MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
SHA3-384 hash: 21f569856e8bedb967e48a9d3d7fcf262da737f593dafec5638a0300db1677fc05738a5d0c4cd08946a46d37d9944dac
SHA1 hash: 65be1b89c1657cf5de8fd5a43b24e4f4ef7bc0db
MD5 hash: e7431988e8a40e71933be99ca885dfc5
humanhash: johnny-leopard-bluebird-foxtrot
File name:2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'089'536 bytes
First seen:2023-06-02 12:29:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:eXLaVUH999Jj1XUO+0eQbtdhrICc3SwjbVOp:IBH991EOZv0Cc3SwfV
Threatray 2'034 similar samples on MalwareBazaar
TLSH T199350111B1BB4B1BC5BB93F58604A2345BBE5A9CB872E70B8ECBF4D75521F015A80B13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
Verdict:
Malicious activity
Analysis date:
2023-06-02 12:29:18 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/769027ce-4246-42fd-882a-0029f620ab09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394785/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67303257.17752.22541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed remcos
Link:
https://www.filescan.io/uploads/6479e0cc5505e69a23249eb2/reports/a8544d7a-99ee-4d4c-af2e-529dca8cb704/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e3aa011-d819-48fa-8d11-6420bc7d6b07
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1247563
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 880583 Sample: j8hNdiX5mu.exe Startdate: 02/06/2023 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 7 other signatures 2->48 7 cTqBEQFTsgS.exe 5 2->7         started        10 j8hNdiX5mu.exe 7 2->10         started        process3 file4 50 Multi AV Scanner detection for dropped file 7->50 52 Contains functionality to bypass UAC (CMSTPLUA) 7->52 54 Machine Learning detection for dropped file 7->54 62 4 other signatures 7->62 13 schtasks.exe 1 7->13         started        15 cTqBEQFTsgS.exe 7->15         started        30 C:\Users\user\AppData\...\cTqBEQFTsgS.exe, PE32 10->30 dropped 32 C:\Users\...\cTqBEQFTsgS.exe:Zone.Identifier, ASCII 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmpC3FD.tmp, XML 10->34 dropped 36 C:\Users\user\AppData\...\j8hNdiX5mu.exe.log, ASCII 10->36 dropped 56 Uses schtasks.exe or at.exe to add and modify task schedules 10->56 58 Adds a directory exclusion to Windows Defender 10->58 60 Injects a PE file into a foreign processes 10->60 17 j8hNdiX5mu.exe 3 13 10->17         started        20 powershell.exe 21 10->20         started        22 schtasks.exe 1 10->22         started        signatures5 process6 dnsIp7 24 conhost.exe 13->24         started        38 89.37.99.49, 49699, 5888 BANDWIDTH-ASGB Romania 17->38 40 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 17->40 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        process8
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 14:19:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecmgnd7idqv6lg3tgb5h7hklomg5djsuv7zxkhwwngft6arvy22a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
036f901bbb4baa9472c984aa6c7e9786f252371c85e469d56c656f4b97c47e9f
RemcosRAT
3784e3fe1f4905e731a48543d4eb3b9db4e6ae6352f2a5b46974457e1fa0e27c
RemcosRAT
6606e8e5dbcaf4e3c38620c97849f456c0bac6999a075575d7f24ed742c4ebef
RemcosRAT
697c1f0051fe7230dd1cd8c8a23867cb69912ffe09e0d71950de153b19f41133
RemcosRAT
6ba348dfac24550cca10be771bafa25a19f9baca0651f4467c71b8974a163061
RemcosRAT
77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
RemcosRAT
c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
RemcosRAT
d4bbd5ce6f012df9861c4bee326c87539c7b92b5cbdfb73b54fd7f1321d15eb9
RemcosRAT
d7300cfd284114c32015ed2c8d711f8d5c204428e85addd79fc73539c024ca7e
RemcosRAT
e28f5580f49499fbe090745eb426fce6b027c44a07f9319dd239826aad4f6d8b
RemcosRAT
+ 2'024 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230602-ppf4psbc82/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
89.37.99.49:5888
Unpacked files
SH256 hash:
eb414edfb8788cfa7e49b8497b653e5914f9194c00a33ba80f370a626f8888af
MD5 hash:
865855c2ce442057ccfa573cf25ebbae
SHA1 hash:
e7b4924a553f53a2a171836ef0c5643c8fb03a5b
Link:
https://www.unpac.me/results/ec63298d-10c6-4463-9526-f742fa7ee996/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/ec63298d-10c6-4463-9526-f742fa7ee996/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
5676b7a9cb31786a924b94b9dd8f92db7bf7beb4fe0267b077e9240c531d3af7
MD5 hash:
f5d1bb9e0efcb13c9c3d60916e671b13
SHA1 hash:
815c85347a0b400d89f6991e5771fa3b6c828f53
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/ec63298d-10c6-4463-9526-f742fa7ee996/
Parent samples :
2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
5676b7a9cb31786a924b94b9dd8f92db7bf7beb4fe0267b077e9240c531d3af7
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/ec63298d-10c6-4463-9526-f742fa7ee996/
SH256 hash:
d9e91a067398f7bd1e00b3ce8e026de97286c773ae8e367d09707c88e9b1fc16
MD5 hash:
2630718f17e8377e37f1d9f5c7f35c3d
SHA1 hash:
137c96a992f70249e7f2ead1cd794405672b12e7
Link:
https://www.unpac.me/results/ec63298d-10c6-4463-9526-f742fa7ee996/
SH256 hash:
2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4
MD5 hash:
e7431988e8a40e71933be99ca885dfc5
SHA1 hash:
65be1b89c1657cf5de8fd5a43b24e4f4ef7bc0db
Link:
https://www.unpac.me/results/ec63298d-10c6-4463-9526-f742fa7ee996/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2098668fe81c2be59b73307a7f9d4b730dd1a654aff3751ed6698b3f0235c6b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/394785/

Comments