MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37
SHA3-384 hash: d16eb32fdc265709fe94fe2cbf734a4d179fd0993565130481f117d354a844e204b2c9d9be6e550a65a20a9fe8d0645b
SHA1 hash: 5abc7f1ed4be2703f084e4c964398a3a26abfa0d
MD5 hash: 330486023aa5bab06c365929237ccdc9
humanhash: idaho-iowa-october-moon
File name:22098846839_ FW 00066823_pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'025'024 bytes
First seen:2023-05-05 10:20:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:mS+CJ8PwGZajtOFNrclmZ7397OGUHkhTVbG:EPKhOMlmv7DBV
Threatray 1'999 similar samples on MalwareBazaar
TLSH T1E625011133B9FBA1ECE583F8B208E1015F655C61E3B9F7E84ECBF0D84458729A654A93
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
22098846839_ FW 00066823_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 10:23:15 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/c40fa007-80ab-4d4f-850c-fd9da1acf7dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386749/
Detection(s):
SecuriteInfo.com.Variant.Barys.351838.4092.18130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Gathering data
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/673bcce0-69a5-4e37-9898-ae14312ecce8
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226791
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 859755 Sample: 22098846839__FW_00066823_pdf.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 8 other signatures 2->52 7 GhkbgYlwhgywzf.exe 5 2->7         started        10 22098846839__FW_00066823_pdf.exe 7 2->10         started        process3 file4 54 Multi AV Scanner detection for dropped file 7->54 56 Contains functionality to bypass UAC (CMSTPLUA) 7->56 58 Machine Learning detection for dropped file 7->58 64 5 other signatures 7->64 13 schtasks.exe 1 7->13         started        15 GhkbgYlwhgywzf.exe 7->15         started        17 GhkbgYlwhgywzf.exe 7->17         started        32 C:\Users\user\AppData\...behaviorgraphhkbgYlwhgywzf.exe, PE32 10->32 dropped 34 C:\...behaviorgraphhkbgYlwhgywzf.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmpE726.tmp, XML 10->36 dropped 38 C:\...\22098846839__FW_00066823_pdf.exe.log, ASCII 10->38 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 10->60 62 Adds a directory exclusion to Windows Defender 10->62 19 22098846839__FW_00066823_pdf.exe 3 13 10->19         started        22 powershell.exe 18 10->22         started        24 schtasks.exe 1 10->24         started        signatures5 process6 dnsIp7 26 conhost.exe 13->26         started        40 64.112.85.218, 4888, 49695, 49697 UNIREGISTRYKY Reserved 19->40 42 geoplugin.net 178.237.33.50, 49696, 80 ATOM86-ASATOM86NL Netherlands 19->42 44 192.168.2.1 unknown unknown 19->44 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 10:21:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgbw6znqrfylqoggj3yp7vpy6tmo2idduhpsxatohxe6m2z4r43q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
10889504234fe600c781aefe6ba0918e2e1d98a777f6e4e03da6d006a06bffb0
RemcosRAT
2416e5bfdf5fc88f9d7ceaf117cd1173370b357b8d4b5070f81f0df7a0253075
RemcosRAT
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
RemcosRAT
481424e182c128fe78c458c8939ab2a928e04793c1f888f93899fbd9ba3f6954
RemcosRAT
4c88e26f710c4aec376be1d0162bc0edbb5dc0092f5c786c9f5c15b4c5bc9706
RemcosRAT
61141d9453d13d203de8255903f1aec9fea4906616f000cca0b906a58d754cca
RemcosRAT
6118fb1f75058c3bd77040399fad44126181a9b131396a4f1ab7e6622c826dda
RemcosRAT
658096abeec050d60d6fd1bfbf66e1f7b4496b0d3fa17eb84bc9c5badd587e06
RemcosRAT
814e073523aed94d4433e76ef0d0ecaa94224313fb4e54e6716b26e22f06e5ac
RemcosRAT
b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
RemcosRAT
+ 1'989 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230505-mdncjabd2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
64.112.85.218:4888
Unpacked files
SH256 hash:
aa658f742c9a3e77b8be71f04892859ace28176dfb1261a30601b07b782285fa
MD5 hash:
4613aa3188742c2a26906373b319d161
SHA1 hash:
cf74a7dc2cf335f5852832f9d3f04c715421f5db
Link:
https://www.unpac.me/results/7feae2bb-65ce-4bc1-95bd-36c24ae353d3/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/7feae2bb-65ce-4bc1-95bd-36c24ae353d3/
SH256 hash:
d9a5cb223770f259e4b777d9aa0056405d84cb3a369ff729eab610a9da689a86
MD5 hash:
a349abfb6a1dc8fed4ee0bbd72bd9d5c
SHA1 hash:
64681923a3b2b5204af2d5595bd1d03b435ed794
Link:
https://www.unpac.me/results/7feae2bb-65ce-4bc1-95bd-36c24ae353d3/
SH256 hash:
0fd3b2b83fd32d325c883e0c6a576bb2dd9f2f37973eca5b9095fca7fce0e108
MD5 hash:
2f4a0cb398c13ca691687b3b1a98e90e
SHA1 hash:
5f7a070f3ff0a81941dfff94f194e9350306297e
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/7feae2bb-65ce-4bc1-95bd-36c24ae353d3/
Parent samples :
19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37
1a925bac006fd8d7a5d58d0229eabe2e30634626731add96939b0ab542c446a5
3bebabea8a9d00a8add9979fe330b1e0494a4595677929f8c94f3d7e9e04997d
cf8056e691bd5d73dbffedb8228a1cb2bee27791633c7cf2114041112f66b93d
d6f7d0850a40002f01cc66f19db67872e8606dd114825a351fcd618b8f375599
SH256 hash:
be17db13feec5ace2d7d85f8331eedd56784662b48706be78985e0e35f238335
MD5 hash:
1558e7e7d08714a45ad2a729c91126bc
SHA1 hash:
1abef9e5218c28e54ca7c749145a5a17148241b0
Link:
https://www.unpac.me/results/7feae2bb-65ce-4bc1-95bd-36c24ae353d3/
SH256 hash:
19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37
MD5 hash:
330486023aa5bab06c365929237ccdc9
SHA1 hash:
5abc7f1ed4be2703f084e4c964398a3a26abfa0d
Link:
https://www.unpac.me/results/7feae2bb-65ce-4bc1-95bd-36c24ae353d3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19836f65b089/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 611823a53d33e7dd2cae401be4b3836a4ffa9b85737610e0bf2e36159c7a3861

RemcosRAT

Executable exe 19836f65b08970b838c64ef0ffd5f8f4d8ed2063a1df2b826e3dc9e66b3c8f37

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 611823a53d33e7dd2cae401be4b3836a4ffa9b85737610e0bf2e36159c7a3861
Cape
Cape
https://www.capesandbox.com/analysis/386749/
  
Dropped by
MD5 8800c1f0fd580b3c42290e7372418751

Comments