MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d
SHA3-384 hash: abce8f3eae1428c5492b6f0d961740d693597b34f0d6e9d96b91afc707b08cf9e7c64759657bd03c63a8845cea283d74
SHA1 hash: 2555138442a2a4e2a46b52687866853369673e3c
MD5 hash: baeb545361863edaeb8865f850a8d60f
humanhash: alaska-washington-seven-massachusetts
File name:KOSVIET HIFDOC.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'250'304 bytes
First seen:2022-09-20 12:10:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:B7MKPfClE2+mJQKH8iowUvAAFX2s8pGLKZMgA1om78:95PfTbmJRcioCAi21om4
Threatray 1'939 similar samples on MalwareBazaar
TLSH T14845D094965DCA06CC396B30D8A3E5300BAB7D94567EC13F8DCA7CB7B237285D863252
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0307612c88000000 (65 x AgentTesla, 47 x RemcosRAT, 9 x MassLogger)
Reporter malwarelabnet
Tags:exe remcos RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KOSVIET HIFDOC.exe
Verdict:
Malicious activity
Analysis date:
2022-09-20 12:13:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8389086e-dac0-4178-b7cd-ab65eae6e39e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311667/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8082-49972.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6329ade539767769653554a4/reports/f51df106-f34b-4c20-8c3c-c68be92ddeae/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87088bba-db65-4cea-83c7-b39022f39df2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1073662
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 706203 Sample: KOSVIET HIFDOC.exe Startdate: 20/09/2022 Architecture: WINDOWS Score: 100 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 9 other signatures 2->37 7 KOSVIET HIFDOC.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...behaviorgraphKAlmRWejOSC.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp1103.tmp, XML 7->25 dropped 27 C:\Users\user\...\KOSVIET HIFDOC.exe.log, ASCII 7->27 dropped 39 Adds a directory exclusion to Windows Defender 7->39 41 Injects a PE file into a foreign processes 7->41 11 KOSVIET HIFDOC.exe 2 2 7->11         started        15 powershell.exe 21 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 37.0.14.199, 1985, 49700, 49701 WKD-ASIE Netherlands 11->29 43 Installs a global keyboard hook 11->43 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-20 07:17:04 UTC
AV detection:
6 of 39 (15.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6edowoc7uno7msxqncpb3jn4nka5vy3wms223za2wcubtaq66oq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
20d06c9366037f9c7d08d843ddcb74e264accf481dbefd7b1f77669abb4d9be9
RemcosRAT
4f95967b9b1f5532cb570bb1f762328d07ea16c20b6fcf1c4cfde82d06906630
RemcosRAT
58d5e75956574ad0a933ef2c4edaeeb7f601d3360e14ea8bb9a3c2d19e71f974
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
b563d460e40277fd18dfa645f16081ed6328f519e218afc6570dafe951f5feea
RemcosRAT
be4f9d4697e47ff2b6d73b0949a39be6f9defba32f4f4070673efc84de4c6113
RemcosRAT
eaea558cf05de77f2b72fe6ccafbcd63198dd067627d801a40b1b7d95251666f
RemcosRAT
+ 1'929 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:hoest rat
Link:
https://tria.ge/reports/220920-qc8hvsgedl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
37.0.14.199:1985
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4b4b6858-2f0a-4e57-bd5c-bef69cd44810
Unpacked files
SH256 hash:
011d2fe60f4f68630f5652d94f7f1ad34973b0bd3194ced972316e82dcf8248a
MD5 hash:
8096bb9b5715aec239e737cce433146a
SHA1 hash:
f1fbdf62ae74922f6e5bde73e8da9d12c82b4435
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/8b43a08b-bc3b-481e-91c5-98b6183d2ade/
Parent samples :
2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d
dae59f6bb7ed3f23202800f69c92d15991b0937facb79f39204e9d5796c1af64
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/8b43a08b-bc3b-481e-91c5-98b6183d2ade/
SH256 hash:
cd555e61a9ff61d684f6383ec6071ef3b56923f3671772f6eaf669740227399f
MD5 hash:
b4d55277af14b38712a493f37d2ac491
SHA1 hash:
109fa5e10af0e044949eeadf84f6ed74bba8d7a6
Link:
https://www.unpac.me/results/8b43a08b-bc3b-481e-91c5-98b6183d2ade/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/8b43a08b-bc3b-481e-91c5-98b6183d2ade/
SH256 hash:
4360d8d8b2278981e78651184e507e946e126919d676422007f4d4dc3a4cccaa
MD5 hash:
242ad3affa08a40dfd24379fee52a48a
SHA1 hash:
04e94c4a15be46e5387b5a2e254acae322a74a54
Link:
https://www.unpac.me/results/8b43a08b-bc3b-481e-91c5-98b6183d2ade/
SH256 hash:
2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d
MD5 hash:
baeb545361863edaeb8865f850a8d60f
SHA1 hash:
2555138442a2a4e2a46b52687866853369673e3c
Link:
https://www.unpac.me/results/8b43a08b-bc3b-481e-91c5-98b6183d2ade/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2f883759c2fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311667/

Comments