MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

SHA256 hash: 11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
SHA3-384 hash: 91eb51377eb6730f13ead365198486b0478dda6da6508823c3f838a7dd3772500f524d296c3ae6238a8bb992057fa161
SHA1 hash: 9ca786b5151b12a83c87e53e66eddf2ef795cef2
MD5 hash: 291a8d6fe1adf2fca024566c8503d764
humanhash: fifteen-oxygen-april-november
File name: hesaphareketi-01.PDF.exe
Signature: RemcosRAT
File size: 906'240 bytes
First seen: 2023-04-05 19:02:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:lIUXw/ofMskDYVNszZVN480r+LiPkUuYtnkr0SHckG:l1Agc0m50iLOkUuv0
Threatray: 1'789 similar samples on MalwareBazaar
TLSH: T12915224B2B329F2DC82417BED433694483B997A2A961E3A6ADC47CD91E37F41C950DC3
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe geo RAT RemcosRAT TUR
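The identifiers above are what a triage script matches on, with one caveat a practitioner should know: the imphash f34d5f2d4577ed6d9ceec516c1f5a744 is the value a standard .NET executable gets, because its only native import is mscoree!_CorExeMain, which is why the entry shows it shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. For a CIL binary it identifies the runtime, not the family; the SHA256/SHA1/MD5 values, and the fuzzy hashes, are what carry signal. The Python below is an added example, not MalwareBazaar code: it parses the hash lines as they appear on this page, recomputes the same four digests for a file (ssdeep and TLSH need non-stdlib libraries and are left out), matches a file against them, and flags the document-then-executable double extension that the sandbox signature further down reports. The extension lists and the stand-in bytes in the usage section are assumptions.

```python
"""Added triage helper (not MalwareBazaar code): recompute the hash set the
entry lists, match a file against the entry's IOCs, and flag the double
extension lure (document extension followed by an executable extension,
e.g. hesaphareketi-01.PDF.exe)."""
import hashlib
import re
from pathlib import PureWindowsPath

# Copied from this entry (the submitted sample's own hashes).
ENTRY_TEXT = """\
SHA256 hash: 11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
SHA3-384 hash: 91eb51377eb6730f13ead365198486b0478dda6da6508823c3f838a7dd3772500f524d296c3ae6238a8bb992057fa161
SHA1 hash: 9ca786b5151b12a83c87e53e66eddf2ef795cef2
MD5 hash: 291a8d6fe1adf2fca024566c8503d764
"""

# Assumption: extension lists for the lure check; extend per environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".jpeg", ".png"}

HASH_LINE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_entry_hashes(text: str) -> dict:
    """Turn the entry's 'XXX hash: ...' lines into {hashlib name: lowercase hex}."""
    return {algo.lower().replace("-", "_"): digest.lower()
            for algo, digest in HASH_LINE.findall(text)}


def hash_bytes(data: bytes) -> dict:
    """The four digests MalwareBazaar shows, keyed by hashlib algorithm name."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("sha256", "sha3_384", "sha1", "md5")}


def is_double_extension_lure(filename: str) -> bool:
    """True for names like report.PDF.exe: a document-looking extension right
    before the real executable extension (Explorer hides the last one by default)."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)


def triage(filename: str, data: bytes, iocs: dict) -> dict:
    """Hash the bytes, compare every algorithm we hold an IOC for, and add the
    lure-name and PE-header checks. Any single matching digest is a hit."""
    digests = hash_bytes(data)
    matched = sorted(algo for algo, value in iocs.items() if digests.get(algo) == value)
    return {
        "name": filename,
        "known_bad": bool(matched),
        "matched_algorithms": matched,
        "double_extension": is_double_extension_lure(filename),
        "is_pe": data[:2] == b"MZ",   # the entry's MIME type is application/x-dosexec
        "digests": digests,
    }


if __name__ == "__main__":
    iocs = parse_entry_hashes(ENTRY_TEXT)
    stand_in = b"MZ" + b"\x00" * 62   # constructed bytes, not the sample
    print(triage("hesaphareketi-01.PDF.exe", stand_in, iocs))
```

Matching on any one digest is deliberate: a feed that only carries MD5 still produces a hit, while a sample that collides on one algorithm but not another would be caught by the stronger one.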

Intelligence


File Origin
# of uploads: 1
# of downloads: 287
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: hesaphareketi-01.PDF.exe
Verdict: Malicious activity
Analysis date: 2023-04-05 19:04:43 UTC
Tags: rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 842119): Sample hesaphareketi-01.PDF.exe, Startdate 05/04/2023, Architecture WINDOWS, Score 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Sigma detected: Scheduled temp file as task from temp location; 10 other signatures

Process tree (node numbers as in the graph):
- [9] hesaphareketi-01.PDF.exe
  Dropped: C:\Users\user\AppData\Roaming\lxFRWDm.exe (PE32); C:\Users\user\...\lxFRWDm.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp4501.tmp (XML); C:\Users\...\hesaphareketi-01.PDF.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  - [15] hesaphareketi-01.PDF.exe (second instance)
    Network: ennenbach.duckdns.org -> 193.42.33.155 (EENET-ASEE, Germany), client ports 49685, 49686, 49687
    Dropped: C:\ProgramData\remcos\logs.dat (data)
    Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Installs a global keyboard hook
    - [30] svchost.exe -> [44] chrome.exe, [47] chrome.exe
    - [32] svchost.exe -> [49] chrome.exe, [51] chrome.exe
    - [34] svchost.exe -> [53] chrome.exe, [55] chrome.exe
    - [36] svchost.exe -> [57] chrome.exe, [59] chrome.exe
      [44] contacts 192.168.2.1 and 239.255.255.250 (reserved multicast); each of [44], [47], [49], [51], [53], [55], [57], [59] starts one more chrome.exe ([61], [64], [66], [68], [70], [72], [74], [76]); [61] contacts microsoftmscompoc.tt.omtrdc.net, mdec.nelreports.net and 20 other IPs or domains
  - [20] powershell.exe -> [38] conhost.exe
  - [22] schtasks.exe -> [40] conhost.exe
- [13] lxFRWDm.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - [24] schtasks.exe -> [42] conhost.exe
  - [26] lxFRWDm.exe
  - [28] lxFRWDm.exe
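The host-side chain the sandbox reports for the first process is the part that survives a change of C2: schtasks.exe registering a task from an XML dropped in Temp (the Sigma hit "Scheduled temp file as task from temp location" and the tmp4501.tmp XML above), powershell.exe adding a Windows Defender directory exclusion, and the dropped copy lxFRWDm.exe later running from AppData\Roaming. The Python below is an added detection example, not sandbox or MalwareBazaar code. It encodes those three behaviours as rules over process-creation events and then correlates them by parent process, so that the combination fires even when each rule alone would be noisy. The events are constructed to resemble Sysmon Event ID 1 fields; the task name and the exact exclusion path are assumptions, while `Add-MpPreference -ExclusionPath` is the standard Defender cmdlet and the file paths are those listed on this page.

```python
"""Added detection example (not sandbox or MalwareBazaar code): the schtasks
persistence from a Temp XML, the Defender exclusion added via PowerShell, and
the copy executing from AppData\\Roaming, as rules over process-creation
events, plus a parent-based correlation step."""
import re
from collections import defaultdict

# Constructed events shaped like Sysmon Event ID 1 fields. The task name and
# exclusion path are assumptions; tmp4501.tmp and lxFRWDm.exe come from the page.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\hesaphareketi-01.PDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\hesaphareketi-01.PDF.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\hesaphareketi-01.PDF.exe",
     "CommandLine": r'"schtasks.exe" /Create /TN "Updates\lxFRWDm" /XML "C:\Users\user\AppData\Local\Temp\tmp4501.tmp"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\hesaphareketi-01.PDF.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"Image": r"C:\Users\user\AppData\Roaming\lxFRWDm.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\lxFRWDm.exe"'},
    # Benign look-alikes that must not fire.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-MpPreference"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
MP_EXCLUSION = re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_xml_from_temp(ev: dict) -> bool:
    """schtasks /Create with a task definition read from the user's Temp dir."""
    cmd = ev["CommandLine"].lower()
    return (image_name(ev["Image"]) == "schtasks.exe"
            and "/create" in cmd and "/xml" in cmd
            and TEMP_DIR.search(ev["CommandLine"]) is not None)


def rule_defender_exclusion(ev: dict) -> bool:
    """PowerShell adding any Defender exclusion (path, process or extension)."""
    return (image_name(ev["Image"]) == "powershell.exe"
            and MP_EXCLUSION.search(ev["CommandLine"]) is not None)


def rule_exe_from_roaming(ev: dict) -> bool:
    """An executable running directly out of AppData\\Roaming."""
    return ROAMING_EXE.search(ev["Image"]) is not None


RULES = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "defender_exclusion_added": rule_defender_exclusion,
    "exe_running_from_roaming": rule_exe_from_roaming,
}


def evaluate(events: list) -> list:
    """(event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def correlate(events: list, hits: list, threshold: int = 2) -> dict:
    """Group hits by ParentImage; a parent with >= threshold distinct rules is
    the installer-style chain the sandbox saw (schtasks + Defender exclusion)."""
    by_parent = defaultdict(set)
    for i, name in hits:
        by_parent[events[i]["ParentImage"]].add(name)
    return {parent: names for parent, names in by_parent.items() if len(names) >= threshold}


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for i, name in hits:
        print(f"[{name}] {EVENTS[i]['CommandLine']}")
    print(correlate(EVENTS, hits))
```

The Roaming rule is kept out of the correlation threshold on purpose: its parent in a real run is the task scheduler host, not the dropper, so it should be tied back through the task name or the file hash rather than through ParentImage.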
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-04-04 08:35:25 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 16 of 37 (43.24%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost brand:microsoft phishing rat
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction: ennenbach.duckdns.org:5800
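The extracted configuration gives the C2 as a dynamic DNS hostname on port 5800, and the behaviour graph shows it resolving to 193.42.33.155 during the run. Because the operator can repoint a duckdns.org name at will, matching on the IP alone goes stale quickly; the durable signals are the hostname, the dynamic-DNS provider, and, as corroboration only, the port. The Python below is an added network-triage example, not sandbox or MalwareBazaar code. It joins DNS answers to connections so a flow is judged by the name that produced it, flags the C2 by hostname, IP or dynamic-DNS heuristic, and stays quiet on the LAN, multicast and browser-telemetry traffic that also appears in the graph. The records are constructed Zeek-style entries; the provider list and the 20.x address used for the telemetry host are assumptions.

```python
"""Added network triage example (not sandbox or MalwareBazaar code): join DNS
answers to connections and flag the Remcos C2 from this entry by hostname,
IP, dynamic-DNS provider, or port."""
import ipaddress
from collections import defaultdict

# From the entry's Malware Config and behaviour graph.
REMCOS_C2 = {"host": "ennenbach.duckdns.org", "port": 5800, "ip": "193.42.33.155"}
# Assumption: a short list of dynamic DNS providers to treat as suspicious.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org")

# Constructed Zeek-style records (not captured traffic). The 20.x address is
# made up; 239.255.255.250 and 192.168.2.1 mirror the graph's local noise.
DNS_LOG = [
    {"ts": 1680721483.1, "orig": "192.168.2.10", "query": "ennenbach.duckdns.org", "answers": ["193.42.33.155"]},
    {"ts": 1680721484.0, "orig": "192.168.2.10", "query": "mdec.nelreports.net", "answers": ["20.50.80.209"]},
]
CONN_LOG = [
    {"ts": 1680721483.4, "orig": "192.168.2.10", "orig_p": 49685, "resp": "193.42.33.155", "resp_p": 5800, "proto": "tcp"},
    {"ts": 1680721485.0, "orig": "192.168.2.10", "orig_p": 49690, "resp": "20.50.80.209", "resp_p": 443, "proto": "tcp"},
    {"ts": 1680721486.0, "orig": "192.168.2.10", "orig_p": 55000, "resp": "239.255.255.250", "resp_p": 1900, "proto": "udp"},
    {"ts": 1680721487.0, "orig": "192.168.2.10", "orig_p": 55001, "resp": "192.168.2.1", "resp_p": 53, "proto": "udp"},
]


def is_dynamic_dns(name: str) -> bool:
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def names_by_ip(dns_log: list) -> dict:
    """Reverse map answer IP -> queried names, so a connection can be judged by
    the name that produced it even when the IP is not on any IOC list."""
    out = defaultdict(set)
    for rec in dns_log:
        for ip in rec["answers"]:
            out[ip].add(rec["query"].lower().rstrip("."))
    return out


def assess(conn: dict, resolved: dict) -> list:
    """Reasons a single connection is suspicious; an empty list means clean."""
    dst = ipaddress.ip_address(conn["resp"])
    if dst.is_private or dst.is_multicast or dst.is_loopback:
        return []                        # LAN, SSDP and the like are never C2 here
    names = resolved.get(conn["resp"], set())
    reasons = []
    if conn["resp"] == REMCOS_C2["ip"] or REMCOS_C2["host"] in names:
        reasons.append("known_remcos_c2")
    if conn["resp_p"] == REMCOS_C2["port"] and conn["proto"] == "tcp":
        reasons.append("remcos_c2_port")  # weak on its own; corroborating only
    if any(is_dynamic_dns(n) for n in names):
        reasons.append("dynamic_dns_destination")
    return reasons


def find_c2(dns_log: list, conn_log: list) -> list:
    """Every connection with at least one reason, with the names behind it."""
    resolved = names_by_ip(dns_log)
    flagged = []
    for conn in conn_log:
        reasons = assess(conn, resolved)
        if reasons:
            flagged.append({"ts": conn["ts"],
                            "dst": f'{conn["resp"]}:{conn["resp_p"]}',
                            "names": sorted(resolved.get(conn["resp"], ())),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_c2(DNS_LOG, CONN_LOG):
        print(hit)
```

Port 5800 is the default for VNC-over-HTTP on some setups, so "remcos_c2_port" alone should raise priority, not an incident; the dynamic-DNS reason, by contrast, is worth alerting on by itself in most corporate networks.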
Unpacked files

SHA256 hash: 0906cd504b8a4489aec23b72b945f6b44340bd1d7402ea9d852c108295ee8239
MD5 hash: 8e56ca138d2e8630c48be8766aafc3c6
SHA1 hash: e74c57394ea991ab61bc60611bd6db0f41892e1b

SHA256 hash: 3f1c9d71ca7382eea5dcc794d8b367e9678cd2edad233bad19a68206c8c81b90
MD5 hash: c78bc6bad2035cc323f85fc1afb0a10b
SHA1 hash: d9dae4e43fe38c68cebffe81d2520ce218029ae1

SHA256 hash: 3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash: e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash: 682325763a0ec77e0fd475ea3a4021b4651eceac

SHA256 hash: b0a29e7522c9c5c2823dead60d5fcb5b23c46f69c92be3253fb710a933e4bfbd
MD5 hash: a86adabcfd26d1a5fa8163df71738bda
SHA1 hash: 2f44b433028b08d1b57d3763210ad54b8d827484

SHA256 hash: 15ca78849861201e845b0146eed78e3a9887dd7f12193794b0a550498c0494ab
MD5 hash: 549ea2e6dd2144db2b2ceef0b88379b1
SHA1 hash: 2b570430800217b93b80b52b3e446ff2810a71ca
Detections: Remcos win_remcos_auto

SHA256 hash: 11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
MD5 hash: 291a8d6fe1adf2fca024566c8503d764
SHA1 hash: 9ca786b5151b12a83c87e53e66eddf2ef795cef2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe 11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e (this sample)
Delivery method: Distributed via e-mail attachment
