MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
SHA3-384 hash: cf1d879066d1bd32b812e6e3dd51daa466e807feab26351dd17c806fdb0c08a6bf1726d765d132b1798bafd1be8499a3
SHA1 hash: 6c1f07ef6dd7135556b78c7eb1143a3a3159d91e
MD5 hash: 1f99929fbd7495eef4b6e0ec6b0e73ff
humanhash: magazine-freddie-steak-carbon
File name:03-22-SO-0078 (SO+INV+PKW) 文件有2套 LOAD# 423606406.pdf............................................................
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'241'600 bytes
First seen:2023-03-22 15:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:2KgkraIAUjhRn/F+3WRDY4fEUe/RM2Iq+nSscsQ48dSl06MF:2RkGUtZ9+3n4fEbu2Iq+SF4iSlL8
Threatray 1'718 similar samples on MalwareBazaar
TLSH T1C845120173AA5F52C5F9ABF819B7A08013B5BF762321EB4C1ECA35CF12377588652A47
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e32d177b-f006-4808-98d1-06a849df1ef3
Verdict:
Suspicious activity
Analysis date:
2023-03-22 16:03:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6b2e8d4-cb87-4155-813c-57531e0c1e80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376515/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/641b2516b236355850d766a3/reports/2c5f2508-3a9a-4535-a16f-3f22de53d8ae/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/616e557d-26a0-42cb-96c3-28de3389e46d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199979
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 832887 Sample: .........exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected UAC Bypass using CMSTP 2->47 49 3 other signatures 2->49 8 .........exe 3 2->8         started        12 Freight.exe 2 2->12         started        14 Freight.exe 2 2->14         started        16 Freight.exe 2 2->16         started        process3 file4 39 C:\Users\user\AppData\...\.........exe.log, ASCII 8->39 dropped 51 Contains functionality to bypass UAC (CMSTPLUA) 8->51 53 Contains functionality to steal Chrome passwords or cookies 8->53 55 Contains functionality to steal Firefox passwords or cookies 8->55 57 Delayed program exit found 8->57 18 .........exe 2 4 8->18         started        21 Freight.exe 12->21         started        23 Freight.exe 12->23         started        25 Freight.exe 14->25         started        27 Freight.exe 16->27         started        signatures5 process6 file7 35 C:\ProgramData\Freight\Freight.exe, PE32 18->35 dropped 37 C:\...\Freight.exe:Zone.Identifier, ASCII 18->37 dropped 29 Freight.exe 3 18->29         started        process8 signatures9 59 Multi AV Scanner detection for dropped file 29->59 61 Injects a PE file into a foreign processes 29->61 32 Freight.exe 3 1 29->32         started        process10 dnsIp11 41 188.72.124.143, 2109 M247GB Netherlands 32->41
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 14:15:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6gh2kedgpendroukcv6v6dj3y6vr226rulbhdcswa4rz55gixga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197
RemcosRAT
0f27e5f647e28a535aa0ab9dde5c707150431f10c62d12f1e192ea02d698b3e4
RemcosRAT
37ebb9622d13e5e8db8d9fa58aef6cfe9278877a18357a91a65022130892f8a6
RemcosRAT
4bfea5eeb97d0ca4f3f2edd8114048e9a14f43f89187c55f29f2142cdef8da9a
RemcosRAT
52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3
RemcosRAT
7e09b162052fa0f01f2d48609446e1cc66fea01afa412d5aee4cca9afa98fe52
RemcosRAT
881b9954a4f1debc7e45fecb6072f05daa542c368af208156fd624d5b5fabc95
RemcosRAT
dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25
RemcosRAT
df98e5b50efcf7aedf479030e51ca5b9990fad9f0d20d729bb106198ddee923e
RemcosRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
RemcosRAT
+ 1'708 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230322-tddawshg58/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
d9bb9a65674be3399fee5c0b18f511fd0bcb590e6aa58f6c7caf70a1d456801a
MD5 hash:
8a766fb87ec1990c71d44f81a8d2f078
SHA1 hash:
c6d5ac7ef7c3c55a17107ddb89abff9f4729708f
Link:
https://www.unpac.me/results/6b729457-ee2f-4f6d-8365-65aa4fb8c0e8/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/6b729457-ee2f-4f6d-8365-65aa4fb8c0e8/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
1887303d896fa491540a584b8fbb038d35eee7fdd684eff39cd110bddbd6d6ae
MD5 hash:
69426ab2fa6f434a2fdb4e5e79d47d0b
SHA1 hash:
7b3b5e0aba5f83d3991b8d43657cd35b90b544d6
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6b729457-ee2f-4f6d-8365-65aa4fb8c0e8/
SH256 hash:
e1feb16a5ef439b478f2915ad878921cdaadbb87d9992dc59f3c4fc5f2a4a74e
MD5 hash:
8bcc89128791f87bf51dee24c444b7f1
SHA1 hash:
1b0c7eaa9a7ab41c4b7adc69b59dbf915e950612
Link:
https://www.unpac.me/results/6b729457-ee2f-4f6d-8365-65aa4fb8c0e8/
SH256 hash:
8ade51373213c24e2ea738ec05e83151a0ea5cac9898b3208a749a42931e9907
MD5 hash:
8998ac11c12c2fa8bfbcfb38a4dd07f2
SHA1 hash:
0e5253bc6709f5d9582702179b79eaf985146c5e
Link:
https://www.unpac.me/results/6b729457-ee2f-4f6d-8365-65aa4fb8c0e8/
SH256 hash:
0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
MD5 hash:
1f99929fbd7495eef4b6e0ec6b0e73ff
SHA1 hash:
6c1f07ef6dd7135556b78c7eb1143a3a3159d91e
Link:
https://www.unpac.me/results/6b729457-ee2f-4f6d-8365-65aa4fb8c0e8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f8c7d288333/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376515/

Comments