MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 082baf651937a61c656a7166f6e672341808068663c21bd4111feccf71b78983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 9

SHA256 hash: 082baf651937a61c656a7166f6e672341808068663c21bd4111feccf71b78983
SHA3-384 hash: 5abc0e363932a7059e677170c01e064a3727a8d8b791e965715e7beb0e635d76f21ebf31ed601ebe91470bf00f682e3d
SHA1 hash: eb0d35a80550db99c1adc40c1ceae3f015a683ed
MD5 hash: eb7a5438f88f49074ea39ae1403ada1d
humanhash: louisiana-foxtrot-zebra-triple
File name: PO#BTX18000211.exe
Signature: RemcosRAT
File size: 1'029'120 bytes
First seen: 2021-10-29 06:18:30 UTC
Last seen: 2021-10-29 11:03:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f5ed924d88345a5aae215811a2cff84 (6 x RemcosRAT, 4 x Formbook, 1 x DBatLoader)
ssdeep: 12288:qXIL69gWfTG2pMP1o6C+8zix8sdaPp62E4Ja6NuLpjqayC94M0LdEegD:q4uBfTG2pM9o6NN+swhY4tMjF9Bey
Threatray: 470 similar samples on MalwareBazaar
TLSH: T19C25AE2167D2A036C0B79E785D5B8A442807FF317E25BC8236F89C8CBEB91096D7D593
dhash icon: e4eee286acb4bcb4 (16 x RemcosRAT, 12 x Formbook, 3 x DBatLoader)
Reporter: lowmal3
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 4
# of downloads: 139
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a window
  DNS request
  Connection attempt
  Sending a custom TCP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Contains functionality to inject code into remote processes
  Contains functionality to steal Chrome passwords or cookies
  Contains functionality to steal Firefox passwords or cookies
  Creates a thread in another existing process (thread injection)
  Delayed program exit found
  Detected Remcos RAT
  Found malware configuration
  Icon mismatch, binary includes an icon from a different legit application in order to fool users
  Initial sample is a PE file and has a suspicious name
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  Uses dynamic DNS services
  Writes to foreign memory regions
  Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 511497
Sample: PO#BTX18000211.exe
Startdate: 29/10/2021
Architecture: WINDOWS
Score: 100

Sample-level DNS: tajelisalamat.duckdns.org
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 5 other signatures

Process tree (recovered from the behavior graph):
PO#BTX18000211.exe
  network: uriggw.dm.files.1drv.com, 2 other IPs or domains
  dropped: C:\Users\Public\Libraries\Pyjzxb\Pyjzxb.exe (PE32)
  signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  DpiScaling.exe
    network: tajelisalamat.duckdns.org (194.147.140.26, port 3936, PTPEU)
    signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
  cmd.exe
    reg.exe
      conhost.exe
    conhost.exe
  cmd.exe
    cmd.exe
      conhost.exe
    conhost.exe
Pyjzxb.exe
  network: uriggw.dm.files.1drv.com, 2 other IPs or domains
  DpiScaling.exe
Pyjzxb.exe
  network: 192.168.2.1, uriggw.dm.files.1drv.com, 2 other IPs or domains
  logagent.exe
Threat name: Win32.Trojan.Hesv
Status: Malicious
First seen: 2021-10-29 06:19:05 UTC
AV detection: 4 of 44 (9.09%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos persistence rat
Behaviour:
  Modifies registry key
  Suspicious use of WriteProcessMemory
  Adds Run key to start application
  Remcos

Unpacked files
SHA256 hash: e232e1cd61ca125fbb698cb32222a097216c83f16fe96e8ea7a8b03b00fe3e40
MD5 hash: f6d3a43210b0ae176ecbbf2fb450d93c
SHA1 hash: da2a958b6d503853b27456e0a97694f30a73b68d
Detections: win_temple_loader_w0

Parent samples:
SHA256 hash: f8845a4de92d121e2cf5962482d533d4251665bb846b689ebb9ca5bcaec947bd
MD5 hash: 0f690f4d7f1fa83846461bb6fb9bada9
SHA1 hash: d4ff5288b2506e0f4b2feda94e1c3ad39cfc0023

SHA256 hash: 03b7da84d6e30d60ecac865df72e7a958d1850a47a2ad5a78bd044f3fd48b823
MD5 hash: 56051d64684d776c3dad9bac1bef530d
SHA1 hash: 36a7dcb1bbc679bd2cf28e98400b52ddd72ec436

SHA256 hash: 082baf651937a61c656a7166f6e672341808068663c21bd4111feccf71b78983 (this sample)
MD5 hash: eb7a5438f88f49074ea39ae1403ada1d
SHA1 hash: eb0d35a80550db99c1adc40c1ceae3f015a683ed

Malware family:
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: RemcosRAT
File: Executable exe 082baf651937a61c656a7166f6e672341808068663c21bd4111feccf71b78983 (this sample)
