MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338
SHA3-384 hash: bb0b81df952f737a1336c559b3ff4e2dd06c9a3c82ebec87d70729df9181f99ea7402de461f19f55fd43398b130e5e09
SHA1 hash: 25e62db6f0c021190ae1d22fe55be31fc498de76
MD5 hash: cbc0e92c0e19c01cc99d1fc4175f72ff
humanhash: sixteen-eight-salami-stairway
File name:RFQ Document For December Final Products _Import 20221208_pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:579'804 bytes
First seen:2022-12-08 10:49:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 12288:X7DVY/4GwaPdMuAH3w/wjXWlb43mZYYLOsgXJkY:X9Y/4Gw6qg4jXWlc0YYBg5D
TLSH T19EC4231376980DB7C65E8971ECAB1A5BD3B6FE298B202EC34B50777C5435186AC2E4C3
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f2d6d6c6c6e6d0d2 (2 x Formbook, 2 x RemcosRAT, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344274/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.11365.30996.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6391c15c75655a0108ea7f0e/reports/3fa7e72b-d9dd-4a49-9b22-73637f4a7856/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18ff3fe3-f514-484a-b509-6dc19d66d584
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130626
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 763350 Sample: RFQ Document For December F... Startdate: 08/12/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Remcos RAT 2->53 55 3 other signatures 2->55 7 RFQ Document For December Final Products _Import 20221208_pdf.exe 19 2->7         started        10 eldesk32.exe 1 2->10         started        13 eldesk32.exe 1 2->13         started        process3 file4 33 C:\Users\user\AppData\...\vanowituyh.exe, PE32 7->33 dropped 15 vanowituyh.exe 1 3 7->15         started        57 Antivirus detection for dropped file 10->57 59 Multi AV Scanner detection for dropped file 10->59 61 Machine Learning detection for dropped file 10->61 19 WerFault.exe 10 10->19         started        21 conhost.exe 10->21         started        23 WerFault.exe 4 10 13->23         started        25 conhost.exe 13->25         started        signatures5 process6 file7 35 C:\Users\user\AppData\...\eldesk32.exe, PE32 15->35 dropped 41 Antivirus detection for dropped file 15->41 43 Multi AV Scanner detection for dropped file 15->43 45 Performs DNS queries to domains with low reputation 15->45 47 5 other signatures 15->47 27 vanowituyh.exe 2 16 15->27         started        31 conhost.exe 15->31         started        signatures8 process9 dnsIp10 37 fineboy.andosela.xyz 37.120.153.94, 2829, 49696 M247GB Romania 27->37 39 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 27->39 63 Installs a global keyboard hook 27->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-08 07:40:46 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzvpk57b2x275kmdekdedmfs63fmx5hwyrsnzqgymcgon7susm4a._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:mainceleb persistence rat
Link:
https://tria.ge/reports/221208-mw82yscf8t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
fineboy.andosela.xyz:2829
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c4678829-c7c7-4bf8-9428-19fa6b2ef03d
Unpacked files
SH256 hash:
0edfe3e40e9c678761e0f1fcc9a916ad9b20aecea843517dca6cd5f53fffbb12
MD5 hash:
5e1d0c775e2adbd5d636edc7d463041d
SHA1 hash:
4dc93fc8fb444afdaf039320dd0be1f0c88ebd9f
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/7bb4849c-3b4a-4539-9b1c-5df8a0f1a6a1/
Parent samples :
1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338
9e2bf00ed331c02f9ce582339b8cc771a5422998154b7310a5b3bbcc8fc2dc6c
SH256 hash:
545faf663591c5393cac30b9f6a7379023ab5a89cf853ffa28d0e4d9dd4bd466
MD5 hash:
9e13952ff9d01e8059a8b2c3a0496f10
SHA1 hash:
04834f35120d40bc2f66cf8da2098559bafcfb48
Link:
https://www.unpac.me/results/7bb4849c-3b4a-4539-9b1c-5df8a0f1a6a1/
SH256 hash:
1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338
MD5 hash:
cbc0e92c0e19c01cc99d1fc4175f72ff
SHA1 hash:
25e62db6f0c021190ae1d22fe55be31fc498de76
Link:
https://www.unpac.me/results/7bb4849c-3b4a-4539-9b1c-5df8a0f1a6a1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e6af577e1d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 1e6af577e1d5f5fea983228641b0b2f6cacbf4f6c464dcc0d8608ce6fe549338

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/344274/

Comments