MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a3c580cbf48fdcc0bfd313eb490b1a45690c71b5bcedf386c8e4e3f1fe0581. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07a3c580cbf48fdcc0bfd313eb490b1a45690c71b5bcedf386c8e4e3f1fe0581
SHA3-384 hash: aa9a3e001f0bf545177b9ac93ef810b5b845e107aa0ee45d4be58dd2aa111f81ae92fc4ddb210d64914914b2543d2dab
SHA1 hash: ac87d1a9565defc3c3b8bbc315c4e5d4013330bb
MD5 hash: d960d444a42ab3d68c7592d6cf619f89
humanhash: mississippi-aspen-fish-seven
File name:Inquiry No. 301-2022-ST00.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:833'536 bytes
First seen:2022-04-20 07:17:42 UTC
Last seen:2022-04-20 12:46:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:x5kaJgFqFXrKPK677IUWwY8bU19H49Qm/rn35DtJ:x1J45C677IUlbgYQmr5Dt
Threatray 1'968 similar samples on MalwareBazaar
TLSH T12805220895E843D8E87F17FD9E76B640D7FAD8736A0AF70D0E8A68C57AE73428444931
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264821/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.6696.20480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed remcos update.exe
Link:
https://www.filescan.io/uploads/625fb3adeab80a7a6c48826c/reports/1c22cde4-9b0c-494c-8af4-df65b0494478/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/551fa38a-18e8-493f-b063-5b6afa719ef9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/979355
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07a3c580cbf48fdcc0bfd313eb490b1a45690c71b5bcedf386c8e4e3f1fe0581/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 02:45:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6r4lagl6sh5zqf72mj6wsildjcwsddrww6o344gzdsoh4p6awaq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2d6b7a5513ed0cb451701bb494fb87382061195c115ede553f062b4fc0fd4f97
RemcosRAT
48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7
RemcosRAT
7b5f70276fe64b0ec64ff186af6706b1dbbf2e2dc69e4b1546745b293121116f
RemcosRAT
902f4adc25817f82a216b60a7658cb9a267e877ea0197d69cc279fc02ba4906d
RemcosRAT
a4b821d0cadc92c344c8b60f5290a5e5520fd1fb3813b88c529c48d285b72c63
RemcosRAT
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
RemcosRAT
c530ab34e439bbcaf995290504072a5f77ec085e2ef485e4ef324b7a957f5738
RemcosRAT
+ 1'958 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:more rat
Link:
https://tria.ge/reports/220420-h4x77shgcn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
kashbilly.ddns.net:6060
Unpacked files
SH256 hash:
e649e0d6c577aac4d57e7093d75b1dafcbf641f62110d177a9286749846ddc43
MD5 hash:
ecb7908b31c84e773559219d97756922
SHA1 hash:
ec70bff9e7e0f25b35e99a197a493b41b7553022
Link:
https://www.unpac.me/results/4ac88401-3c57-42e5-8082-ea251c2e8113/
SH256 hash:
d130b2d5440d69b92d127640decd8feca9661fbc03a93a39023b3ec8b589dec7
MD5 hash:
085c646c94caa963841ffc1bfa6d20eb
SHA1 hash:
cf06f6590c32379cfb01db776398df15d341f741
Link:
https://www.unpac.me/results/4ac88401-3c57-42e5-8082-ea251c2e8113/
Parent samples :
8c45a06d9b4a601333c206c47747108e511e9609b184a26de49b925e463ed808
0d08258ee5cde4341d641b04c11d01427309a865ef0ae0601d5a8663ae3a79eb
287899f0c2ed9274def6614ce3f658335cb1f832e1afbfc1d8e3076bdf097054
e9f0de091b5fd4d63fb10f0deca4e360a78341675f2bbef4c03f8cb89c081844
451ab9846f3c63a6b5f2e25ab5f58bb4180cf414062f52e280bd98eafea81963
36eae83dd16e98d3f62475ff48c33f731651e41ff52b0558b509d7a4d665e0b8
SH256 hash:
1a8ed6847f5d8b98a310e3d3a6a69fb03eacfa8ceb34648037d67a0c19ab7351
MD5 hash:
36b96d1dff037560a39046e0fe24db33
SHA1 hash:
bbe379cbfada551c5d9d63a71651127b50a08c7d
Link:
https://www.unpac.me/results/4ac88401-3c57-42e5-8082-ea251c2e8113/
SH256 hash:
f1995c0e8836e408366b146e12538f7ab5138d8a718b18d3e89a973d5006305c
MD5 hash:
ffb3f03a3613fa9f6eb66750f2cd8755
SHA1 hash:
2855ad2de31bf1c9bf39b85f9ec89b60f3485e7e
Link:
https://www.unpac.me/results/4ac88401-3c57-42e5-8082-ea251c2e8113/
SH256 hash:
07a3c580cbf48fdcc0bfd313eb490b1a45690c71b5bcedf386c8e4e3f1fe0581
MD5 hash:
d960d444a42ab3d68c7592d6cf619f89
SHA1 hash:
ac87d1a9565defc3c3b8bbc315c4e5d4013330bb
Link:
https://www.unpac.me/results/4ac88401-3c57-42e5-8082-ea251c2e8113/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07a3c580cbf48fdcc0bfd313eb490b1a45690c71b5bcedf386c8e4e3f1fe0581

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 07a3c580cbf48fdcc0bfd313eb490b1a45690c71b5bcedf386c8e4e3f1fe0581

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/264821/

Comments