MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca
SHA3-384 hash: b9ab55fad0dc831a7874a9312ab4688ff4ac0075542dab0266c4c25da6e96adf41186659fd204ad7e4e7ba307b139552
SHA1 hash: bc642bea056be7400336ef782795b77fbda936bd
MD5 hash: dddcd09b7840137bfa8c340f65b43970
humanhash: oscar-lamp-island-burger
File name:SecuriteInfo.com.Win32.MalwareX-gen.25648.14638
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:867'328 bytes
First seen:2022-12-17 04:27:34 UTC
Last seen:2022-12-19 08:55:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:gjWQ7lCxLkjQSRBkrTQywHee0lxuS1uIBMimwH:e5EkBLkAPHeeaxuSQ+MBwH
TLSH T15005D0B8C5CB0D969AB1F874C2C63D9300B2C9C8D473995E363D5298E889A73F52758F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.25648.14638
Verdict:
Malicious activity
Analysis date:
2022-12-17 04:29:05 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/4c57ceb3-cd7f-4757-95a9-2724dbdfd463

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/347200/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.25648.14638.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639d45521c985b348d9fe5f4/reports/ff2ebedc-cfc3-4de7-bbc3-19764895861e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4725e580-62b4-4dce-b544-5b88e8b2cf7e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1136595
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files with benign system names
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 769320 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 18/12/2022 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 Antivirus detection for dropped file 2->60 62 11 other signatures 2->62 11 SecuriteInfo.com.Win32.MalwareX-gen.25648.14638.exe 1 7 2->11         started        15 Jfbabodo.exe 2 2->15         started        17 explorer.exe 2->17         started        19 2 other processes 2->19 process3 file4 50 C:\Users\user\AppData\...\Jfbabodo.exe, PE32 11->50 dropped 52 C:\Users\...\Jfbabodo.exe:Zone.Identifier, ASCII 11->52 dropped 54 SecuriteInfo.com.W...25648.14638.exe.log, ASCII 11->54 dropped 68 Encrypted powershell cmdline option found 11->68 70 Creates multiple autostart registry keys 11->70 72 Drops PE files with benign system names 11->72 74 Injects a PE file into a foreign processes 11->74 21 SecuriteInfo.com.Win32.MalwareX-gen.25648.14638.exe 4 5 11->21         started        25 powershell.exe 16 11->25         started        27 SecuriteInfo.com.Win32.MalwareX-gen.25648.14638.exe 11->27         started        76 Antivirus detection for dropped file 15->76 78 Multi AV Scanner detection for dropped file 15->78 80 Machine Learning detection for dropped file 15->80 signatures5 process6 file7 44 C:\Users\user\AppData\...\explorer.exe, PE32 21->44 dropped 46 C:\Users\...\explorer.exe:Zone.Identifier, ASCII 21->46 dropped 48 C:\...\mqkkwrttyvuipvlrypweuogvaoahx.vbs, data 21->48 dropped 66 Creates multiple autostart registry keys 21->66 29 wscript.exe 1 21->29         started        31 conhost.exe 25->31         started        signatures8 process9 process10 33 cmd.exe 1 29->33         started        process11 35 explorer.exe 3 33->35         started        38 conhost.exe 33->38         started        signatures12 64 Encrypted powershell cmdline option found 35->64 40 powershell.exe 35->40         started        process13 process14 42 conhost.exe 40->42         started       
Gathering data
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-12-16 21:30:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
17 of 26 (65.38%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bynv44sxwsioekuwnbrgalpomn5gugjpkvjhcn6wyouuxso4gtfa._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ikmerro v4 persistence rat
Link:
https://tria.ge/reports/221217-e3netsgb67/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
76.8.53.133:1198
Unpacked files
SH256 hash:
33652c38868d56b00ce15fd2fab9e1a077bd406ea302494c5e6fc84df96f4f58
MD5 hash:
74bbe928fc9a828fb80b68d94940a824
SHA1 hash:
7b0a04a3f057478c1dbc62b6fa9e7aae1fcdad3b
Link:
https://www.unpac.me/results/14b54bee-2816-45b0-81a6-2f5af2fb29f8/
SH256 hash:
0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca
MD5 hash:
dddcd09b7840137bfa8c340f65b43970
SHA1 hash:
bc642bea056be7400336ef782795b77fbda936bd
Link:
https://www.unpac.me/results/14b54bee-2816-45b0-81a6-2f5af2fb29f8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e1b5e7257b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img a04fa921a789d7726a42da585cdf302baab2ee4739ed40f9ff963ffd3e6f52d4

RemcosRAT

Executable exe 0e1b5e7257b490e22a966862602dee637a6a192f55527137d6c3a94bc9dc34ca

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/347200/
  
Dropped by
SHA256 a04fa921a789d7726a42da585cdf302baab2ee4739ed40f9ff963ffd3e6f52d4
  
Dropped by
MD5 4f86138bc4c59204c221700e78644099

Comments