MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640
SHA3-384 hash: 1eafb56e0316cfdfd3ccff344cd387ff26fa13a09ba277b698ce6af40485fe8171db15e52a92c16e976ddeb4a7cef03f
SHA1 hash: ec811a7cd3929fbc484e998bb3d80499115f23e3
MD5 hash: 4dbf4f14350bf4d3fe882d437538a3cc
humanhash: cat-mars-minnesota-muppet
File name:Request For Quotation 01.300.TRGVH.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'230'336 bytes
First seen:2022-10-22 15:47:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:e06SX1TnLMAvCGVcTHZifsxD3AbXAXENdNJKiden:HXHaGVcQK3ADGqBU
Threatray 3'536 similar samples on MalwareBazaar
TLSH T1DD458CB626D51217E42972B59083E1F326FBAE406041E2C395D35F6FBC852FB961338B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Request For Quotation 01.300.TRGVH.exe
Verdict:
Malicious activity
Analysis date:
2022-10-22 15:50:17 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/7898452a-5173-43d8-a6a5-4026db68d90a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/322697/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/635410b34fc319a52d56464b/reports/96d5cdcb-758c-4006-8863-c8ecb63c01a9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90df7acb-9b24-450f-9d49-dae909782b6b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095555
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728196 Sample: Request For Quotation 01.30... Startdate: 22/10/2022 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 9 other signatures 2->61 7 Request For Quotation 01.300.TRGVH.exe 7 2->7         started        12 cWeSROK.exe 5 2->12         started        process3 dnsIp4 47 192.168.2.1 unknown unknown 7->47 37 C:\Users\user\AppData\Roaming\cWeSROK.exe, PE32 7->37 dropped 39 C:\Users\user\...\cWeSROK.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpC191.tmp, XML 7->41 dropped 43 Request For Quotat...1.300.TRGVH.exe.log, ASCII 7->43 dropped 63 Adds a directory exclusion to Windows Defender 7->63 65 Injects a PE file into a foreign processes 7->65 14 Request For Quotation 01.300.TRGVH.exe 2 16 7->14         started        19 powershell.exe 21 7->19         started        21 powershell.exe 19 7->21         started        27 2 other processes 7->27 67 Multi AV Scanner detection for dropped file 12->67 69 Machine Learning detection for dropped file 12->69 23 schtasks.exe 12->23         started        25 cWeSROK.exe 12->25         started        file5 signatures6 process7 dnsIp8 49 51.75.209.245, 2404, 49702 OVHFR France 14->49 51 geoplugin.net 178.237.33.50, 49703, 80 ATOM86-ASATOM86NL Netherlands 14->51 45 C:\ProgramData\remcos\logs.dat, data 14->45 dropped 53 Installs a global keyboard hook 14->53 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 20:36:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=drxah4bjhlog353qodqongekm53vgmz3dbofvolf2fm5oxqhwzaa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e76cebc404b8a79e2ab806a3e501b9d2f7260ea1d12f804320c1130be205dff6
RemcosRAT
+ 3'526 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/221022-s8rlbsdhe4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
51.75.209.245:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/49d00cfe-c107-468a-a285-2002b0163b4a
Unpacked files
SH256 hash:
f14b13530018ea5997fb258fa2b48e6458341a48c637675d82bd4d3b32d71248
MD5 hash:
424b510a4f3621187803d06e6113da28
SHA1 hash:
803aacca490839761996e1742a0ecd41e728b19e
Link:
https://www.unpac.me/results/dd97c4e6-df97-4def-a854-71f58d9ae959/
SH256 hash:
0a8b70b33ceded0ea1ad2e7bb0f800770ca765f3922122c69c0e4ffa094aa5a5
MD5 hash:
5d1e46ab2ff0d4e2a422a8ebfe36b36c
SHA1 hash:
40d7390baf44b22280c133b60487015211a2516f
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/dd97c4e6-df97-4def-a854-71f58d9ae959/
Parent samples :
1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640
881c36d477296d428586f4dbb755fe83e9f4a2555d5f7f3cb463c63703c101f7
SH256 hash:
c218e7e36f1b4d4707f5708c13926c4e336d4c3b9554aa42f83bc871dc85a171
MD5 hash:
b79814b96c2f17ba4e2b8e79db7164c5
SHA1 hash:
3893a451db3ecaab9073fd50bc9a6c14aabc13b6
Link:
https://www.unpac.me/results/dd97c4e6-df97-4def-a854-71f58d9ae959/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/dd97c4e6-df97-4def-a854-71f58d9ae959/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/dd97c4e6-df97-4def-a854-71f58d9ae959/
SH256 hash:
1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640
MD5 hash:
4dbf4f14350bf4d3fe882d437538a3cc
SHA1 hash:
ec811a7cd3929fbc484e998bb3d80499115f23e3
Link:
https://www.unpac.me/results/dd97c4e6-df97-4def-a854-71f58d9ae959/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1c6e03f0293a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 1c6e03f0293adc6df77070e0e6988a677753333b185c5ab965d159d75e07b640

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322697/

Comments