MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
SHA3-384 hash: 2a1228b24259e7092f301b1c10efb33cbce0a62c2858f2eba890f99efb367e87fb0c2c44db8a85525203827373ffdbd5
SHA1 hash: eeb2cf0fa02aee4a59357361f68108e873b07994
MD5 hash: 63a22deccf7a8916cdf1dd0e633393e1
humanhash: winner-twenty-quebec-chicken
File name:1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'086'976 bytes
First seen:2023-07-06 11:02:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:HpQOyqGUL8wWJgEOjS3/KCsvEFbH/oFLFt9pCP:aNqGo8cEmSPqM1f2r9pC
Threatray 2'193 similar samples on MalwareBazaar
TLSH T14535126873A6A40FC82DAE3C1D4A67B9D2F919D27052D3835EE7788FDC5DB8D5A00183
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2ccf4e0e8d1c29c (12 x AgentTesla, 10 x Loki, 2 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
Verdict:
No threats detected
Analysis date:
2023-07-06 11:02:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4193458e-c9d5-47cf-b4f5-49287c3cd81b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/409037/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67413938.28533.18724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed powershell
Link:
https://www.filescan.io/uploads/64a69f66631db84968f1fee2/reports/d11d14c8-e6df-412c-8816-c4e1df3126c3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de51d59b-758c-4ff2-acf1-30a59a5feb72
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1268042
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1268042 Sample: U1jP78wYak.exe Startdate: 06/07/2023 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 8 other signatures 2->50 7 cFeEarSuWf.exe 5 2->7         started        10 U1jP78wYak.exe 7 2->10         started        process3 file4 52 Multi AV Scanner detection for dropped file 7->52 54 Contains functionality to bypass UAC (CMSTPLUA) 7->54 56 Machine Learning detection for dropped file 7->56 64 4 other signatures 7->64 13 schtasks.exe 1 7->13         started        15 cFeEarSuWf.exe 7->15         started        17 cFeEarSuWf.exe 7->17         started        32 C:\Users\user\AppData\...\cFeEarSuWf.exe, PE32 10->32 dropped 34 C:\Users\...\cFeEarSuWf.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp8077.tmp, XML 10->36 dropped 38 C:\Users\user\AppData\...\U1jP78wYak.exe.log, ASCII 10->38 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 10->58 60 Adds a directory exclusion to Windows Defender 10->60 62 Injects a PE file into a foreign processes 10->62 19 U1jP78wYak.exe 3 13 10->19         started        22 powershell.exe 19 10->22         started        24 schtasks.exe 1 10->24         started        signatures5 process6 dnsIp7 26 conhost.exe 13->26         started        40 89.37.99.49, 49697, 5888 BANDWIDTH-ASGB Romania 19->40 42 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 19->42 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        process8
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 02:11:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cra3c2aqps22hdko6rylqdt2ndbbk4znoraj7f2gcb3k4cr3ipna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
112264028268157848387579f46a7b70b4aea67c65c635f1cea9651e0e413467
RemcosRAT
1297278ef746096841eeadfbd09a124e044a52bee1be093b4484f95af475c2b3
RemcosRAT
19d950b878e737ae460d86a723a31b651d9130001b9f1b24b178affa9ceff606
RemcosRAT
7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a
RemcosRAT
882a895b320ba323dccd33d6d82e02b4506b7386a91c63c0c505345796352d67
RemcosRAT
a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7
RemcosRAT
f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
RemcosRAT
+ 2'183 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230706-m5pdxabe4t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
89.37.99.49:5888
Unpacked files
SH256 hash:
abacd80a01bac5ab3716c11e09359943d274a95d089c26d323a5dd10efaf0b41
MD5 hash:
e45ee9b269d810d4b8a58429f371c6f6
SHA1 hash:
db2bd8314e3cac29d66b90d50e5da325d452698e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
3f1bb439dc1e39bdc7ea992cdbacc9583d53e6c4949433f94a8e5be5fa4d3d29
MD5 hash:
be030d800cea4838ad5a4a7559ed3c32
SHA1 hash:
81a03d90b451475d7b229ae91a811800e03f6cb2
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
MD5 hash:
66dec3cfbfa9b0c0e3338190a1257984
SHA1 hash:
5e9759c2ea437ce7b889277a1472570bc403c010
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
Parent samples :
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
SH256 hash:
0e1d78999734d78fe46a4ed698f562a501deb597af7e258725406ad64b0f80d9
MD5 hash:
9f716cbae6501c076e5f5dd36a79c145
SHA1 hash:
4c3075a7fcd297e4f3d7d68514b1635a05be0b3e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
abacd80a01bac5ab3716c11e09359943d274a95d089c26d323a5dd10efaf0b41
MD5 hash:
e45ee9b269d810d4b8a58429f371c6f6
SHA1 hash:
db2bd8314e3cac29d66b90d50e5da325d452698e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
3f1bb439dc1e39bdc7ea992cdbacc9583d53e6c4949433f94a8e5be5fa4d3d29
MD5 hash:
be030d800cea4838ad5a4a7559ed3c32
SHA1 hash:
81a03d90b451475d7b229ae91a811800e03f6cb2
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
abacd80a01bac5ab3716c11e09359943d274a95d089c26d323a5dd10efaf0b41
MD5 hash:
e45ee9b269d810d4b8a58429f371c6f6
SHA1 hash:
db2bd8314e3cac29d66b90d50e5da325d452698e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
MD5 hash:
66dec3cfbfa9b0c0e3338190a1257984
SHA1 hash:
5e9759c2ea437ce7b889277a1472570bc403c010
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
Parent samples :
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
3f1bb439dc1e39bdc7ea992cdbacc9583d53e6c4949433f94a8e5be5fa4d3d29
MD5 hash:
be030d800cea4838ad5a4a7559ed3c32
SHA1 hash:
81a03d90b451475d7b229ae91a811800e03f6cb2
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
0e1d78999734d78fe46a4ed698f562a501deb597af7e258725406ad64b0f80d9
MD5 hash:
9f716cbae6501c076e5f5dd36a79c145
SHA1 hash:
4c3075a7fcd297e4f3d7d68514b1635a05be0b3e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
MD5 hash:
66dec3cfbfa9b0c0e3338190a1257984
SHA1 hash:
5e9759c2ea437ce7b889277a1472570bc403c010
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
Parent samples :
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
SH256 hash:
0e1d78999734d78fe46a4ed698f562a501deb597af7e258725406ad64b0f80d9
MD5 hash:
9f716cbae6501c076e5f5dd36a79c145
SHA1 hash:
4c3075a7fcd297e4f3d7d68514b1635a05be0b3e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
abacd80a01bac5ab3716c11e09359943d274a95d089c26d323a5dd10efaf0b41
MD5 hash:
e45ee9b269d810d4b8a58429f371c6f6
SHA1 hash:
db2bd8314e3cac29d66b90d50e5da325d452698e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
3f1bb439dc1e39bdc7ea992cdbacc9583d53e6c4949433f94a8e5be5fa4d3d29
MD5 hash:
be030d800cea4838ad5a4a7559ed3c32
SHA1 hash:
81a03d90b451475d7b229ae91a811800e03f6cb2
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
MD5 hash:
66dec3cfbfa9b0c0e3338190a1257984
SHA1 hash:
5e9759c2ea437ce7b889277a1472570bc403c010
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
Parent samples :
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
SH256 hash:
0e1d78999734d78fe46a4ed698f562a501deb597af7e258725406ad64b0f80d9
MD5 hash:
9f716cbae6501c076e5f5dd36a79c145
SHA1 hash:
4c3075a7fcd297e4f3d7d68514b1635a05be0b3e
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
SH256 hash:
1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da
MD5 hash:
63a22deccf7a8916cdf1dd0e633393e1
SHA1 hash:
eeb2cf0fa02aee4a59357361f68108e873b07994
Link:
https://www.unpac.me/results/d237a339-97b6-4179-b9a6-f0a81a0f9402/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1441b168107c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1441b168107cb5a38d4ef470b80e7a68c215732d74409f97461076ae0a3b43da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/409037/

Comments