MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa
SHA3-384 hash: f48701eee36274735fc7a2e89a4ac5e1a904289ffced0e3fd8ea562219509ffffa3c8747c791b6d0db2f0dc91efca903
SHA1 hash: aa6e8a58ac01bdaec78b5e5c721f5406ae2b24dc
MD5 hash: 5a62d41c251715b9cf665e9d8a15387e
humanhash: seven-timing-winter-failed
File name:10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'014'784 bytes
First seen:2023-02-13 07:06:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:JlFzV0YQTxx9ElT1G8re1CvCxSiiEGQlQX:Jlv0YAxxqtr1ISKbK
TLSH T1DB25233D35B89A2EF2ED47B969F0420697F7B146B152FB1C0B4438D02AF6BC141179A7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VESTEL-20230209-54.doc
Verdict:
Malicious activity
Analysis date:
2023-02-09 06:52:06 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/a1843cb4-8a8e-49c6-ae8f-37a614f500e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/364796/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.97443.23242.30051.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching cmd.exe command interpreter
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/63e9e19d843466d9d5fe2ace/reports/f0f23ce2-071c-426c-a794-28cbbbf542ee/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/89fde3b1-39d0-4bbf-80a7-d5cf6292672a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1173884
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Creates an autostart registry key pointing to binary in C:\Windows
Delayed program exit found
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 806675 Sample: N63Y5EfKPs.exe Startdate: 13/02/2023 Architecture: WINDOWS Score: 100 87 zekeriyasolek44.duckdns.org 2->87 109 Malicious sample detected (through community Yara rule) 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Yara detected UAC Bypass using CMSTP 2->113 115 5 other signatures 2->115 11 N63Y5EfKPs.exe 3 2->11         started        15 Windows Data Start.exe 2 2->15         started        signatures3 process4 file5 85 C:\Users\user\AppData\...8563Y5EfKPs.exe.log, ASCII 11->85 dropped 129 Contains functionality to bypass UAC (CMSTPLUA) 11->129 131 Injects a PE file into a foreign processes 11->131 133 Delayed program exit found 11->133 17 N63Y5EfKPs.exe 2 4 11->17         started        135 Drops executables to the windows directory (C:\Windows) and starts them 15->135 21 Windows Data Start.exe 2 3 15->21         started        signatures6 process7 dnsIp8 81 C:\Windows\...\Windows Data Start.exe, PE32 17->81 dropped 83 C:\...\Windows Data Start.exe:Zone.Identifier, ASCII 17->83 dropped 101 Creates an autostart registry key pointing to binary in C:\Windows 17->101 24 Windows Data Start.exe 3 17->24         started        27 cmd.exe 1 17->27         started        89 zekeriyasolek44.duckdns.org 79.134.225.41, 2044, 49701, 49702 FINK-TELECOM-SERVICESCH Switzerland 21->89 103 Writes to foreign memory regions 21->103 105 Maps a DLL or memory area into another process 21->105 107 Installs a global keyboard hook 21->107 29 cmd.exe 1 21->29         started        31 svchost.exe 12 21->31         started        33 svchost.exe 21->33         started        35 4 other processes 21->35 file9 signatures10 process11 signatures12 123 Injects a PE file into a foreign processes 24->123 37 Windows Data Start.exe 2 1 24->37         started        125 Uses cmd line tools excessively to alter registry or file data 27->125 40 reg.exe 1 27->40         started        42 conhost.exe 27->42         started        53 2 other processes 29->53 44 chrome.exe 31->44         started        47 chrome.exe 33->47         started        49 chrome.exe 33->49         started        51 chrome.exe 35->51         started        55 5 other processes 35->55 process13 dnsIp14 117 Writes to foreign memory regions 37->117 119 Maps a DLL or memory area into another process 37->119 57 cmd.exe 1 37->57         started        60 iexplore.exe 37->60         started        121 Disables UAC (registry) 40->121 91 192.168.2.1 unknown unknown 44->91 93 239.255.255.250 unknown Reserved 44->93 62 chrome.exe 44->62         started        65 chrome.exe 47->65         started        67 chrome.exe 49->67         started        69 chrome.exe 51->69         started        71 chrome.exe 55->71         started        73 chrome.exe 55->73         started        75 3 other processes 55->75 signatures15 process16 dnsIp17 127 Uses cmd line tools excessively to alter registry or file data 57->127 77 conhost.exe 57->77         started        79 reg.exe 1 57->79         started        95 part-0032.t-0009.fdv2-t-msedge.net 13.107.237.60, 443, 49731, 49732 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 62->95 97 www.google.com 142.250.180.132, 443, 49725, 49965 GOOGLEUS United States 62->97 99 7 other IPs or domains 62->99 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-10 09:45:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdt5hbnhpw3q4kif7eesmadootykbvnuzuqf25qqk3me64bhnwva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:valentine brand:microsoft evasion persistence phishing rat trojan
Link:
https://tria.ge/reports/230213-hxm4nabe77/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
UAC bypass
Malware Config
C2 Extraction:
zekeriyasolek44.duckdns.org:2044
Unpacked files
SH256 hash:
e52486765dbe7417e58da6855d24bcba5ce72cca3611147c9a1f7eecde14425a
MD5 hash:
e1923e7eca34835bcab357f3c06faf11
SHA1 hash:
d014c1b81751ea3b54e4dc63d2c56b9e8bb76844
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/e46dd777-7d97-405b-9eab-28f22afe8ba6/
Parent samples :
e9b9ee1dc81aa5f6446ae52d861ae97fd211a3ccf58746e7154ce384457d3460
10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/e46dd777-7d97-405b-9eab-28f22afe8ba6/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
aed1d220251b6c5b991035cf078fee3291490a619f90a4a462a77fecab0e9e95
MD5 hash:
2aa018a3878c09afb633bdfdd0eaae86
SHA1 hash:
7f4d8784eeb2e060bde4f1a088d4d8f522037ec5
Link:
https://www.unpac.me/results/e46dd777-7d97-405b-9eab-28f22afe8ba6/
SH256 hash:
46cb32256dba295b72212185d3bf29e54de9f78fe32a8e43c82288285c3bf721
MD5 hash:
453d8d23d417dacecac4ad0235d2b420
SHA1 hash:
6aaffef79f32f151aef9d5c548ac9055ea6c2f35
Link:
https://www.unpac.me/results/e46dd777-7d97-405b-9eab-28f22afe8ba6/
SH256 hash:
9103b9f24f63b9f03b759f5fb58fa6d22f4fce459cde0b8e9cbc99fc0f1f499c
MD5 hash:
e3f08bd8ba3022b075686c20807ac923
SHA1 hash:
5c4af0abdf1f6cb793b4d62c8848ddfb9ce027ac
Link:
https://www.unpac.me/results/e46dd777-7d97-405b-9eab-28f22afe8ba6/
SH256 hash:
10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa
MD5 hash:
5a62d41c251715b9cf665e9d8a15387e
SHA1 hash:
aa6e8a58ac01bdaec78b5e5c721f5406ae2b24dc
Link:
https://www.unpac.me/results/e46dd777-7d97-405b-9eab-28f22afe8ba6/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10e7d385a77d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 10e7d385a77db70e2905f90926006e74f0a0d5b4cd205d761056d84f70276daa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/364796/

Comments