MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903
SHA3-384 hash: e7331dda5ec5916862d2f4b1bd0b6a93af09e2e373269790945dc12df1a7664cf53159d3ba3f889243ebafb674ad965f
SHA1 hash: ecd8a87237094ffcf9e1fc0ce9fe3fdc2be91c87
MD5 hash: 291135e84ac4c935c00a15ab1ce04353
humanhash: comet-saturn-magnesium-venus
File name:RFQ110623.pdf .exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:464'896 bytes
First seen:2023-11-06 16:33:10 UTC
Last seen:2023-11-06 18:16:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b12cc29254d07cadbb008c92468c8361 (2 x MarsStealer, 2 x Smoke Loader, 1 x Stealc)
ssdeep 6144:Xsz6W1aqPuk+dcp707D+Rx+ATKb8GrV7yvgbFSfhTSPeesvs76Kio:8D1aqGkqcp702lGrV7yIRShTSPcEx
TLSH T1B1A4BF0356E06877E5225A328F2EC2A4771EFDA08E5D37DAE358AE1F15713B6C172702
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000150121350112 (1 x RemcosRAT)
Reporter malwarology
Tags:exe remcos RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
RFQ110623.pdf .exe
Verdict:
Malicious activity
Analysis date:
2023-11-06 16:31:09 UTC
Tags:
remcos rat remote loader
Link:
https://app.any.run/tasks/00296407-b999-4aea-bdfb-fea39f16972c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.20322.8671.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin masquerade packed remcos
Link:
https://www.filescan.io/uploads/6549157d3dd412119bee8af1/reports/2c074260-582d-4142-9633-36f607ef8e79/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a4656cd-9196-4647-b312-36a8bad05ac6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337766
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1337766 Sample: RFQ110623.pdf_.exe Startdate: 06/11/2023 Architecture: WINDOWS Score: 100 32 novbillions.myddns.me 2->32 34 geoplugin.net 2->34 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 9 other signatures 2->46 7 Adobereaderxi.exe 3 14 2->7         started        11 RFQ110623.pdf_.exe 3 4 2->11         started        14 Adobereaderxi.exe 2->14         started        signatures3 process4 dnsIp5 36 novbillions.myddns.me 5.253.18.198, 2407, 49706, 49717 YISP-ASNL Germany 7->36 38 geoplugin.net 178.237.33.50, 49718, 80 ATOM86-ASATOM86NL Netherlands 7->38 48 Antivirus detection for dropped file 7->48 50 Multi AV Scanner detection for dropped file 7->50 52 Contains functionality to bypass UAC (CMSTPLUA) 7->52 62 8 other signatures 7->62 16 WerFault.exe 7->16         started        18 WerFault.exe 7->18         started        20 WerFault.exe 7->20         started        30 C:\ProgramData\...\Adobereaderxi.exe, PE32 11->30 dropped 54 Detected unpacking (changes PE section rights) 11->54 56 Contains functionalty to change the wallpaper 11->56 58 Creates autostart registry keys with suspicious names 11->58 60 Contains functionality to register a low level keyboard hook 11->60 22 WerFault.exe 16 11->22         started        24 WerFault.exe 16 11->24         started        26 WerFault.exe 16 11->26         started        28 6 other processes 11->28 file6 signatures7 process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-06 10:39:27 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
13 of 38 (34.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2g7wtclcw7747pqp4fjeqgcfb7chqkjwrszshnjnnz6755y7ebq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:novbuildmain collection persistence rat spyware stealer
Link:
https://tria.ge/reports/231106-t23kpaea68/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
novbillions.myddns.me:2407
Unpacked files
SH256 hash:
8fe3e92a6cd6b2da9b05b4a7c2f6536728b33220d22efd99f456e2143e898f3b
MD5 hash:
3791b8c5950698b555a95121519a498f
SHA1 hash:
7e3dd9d45f001fc7754f9c69e3c6f8dacb051e73
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/b0a599ea-9bb7-4be2-9081-83673494b2c6/
SH256 hash:
0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903
MD5 hash:
291135e84ac4c935c00a15ab1ce04353
SHA1 hash:
ecd8a87237094ffcf9e1fc0ce9fe3fdc2be91c87
Link:
https://www.unpac.me/results/b0a599ea-9bb7-4be2-9081-83673494b2c6/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e8dfb4c4b15/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_ea14b2a5
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 1f710524e7365c5c9d80ee6c44ef274fd05f637a6524ec831fe4886dbede6678

RemcosRAT

Executable exe 0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903

(this sample)

anyrun
any.run
https://app.any.run/tasks/00296407-b999-4aea-bdfb-fea39f16972c
  
Dropped by
SHA256 1f710524e7365c5c9d80ee6c44ef274fd05f637a6524ec831fe4886dbede6678
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
MD5 d509f13af941f7953a2b75af786e33ee

Comments