MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977
SHA3-384 hash: 2f4e6ce47247345ea21c340f0836d2b1c7df0d806313bb46819180b9e93ebff4e7894939f8363507f0adaa1d6ce9e3ff
SHA1 hash: 1cc2efd766b673566961e397ec1088f988c7f762
MD5 hash: 84d034b010bac73cd55bfb6a7f14dede
humanhash: kentucky-princess-hawaii-sierra
File name:Payment Copy.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:976'896 bytes
First seen:2023-05-24 15:07:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:j2N8jiZ4zypIPslJTDETLeWIAmZoMhHcRosX32J/PW/ZmvsSX:j2N8jiZ4zypIPoJTDEWqsoM5cXmtiZ0X
Threatray 1'947 similar samples on MalwareBazaar
TLSH T13A25128176BE7B46DCBB5BF14550653C073A6CA6B433E20B9E83B0C656B1B450E12F2B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon eccc8c94d4d8e8f4 (21 x Formbook, 15 x AgentTesla, 5 x Loki)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Copy.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-24 15:08:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b31004e-57d5-4464-89fd-660ef5e614ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391192/
Detection(s):
SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.3612.1176.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed remcos
Link:
https://www.filescan.io/uploads/646e2853e3a9e80a32bf3298/reports/0862b177-ed9f-4f40-99b5-0e58fa6e9ec9/overview
Verdict:
Malicious
Labled as:
Trojan.IEC.Generic
Link:
https://www.hybrid-analysis.com/sample/35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc9d21c8-c309-46d0-bdf1-04aa9110f8d5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241861
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 874869 Sample: Payment_Copy.pdf.exe Startdate: 24/05/2023 Architecture: WINDOWS Score: 100 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->91 93 7 other signatures 2->93 11 Payment_Copy.pdf.exe 4 2->11         started        15 mysoftware.exe 2 2->15         started        17 mysoftware.exe 2->17         started        process3 file4 71 C:\Users\user\...\Payment_Copy.pdf.exe.log, ASCII 11->71 dropped 107 Contains functionality to bypass UAC (CMSTPLUA) 11->107 109 Contains functionality to steal Chrome passwords or cookies 11->109 111 Contains functionality to modify clipboard data 11->111 115 3 other signatures 11->115 19 Payment_Copy.pdf.exe 2 3 11->19         started        22 powershell.exe 20 11->22         started        24 Payment_Copy.pdf.exe 11->24         started        26 Payment_Copy.pdf.exe 11->26         started        113 Injects a PE file into a foreign processes 15->113 28 mysoftware.exe 15->28         started        30 mysoftware.exe 15->30         started        32 mysoftware.exe 17->32         started        signatures5 process6 file7 67 C:\Users\user\AppData\...\mysoftware.exe, PE32 19->67 dropped 69 C:\Users\...\mysoftware.exe:Zone.Identifier, ASCII 19->69 dropped 34 mysoftware.exe 4 19->34         started        37 conhost.exe 22->37         started        process8 signatures9 95 Multi AV Scanner detection for dropped file 34->95 97 Machine Learning detection for dropped file 34->97 99 Adds a directory exclusion to Windows Defender 34->99 39 mysoftware.exe 34->39         started        43 powershell.exe 19 34->43         started        45 mysoftware.exe 34->45         started        process10 dnsIp11 77 85.217.144.119, 4031, 49721, 49822 WS171-ASRU Bulgaria 39->77 79 geoplugin.net 178.237.33.50, 49722, 80 ATOM86-ASATOM86NL Netherlands 39->79 101 Writes to foreign memory regions 39->101 103 Maps a DLL or memory area into another process 39->103 105 Installs a global keyboard hook 39->105 47 svchost.exe 39->47         started        49 svchost.exe 39->49         started        51 conhost.exe 43->51         started        signatures12 process13 process14 53 chrome.exe 47->53         started        56 chrome.exe 49->56         started        58 chrome.exe 49->58         started        dnsIp15 73 192.168.2.1 unknown unknown 53->73 75 239.255.255.250 unknown Reserved 53->75 60 chrome.exe 53->60         started        63 chrome.exe 56->63         started        65 chrome.exe 58->65         started        process16 dnsIp17 81 microsoftmscompoc.tt.omtrdc.net 60->81 83 mdec.nelreports.net 60->83 85 13 other IPs or domains 60->85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 12:41:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gw5mpodzrqlggaxjgzsmaj64gewq7flojoijdsfwyq7kpl57jf3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0aefad4e27d919ecb1cf49ac9fd7064fb6501f9043be4eba99910be475a29bbd
RemcosRAT
4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864
RemcosRAT
5458794f2a5d1f35a638a4278fba37217461303123c22054e45bc536e254c4a2
RemcosRAT
6bd0c6927f47f86fd07cdd93c42582d6657f751d5abe87fb171d0df6758463f5
RemcosRAT
9f9472ff68d38143574eebb20c6c45ad9e1ef8905c8a2fbf6bf5ff8ab30ec2f0
RemcosRAT
a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22
RemcosRAT
affea1453f9f47d6001811fd802e604e46fe94ecdb32da84ca21a3ed5db9b308
RemcosRAT
b795277d105f23e54cff675b26437ccfa26dd597aa6475978e472843cf994e5c
RemcosRAT
edd0bc79de9c5ecb3d4903d20259b356171aa41af2df2a43aad0bf36bda95c7b
RemcosRAT
fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a
RemcosRAT
+ 1'937 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:esista brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/230524-shv6tsda76/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
85.217.144.119:4031
Unpacked files
SH256 hash:
c8e6e8783aec59436e2d8886939e50a1984003a6000c92e751552ee05f194451
MD5 hash:
71263a25a5fc13a9ba8b47e2b96bafe9
SHA1 hash:
c598d7550a1fda67997e9997c49491697d384062
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/03b6fe39-d9f4-42f1-8160-4b0b8a9660d4/
Parent samples :
35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977
85d90e46a94421f0ea8dde00324393637a1a935adc6b1c4ce41a270833f0a1c5
SH256 hash:
8798c9dbee8a90e33b39f05501db2d97dadf1d2dc529a866852d35bb7ad3e7c9
MD5 hash:
e9daeb88d5acf5fe86eafd134a93b165
SHA1 hash:
c3704c703f8223a351880f8965a658d3bc359fdc
Link:
https://www.unpac.me/results/03b6fe39-d9f4-42f1-8160-4b0b8a9660d4/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/03b6fe39-d9f4-42f1-8160-4b0b8a9660d4/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
4ec36cbaeae9054e580f77a1d293ce60f6c8c0f35c2f08c12e4d5e0f05e0cee3
MD5 hash:
3089306079ff6ea5e2d0df6c0bb82a3e
SHA1 hash:
754841ed873d126ec0a6fc90bfa8621dd18c7445
Link:
https://www.unpac.me/results/03b6fe39-d9f4-42f1-8160-4b0b8a9660d4/
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/03b6fe39-d9f4-42f1-8160-4b0b8a9660d4/
SH256 hash:
35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977
MD5 hash:
84d034b010bac73cd55bfb6a7f14dede
SHA1 hash:
1cc2efd766b673566961e397ec1088f988c7f762
Link:
https://www.unpac.me/results/03b6fe39-d9f4-42f1-8160-4b0b8a9660d4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35bac7b8798c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391192/

Comments