MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00
SHA3-384 hash: d346290c71dabc2425db6f00c23c738b81c02bb8d8d87efea1028c5b7e7438ff38deb0c2ac41722e359a5b321ebc4a6e
SHA1 hash: 044b5c0672c37b1f940ac2ca2b607773539386f8
MD5 hash: 32b6dd6d0050db25e5a042d97f8bc1e9
humanhash: fanta-alpha-utah-lithium
File name:ORDER SPECIFICATION INQ..exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:673'590 bytes
First seen:2023-12-08 10:00:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 12288:NsGgR4OkE5oIAEqavr//JNYGTTOu+9G2HRWSHyVYY5NmPCipQ+k:NsGghz5o9par/EGTTz+9rRWSHMYY5o/4
Threatray 3'256 similar samples on MalwareBazaar
TLSH T1E7E4125BB72C939ED399C9B2787A033087985F5306509957BFC8FEAE287220D6E071D1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463522/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Launching a process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6572e95e855eb2633d637891/reports/0a41c1dc-27d4-4627-a05f-502274abdfc7/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/06382c06-41f9-4762-8c9b-f3d13dccc91a
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356099
Signature
Antivirus detection for URL or domain
Contains functionality to modify clipboard data
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356099 Sample: ORDER_SPECIFICATION_INQ..exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 42 geoplugin.net 2->42 54 Snort IDS alert for network traffic 2->54 56 Antivirus detection for URL or domain 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 8 other signatures 2->60 10 ORDER_SPECIFICATION_INQ..exe 3 43 2->10         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\Tronflgeren.Bis213, data 10->34 dropped 36 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\Banner.dll, PE32 10->38 dropped 40 C:\Users\user\AppData\Local\...\AdvSplash.dll, PE32 10->40 dropped 13 powershell.exe 12 10->13         started        process6 signatures7 72 Suspicious powershell command line found 13->72 74 Very long command line found 13->74 76 Found suspicious powershell code related to unpacking or dynamic code loading 13->76 16 powershell.exe 15 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 50 Writes to foreign memory regions 16->50 52 Maps a DLL or memory area into another process 16->52 21 wab.exe 4 13 16->21         started        process10 dnsIp11 44 64.188.19.16, 49712, 80 ASN-QUADRANET-GLOBALUS United States 21->44 46 geoplugin.net 178.237.33.50, 49715, 80 ATOM86-ASATOM86NL Netherlands 21->46 48 107.150.18.214, 2404, 49713, 49714 ASN-QUADRANET-GLOBALUS United States 21->48 62 Writes to foreign memory regions 21->62 64 Maps a DLL or memory area into another process 21->64 25 wab.exe 21->25         started        28 wab.exe 21->28         started        30 wab.exe 21->30         started        32 31 other processes 21->32 signatures12 process13 signatures14 66 Tries to steal Instant Messenger accounts or passwords 25->66 68 Tries to steal Mail credentials (via file / registry access) 25->68 70 Tries to harvest and steal browser information (history, passwords, etc) 28->70
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 08:37:43 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
14 of 23 (60.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2ppyscqyi25dvpjdnw5oclh67a7tva6kk3rf3gzuhmzpjrq3maa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00efaea983bd75aa20453d6a0807f5f41d8b117ec6fa7e28d8ca58dbd54a441c
RemcosRAT
045b514767dbbe5c411284ea83b2d47b62b1f7a258f866871bfebc14667ef5e6
RemcosRAT
0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862
RemcosRAT
4dc004e3df7a834d16e8510e90b61e5b211dbef9e563c9d5471ae9ec9f7b9a2c
RemcosRAT
4f22fda1b8750f74b9888362da59a7207f21b3c2321a77ec470f30ada4bbfe62
RemcosRAT
b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9
RemcosRAT
b94bcb3ea1cef8b1759856c06c57264332223216fda926fdb58bc848e5a5494d
RemcosRAT
d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda
RemcosRAT
ec604e744a669546187f8460fa7f28a4deccefb8ec1bdd2115d593351b609d93
RemcosRAT
+ 3'246 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:logs collection downloader rat
Link:
https://tria.ge/reports/231208-l17t1sae38/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Loads dropped DLL
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
107.150.18.214:2404
Unpacked files
SH256 hash:
a87bd092fa5bc00661525455b9f866b68c14c29224520c4e38f56f47234cfc1e
MD5 hash:
f5b0c649b0cfc103fb113d013d48cacb
SHA1 hash:
f89286966000cb053b7e94100c76ec6d1129af07
Link:
https://www.unpac.me/results/dcf90bd2-9d85-47d7-8949-33d27c160d03/
SH256 hash:
1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00
MD5 hash:
32b6dd6d0050db25e5a042d97f8bc1e9
SHA1 hash:
044b5c0672c37b1f940ac2ca2b607773539386f8
Link:
https://www.unpac.me/results/dcf90bd2-9d85-47d7-8949-33d27c160d03/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e9efc4850c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 1e9efc4850c235d1d5e91b6dd70967f7c1f9d41e52b712ecd9a1d997a630db00

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/463522/

Comments