MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
SHA3-384 hash: ee959d4ca9bc1b031461291e9f023c030ea221d8692784346f7a06a3d4891d084cc209552904ee65febec2dedac15ca4
SHA1 hash: 1cf249eb79d02549059cb377ed38f5505e262229
MD5 hash: b09d8da41c25dbe44e71bc2bc16de91c
humanhash: leopard-july-tango-venus
File name:08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:998'912 bytes
First seen:2023-06-08 11:35:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:05GoR5a2x18A8DNaUQUzP/F73CjyQKraEyRC5x:0Io22xCDNaUQSPp3CeQ+aVRY
Threatray 2'021 similar samples on MalwareBazaar
TLSH T1EC252341B2668B13F2797BFA15025A7017F6BA17B872F2060EC173DF6939F419A12B07
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
Verdict:
Malicious activity
Analysis date:
2023-06-08 11:36:04 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/d5d3a1f5-2ad4-4a16-b855-b66299cba9c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396926/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67241450.4033.13993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6481bd23b941c5c62d622b49/reports/f0a55b5d-e06e-4d0b-9996-cb4498c19c1b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48c72df7-6df2-4166-b0ff-b1bb00472c0b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251333
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 884351 Sample: TpvE9ToZKs.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 7 other signatures 2->49 7 TpvE9ToZKs.exe 7 2->7         started        11 PpmDjA.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\PpmDjA.exe, PE32 7->31 dropped 33 C:\Users\user\...\PpmDjA.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp24C2.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\TpvE9ToZKs.exe.log, ASCII 7->37 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 13 vbc.exe 3 13 7->13         started        17 powershell.exe 17 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Writes to foreign memory regions 11->59 61 Injects a PE file into a foreign processes 11->61 21 schtasks.exe 1 11->21         started        23 vbc.exe 11->23         started        signatures5 process6 dnsIp7 39 89.37.99.49, 49698, 5888 BANDWIDTH-ASGB Romania 13->39 41 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 13->41 63 Contains functionality to bypass UAC (CMSTPLUA) 13->63 65 Contains functionality to steal Chrome passwords or cookies 13->65 67 Contains functionality to modify clipboard data 13->67 69 2 other signatures 13->69 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 08:26:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdqusodejnqk7koalv35m275n2i4eexvfc44oo46g42iml5rpqja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
032454dace97a2e1d466b0a2749f8a3fbaac125c110a89f43a1ecac98aa05b49
RemcosRAT
088dece027bdaff18c0f6ba9aecc17d2e55bc901ccfef1bbd02ca1f6eb367b1b
RemcosRAT
416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203
RemcosRAT
5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1
RemcosRAT
53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
RemcosRAT
539b70f704ffff9cf973a032e01e39d31613a4ce7cd9939d84746d587d0a7ac9
RemcosRAT
577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56
RemcosRAT
7ef10437af99524e348b41e33c32a2c7c6270265b535700f3ec8c97f6c4f8a93
RemcosRAT
899407587a2e6e7c29947306df25f2a535f0616c4d1313f045c5b824fcc0a292
RemcosRAT
92bc5b745a6e3757f5ffbda877cb0b5725606d214642fc37f16ad0cf98c0cd9d
RemcosRAT
+ 2'011 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230608-nqkmvaeh45/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
89.37.99.49:5888
Unpacked files
SH256 hash:
a08ad4e39392d6e15956b252b0d06a1b4210a99ee8b001ab274c984dda82e6c1
MD5 hash:
701847fa0fb4f63661069ab7b25d3c00
SHA1 hash:
f6bd90b615c6da093a56ebfd7202edc015b11894
Link:
https://www.unpac.me/results/73e5b89b-bf15-4d68-8752-3a7e5503a235/
SH256 hash:
dcf06daa3fa698b1c13d0bf26009b4bfbefca519a6a3752fb3dbcf6706ebce5e
MD5 hash:
50a6292d294284a2c21378f183888508
SHA1 hash:
d6edb6c579287f762463e55cd4c89cbb85f53ef3
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/73e5b89b-bf15-4d68-8752-3a7e5503a235/
Parent samples :
44b9c7b495d855d23b1dce528639b2a726a1b89f0f5968df842a508d0f6d3f43
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
59d705df5b4d6a3e818d5529de6270397899239ba61a19f746a7149768b47917
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/73e5b89b-bf15-4d68-8752-3a7e5503a235/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
6d213b2c6a2ca11e4c26b75ee7d09a0e0fb839623915e959700a5f4b95f9e4c8
MD5 hash:
ef675b0e6094e0df809c8fc2acad37f4
SHA1 hash:
9a0504700d8ce2c220f3279dcd53eb51c8460479
Link:
https://www.unpac.me/results/73e5b89b-bf15-4d68-8752-3a7e5503a235/
SH256 hash:
aa55a49c4e26b6c0cfb3aa599f5cb5c6eae65e0a7884458e75614092d073cf5f
MD5 hash:
9d9bed3fb41b5b721aafd13220f48c73
SHA1 hash:
069c54846fffaf8ba3abc8f140a60dd9755ff20a
Link:
https://www.unpac.me/results/73e5b89b-bf15-4d68-8752-3a7e5503a235/
SH256 hash:
08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12
MD5 hash:
b09d8da41c25dbe44e71bc2bc16de91c
SHA1 hash:
1cf249eb79d02549059cb377ed38f5505e262229
Link:
https://www.unpac.me/results/73e5b89b-bf15-4d68-8752-3a7e5503a235/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08e14938644b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/08e14938644b60afa9c05d77d66bfd6e91c212f528b9c73b9e3734862fb17c12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396926/

Comments