
SHA1 hash: bde4253bc87f9311f25530fa57a83cc2b58460e6
MD5 hash: d00bc0bb8327bcd47bf1edf2f947f009
humanhash: sweet-lactose-july-blossom
File name:z58FAC0987690009000090.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:908'800 bytes
First seen:2024-02-06 20:27:32 UTC
Last seen:2024-02-14 14:12:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:Cx7nA7b6yCGFkEZqGLxi7MR0hlI0j/FKMhD+ZlNnX4UVFTWtim:Cx7nAH6y9F/ZJ9i7hhlBKMhiZlN4sFy/
Threatray 626 similar samples on MalwareBazaar
TLSH T1581523DC3A58593FD8F92AFC5940291E93F2FB6D1577E3D4CC941AA70ADAB104A0C84B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f269b44aadd268b0 (3 x Formbook, 2 x RemcosRAT, 1 x AgentTesla)
Reporter FXOLabs
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
8
# of downloads :
313
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a.exe
Verdict:
Malicious activity
Analysis date:
2024-02-07 03:17:04 UTC
Tags:
rat remcos stealer keylogger
Link:
https://app.any.run/tasks/7852d0c8-4e83-4645-8cfd-3b9ca34c86ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474937/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2511.30919.16814.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/65c2965caad213d35d5ec879/reports/654b7ea1-651d-4ec9-b546-9234a4ab4ee2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63901192-05d3-4ae6-a697-95c91c8585cb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387837
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1387837 Sample: z58FAC0987690009000090.exe Startdate: 06/02/2024 Architecture: WINDOWS Score: 100 54 geoplugin.net 2->54 64 Snort IDS alert for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 12 other signatures 2->70 8 z58FAC0987690009000090.exe 7 2->8         started        12 HbbKHWNWN.exe 5 2->12         started        signatures3 process4 file5 48 C:\Users\user\AppData\Roaming\HbbKHWNWN.exe, PE32 8->48 dropped 50 C:\Users\user\AppData\Local\...\tmp9D19.tmp, XML 8->50 dropped 72 Tries to steal Mail credentials (via file registry) 8->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 76 Adds a directory exclusion to Windows Defender 8->76 78 Injects a PE file into a foreign processes 8->78 14 z58FAC0987690009000090.exe 3 15 8->14         started        19 powershell.exe 23 8->19         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        80 Multi AV Scanner detection for dropped file 12->80 82 Contains functionality to bypass UAC (CMSTPLUA) 12->82 84 Contains functionalty to change the wallpaper 12->84 86 5 other signatures 12->86 25 schtasks.exe 12->25         started        27 HbbKHWNWN.exe 12->27         started        signatures6 process7 dnsIp8 56 107.175.229.139, 49732, 49733, 8087 AS-COLOCROSSINGUS United States 14->56 58 geoplugin.net 178.237.33.50, 49735, 80 ATOM86-ASATOM86NL Netherlands 14->58 52 C:\Users\user\AppData\Roaming\aka\yes.png, data 14->52 dropped 60 Maps a DLL or memory area into another process 14->60 62 Installs a global keyboard hook 14->62 29 z58FAC0987690009000090.exe 14->29         started        32 z58FAC0987690009000090.exe 14->32         started        34 z58FAC0987690009000090.exe 14->34         started        36 z58FAC0987690009000090.exe 14->36         started        38 conhost.exe 19->38         started        40 WmiPrvSE.exe 19->40         started        42 conhost.exe 21->42         started        44 conhost.exe 23->44         started        46 conhost.exe 25->46         started        file9 signatures10 process11 signatures12 88 Tries to steal Instant Messenger accounts or passwords 29->88 90 Tries to steal Mail credentials (via file / registry access) 29->90 92 Tries to harvest and steal browser information (history, passwords, etc) 32->92
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-02-06 15:07:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ay7i3qyi72q7nkzery3qjckmqmi3qwkzgapghcnol3svojxdxiva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2db991b9ae725ec59f9a29654e4c5f8d2bf363662cfa8d271a8692fea4883744
RemcosRAT
7d5fb292b4477237a05a35eb135a13c9f6d1177987217e94c3558b91fa97c285
RemcosRAT
9c6493910b2ebd8fc274c1bd93ca54205f124aa1484aa4d17bbe7bee10cd3ff6
RemcosRAT
a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946
RemcosRAT
d9c0ac6c117e35a6b1423e933e975eba76102d7a4bc864b43d9801fa711fa5a4
RemcosRAT
fdbce12941b40f0a4be868f3034eee854add3b2193fd7b6cc9df4c2c1fec1778
RemcosRAT
+ 616 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/240206-y8zjtshbfk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Unpacked files
SH256 hash:
6edc7cb5271655eb893ef15120eff10cc6cc139512a0c242f91b90fba27076af
MD5 hash:
fb706c71306d377d489c6f7f4e4e3232
SHA1 hash:
52864807a001f968c7d7ce929d70793bf86bc6aa
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/beb096db-d0a8-4f25-b99f-cbcb455f4e9c/
Parent samples :
905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76
20a6b7999fb3ff90688026a1c27ba38b36a2b164f949fc340373832388abf727
9495e0f3e772cc191122fe78219f48ecba27aabb814d9c9c5116e019ff37dbf7
063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a
d49d62c643b50bf3244c59a483309cfbd227386bc68a95fbae0adbad87aa34af
f73e8d1f28812d763bbe7854b60a34b6b86b997944135480862304e9893830dc
3e21b228b8e069458460dc632de5d378f51ff7438a26197c50193580ec68e78d
e55772f5522dfeefe0f5004aa6781c10290d3fb4e0fdf246c0893114baec051c
a6a3d95c04dca683d66b1e6dcf729a7ad0811c7bd7f9c19aa7076ba28f66fd0b
7fe4e53ab09ec648bd7cf8e6563dded6ae5591988cbfd05062420dceeb2ce2f2
15dab0e3dfa44f1bee01b858a4a32cd2b4dd83c4b059450adb60cd68ef6d7a59
a745120f8c630fc43742d0127740278ea80a9f397833f2aef584d20924588191
42460c32bf624fab49e385e8bb9efe77dc1f3c73ab82401fd072433268aa9ec5
ba3620d676a6fc5516ac7c962349ce9cafe964489080c00a4a0d38d4372bad67
5fe1de0adf99f8dff660c75a7e9f2c1d0720f6694f63a7aa406fc16f8bf498d3
2a27d03dbf5754170f5b096506af34a6ad46fa386bf05500b559c6cd210eb4f7
7946865787ec14985dbeb9fd9b08f426a2aabe834e5110b9f22f3c6dcede79b2
7589ffb799213de396869e27f027e07fc5f04177401255af211079a594c09a09
60f400af52d794d640cf91ea3ad8ce901fbee155039a442abe15a2d79fd053d9
SH256 hash:
04bf7ce1da4e3158d36db2660b550aeffd925d9dd1263be60f003aa728899544
MD5 hash:
5bbeeca05c6014e79632284d4bc679ab
SHA1 hash:
2b5b730b4bcdf81293725ee15e2d691ca17a7922
Link:
https://www.unpac.me/results/beb096db-d0a8-4f25-b99f-cbcb455f4e9c/
SH256 hash:
cb319974d7a355a8d22debf9b2d9abb19b80ac2675bcd17f77eb8f7b847a36c5
MD5 hash:
90c9a268091c9b0bfd86cff184e7d984
SHA1 hash:
1294ecc0348b2ff9ff12b976d91062b0715671cb
Link:
https://www.unpac.me/results/beb096db-d0a8-4f25-b99f-cbcb455f4e9c/
SH256 hash:
a3b82e2d17f660c450ba4dae95a26b906f12626462a4bb9a6c2833071dd9faf5
MD5 hash:
cf3241f04cc546fa617566e84b5c1793
SHA1 hash:
0b9cbe0c45fba268857e11ad4d71105193c19d02
Link:
https://www.unpac.me/results/beb096db-d0a8-4f25-b99f-cbcb455f4e9c/
SH256 hash:
063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a
MD5 hash:
d00bc0bb8327bcd47bf1edf2f947f009
SHA1 hash:
bde4253bc87f9311f25530fa57a83cc2b58460e6
Link:
https://www.unpac.me/results/beb096db-d0a8-4f25-b99f-cbcb455f4e9c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/063e8dc308fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/474937/

Comments