MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0
SHA3-384 hash: c31e2a6b77dbd8373337d46282052f05281c76feb342d62b811cf121ddd62bccf2cad85e11cc77ee2a71a4a583da66ef
SHA1 hash: e8baf010dcbf27b1df713dcd768576b9c5e8576a
MD5 hash: 44a7315c7c6a2cbb5322d50f98bf4ffb
humanhash: jersey-berlin-four-twenty
File name:RE00000000000.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:489'984 bytes
First seen:2021-03-01 11:29:40 UTC
Last seen:2021-03-05 17:08:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:QN3//x5lgkD//x5lgkD//x5lgks3uQg92s4eHy81l5xXVrJ9GeuAX+dBKZRM/zBr:mgkNgkNgks3+s6y81dXVl9uAX+4E1X
Threatray 1'604 similar samples on MalwareBazaar
TLSH 39A4F1C5FA65C795E7760EB16435CC004B3A3D136405DE8A3E4AB2CA4DB73078E9AD8B
Reporter GovCERT_CH
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
8
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RE00000000000.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 11:32:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6de520b8-60da-4d7f-9848-5c38eb544f7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120204/
Detection(s):
SecuriteInfo.com.Variant.Strictor.35271.29182.3551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Creating a file
Setting a keyboard event handler
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/622025
Signature
Bypasses PowerShell execution policy
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops PE files to the startup folder
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Beds Obfuscator
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 360003 Sample: RE00000000000.exe Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 7 RE00000000000.exe 3 2->7         started        11 Drivers.exe 3 2->11         started        process3 file4 28 C:\Users\user\...\RE00000000000.exe.log, ASCII 7->28 dropped 44 Contains functionality to detect virtual machines (IN, VMware) 7->44 46 Contains functionality to steal Chrome passwords or cookies 7->46 48 Contains functionality to capture and log keystrokes 7->48 50 3 other signatures 7->50 13 powershell.exe 15 7->13         started        17 RE00000000000.exe 1 2 7->17         started        20 powershell.exe 16 11->20         started        22 Drivers.exe 11->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32 13->30 dropped 52 Drops PE files to the startup folder 13->52 54 Powershell drops PE file 13->54 24 conhost.exe 13->24         started        34 162.218.211.157, 49714, 8780 ASN-QUADRANET-GLOBALUS United States 17->34 32 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 17->32 dropped 56 Installs a global keyboard hook 17->56 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 11:11:11 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=boypepefcsxcgzppwrstl4elahyez65n3f525kugbtff2y2pglqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b39a4fbccfbe395762a7c497dd64cea9236fb1c156075f290131c2531c53deb
RemcosRAT
0ef4ceb36c6bc5067390aa323ea7908be59da236315e41d0857d3426cfcc2ce1
RemcosRAT
1619a67b0219aac78f1e5e8ac86ec2cf68641ba65a19653fc176916275b6f6ad
RemcosRAT
19c85373616be5338b379799fa36c19e4ff5d5e7f67fa820ea9040ab5427d516
RemcosRAT
210560d23e3c023c90bd24ed0d76c68732dc267277fc6adcc3c991cb611bb06a
RemcosRAT
22e473a7adb1bf3da0d6b900d5ec9f1b4a455bde122d31d6509b8d7b5bd9eab1
RemcosRAT
5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c
RemcosRAT
9d692165cbb8d2a181769b723e7300b02f534fec4563d4bd155b4c293d6ebe72
RemcosRAT
a81dc80c4e292405023f9c59504e55045ca754901cd06185d041642ce91a33b2
RemcosRAT
ab64843d1074c1091118c175f2ca85e43d66a7918faf479be9d6d2613583fce3
RemcosRAT
+ 1'594 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210301-xpjhj8txjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Beds Protector Packer
Remcos
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/af464f31-d4ff-48d7-b278-d30d84f0d679/
SH256 hash:
3060ad232e46ed4cb5d32f7e2d032077ab56af5de8079508791cb802973007c9
MD5 hash:
e3c09ad3590fd5c3a4aa15d4ad1dbb55
SHA1 hash:
061f562687541916347e8e5830c68602d6e78653
Link:
https://www.unpac.me/results/af464f31-d4ff-48d7-b278-d30d84f0d679/
SH256 hash:
3a4d18e2e957b6ebd35d7807211e3091562c47ab96a2ea69e8ce9eb0caef4baf
MD5 hash:
3e6b2c9824501646ca2ea1367d0800aa
SHA1 hash:
3b49854174bcc93cf3cb245910d0cbab3b061c7d
Link:
https://www.unpac.me/results/af464f31-d4ff-48d7-b278-d30d84f0d679/
SH256 hash:
0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0
MD5 hash:
44a7315c7c6a2cbb5322d50f98bf4ffb
SHA1 hash:
e8baf010dcbf27b1df713dcd768576b9c5e8576a
Link:
https://www.unpac.me/results/af464f31-d4ff-48d7-b278-d30d84f0d679/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 8d6e166f8dcbe5a2e559f1128e151eb87d4bfdd542c795322943e4308b91be7c

RemcosRAT

Executable exe 0bb0f23c8514ae2365efb46535f08b01f04cfbadd97baeaa860cca5d634f32e0

(this sample)

  
Dropped by
MD5 dae23198022b436c820f2ae25bac7cc5
  
Dropped by
SHA256 8d6e166f8dcbe5a2e559f1128e151eb87d4bfdd542c795322943e4308b91be7c
  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120204/

Comments