MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60
SHA3-384 hash: 322bafeeb77cd08025bbadaae70cc7995fad5977afc55226de390c02cc767d6b3e201c880dea826407797aae747558bf
SHA1 hash: cb471f55730e97ddb6cb00bd7d681e22ff2846b8
MD5 hash: e6d7b1f7db7c426bc64b5917699cd239
humanhash: washington-maine-king-pip
File name:PURCHASE ORDER.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'176'064 bytes
First seen:2021-12-01 03:52:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:9OtwRgr4pTBJTIOe1t7BKEmE5/EeImCMj1Mt:LeX1tdKEZ/VLCMh
Threatray 1'467 similar samples on MalwareBazaar
TLSH T15145467461F9C6D6C1A874B8EC0BB0F442A0EE25D465DD8F3C897E8A31B1B91F53225E
File icon (PE):PE icon
dhash icon 316d4d4d5d554569 (4 x AgentTesla, 4 x Stealc, 3 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-12-01 03:56:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/553543e6-f0eb-4e19-bc7a-36b3c75f223e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210153/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Changing a file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a6f1a09954e0c6bf794937/reports/4c7874cd-4b5a-413b-821d-7a0a13c44e7d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6003f9f2-06ed-4e6c-9e39-66f8fab9a39f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899144
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Disables UAC (registry)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 531622 Sample: PURCHASE ORDER.exe Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 120 mdec.nelreports.net 2->120 122 js.monitor.azure.com 2->122 124 3 other IPs or domains 2->124 140 Malicious sample detected (through community Yara rule) 2->140 142 Multi AV Scanner detection for dropped file 2->142 144 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->144 146 19 other signatures 2->146 14 PURCHASE ORDER.exe 7 2->14         started        18 eth.exe 2->18         started        20 eth.exe 2->20         started        signatures3 process4 file5 114 C:\Users\user\AppData\...\xVxWQCfjRGpcE.exe, PE32 14->114 dropped 116 C:\Users\user\AppData\Local\Temp\tmpEDE.tmp, XML 14->116 dropped 118 C:\Users\user\...\PURCHASE ORDER.exe.log, ASCII 14->118 dropped 172 Adds a directory exclusion to Windows Defender 14->172 22 PURCHASE ORDER.exe 4 5 14->22         started        25 powershell.exe 21 14->25         started        27 schtasks.exe 1 14->27         started        signatures6 process7 file8 108 C:\Users\user\AppData\Roaming\eth\eth.exe, PE32 22->108 dropped 110 C:\Users\user\...\eth.exe:Zone.Identifier, ASCII 22->110 dropped 112 C:\Users\user\AppData\Local\...\install.vbs, data 22->112 dropped 29 wscript.exe 1 22->29         started        32 cmd.exe 1 22->32         started        34 conhost.exe 25->34         started        36 conhost.exe 27->36         started        process9 signatures10 162 Deletes itself after installation 29->162 38 cmd.exe 1 29->38         started        40 reg.exe 1 32->40         started        43 conhost.exe 32->43         started        process11 signatures12 45 eth.exe 4 38->45         started        48 conhost.exe 38->48         started        156 Disables UAC (registry) 40->156 process13 signatures14 164 Multi AV Scanner detection for dropped file 45->164 166 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->166 168 Adds a directory exclusion to Windows Defender 45->168 170 2 other signatures 45->170 50 eth.exe 45->50         started        55 powershell.exe 45->55         started        57 schtasks.exe 45->57         started        process15 dnsIp16 126 23.105.131.244, 2404, 49750, 49751 LEASEWEB-USA-NYC-11US United States 50->126 128 127.0.0.1 unknown unknown 50->128 100 C:\Users\user\...\time_20211201_082457.dat, data 50->100 dropped 102 C:\Users\user\...\time_20211201_081447.dat, data 50->102 dropped 104 C:\Users\user\...\time_20211201_080445.dat, data 50->104 dropped 106 19 other malicious files 50->106 dropped 148 Detected Remcos RAT 50->148 150 Tries to harvest and steal browser information (history, passwords, etc) 50->150 152 Writes to foreign memory regions 50->152 154 3 other signatures 50->154 59 eth.exe 50->59         started        62 eth.exe 50->62         started        64 svchost.exe 50->64         started        70 9 other processes 50->70 66 conhost.exe 55->66         started        68 conhost.exe 57->68         started        file17 signatures18 process19 signatures20 158 Tries to steal Instant Messenger accounts or passwords 59->158 160 Tries to steal Mail credentials (via file / registry access) 59->160 72 chrome.exe 64->72         started        75 chrome.exe 64->75         started        77 chrome.exe 70->77         started        79 chrome.exe 70->79         started        81 chrome.exe 70->81         started        83 5 other processes 70->83 process21 dnsIp22 136 192.168.2.1 unknown unknown 72->136 138 239.255.255.250 unknown Reserved 72->138 85 chrome.exe 72->85         started        88 chrome.exe 75->88         started        90 chrome.exe 77->90         started        92 chrome.exe 79->92         started        94 chrome.exe 81->94         started        96 chrome.exe 83->96         started        98 chrome.exe 83->98         started        process23 dnsIp24 130 googlehosted.l.googleusercontent.com 142.250.180.161, 443, 49936 GOOGLEUS United States 85->130 132 clients.l.google.com 142.250.184.46, 443, 49755, 49915 GOOGLEUS United States 85->132 134 8 other IPs or domains 85->134
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 03:53:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dd2rygocfekomngzz7gymamom5xjduoeveutyjd2hso2qtooh5qa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3
RemcosRAT
8d99a854713aa68aafd4d6bc5d3b37677e1f1bdd65b0fc8ac459100541ee0415
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
bba5c5738cb5e83793455f2fd91f77382197d36ef98c4a8580814f9da29da9dc
RemcosRAT
bc6387778b4a0caf34719e4de78d1ea6ecd96ba40a2e1e0997ae91dfe221807e
RemcosRAT
da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc
RemcosRAT
ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925
RemcosRAT
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732
RemcosRAT
+ 1'457 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft evasion persistence phishing rat spyware stealer trojan
Link:
https://tria.ge/reports/211201-efmj1sdaa9/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NirSoft WebBrowserPassView
Nirsoft
Remcos
UAC bypass
Malware Config
C2 Extraction:
127.0.0.1:2404
23.105.131.244:2404
23.105.131.244:3390
23.105.131.244:4290
Unpacked files
SH256 hash:
9ce0b0e11c7c1b2cfc2378182ec7ba54608806970f105355859f6c8eb5fdfbeb
MD5 hash:
6fd7c312b4d0764fc6aefbfa6ef16d8f
SHA1 hash:
817e0bc9eb9d5b719b82710290e6e44b317e04e7
Link:
https://www.unpac.me/results/14c1c2b0-1dad-468b-aff1-f9147e0c5882/
SH256 hash:
b1171c0b6e400356f32c55c92ba34ce2c02469d0e4e12d116be87dbb234a2e4c
MD5 hash:
c48b3b87a9c63b3df10462c74b8e95c1
SHA1 hash:
568c1b8ec2dad126affccde78a5da58054f5bedb
Link:
https://www.unpac.me/results/14c1c2b0-1dad-468b-aff1-f9147e0c5882/
SH256 hash:
18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60
MD5 hash:
e6d7b1f7db7c426bc64b5917699cd239
SHA1 hash:
cb471f55730e97ddb6cb00bd7d681e22ff2846b8
Link:
https://www.unpac.me/results/14c1c2b0-1dad-468b-aff1-f9147e0c5882/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/18f51c19c229/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 18f51c19c22914e634d9cfcd86018e676e91d1c4a9293c247a3c9da84dce3f60

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/210153/

Comments