MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51
SHA3-384 hash: 53d2c19bd5917607e6bb0bd9a8d8c045da636ab3686eb914929eae6b195a17188fe991a7067c1b9dc25375cf9fc33e02
SHA1 hash: d1fd7bfccbe9fec7bdaf032ffcb9899baacb7ce4
MD5 hash: 8aefdd630923829f049eff1bbb1aa807
humanhash: blue-edward-utah-blossom
File name:PO21019612.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:983'040 bytes
First seen:2023-08-02 08:44:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Cw2qj4ss2NvJhmEjf42Dft3e4kcYF3TAGxZIHlYYRnLvh:AU4cNBO6fNe4EFDAGxZIFlhL
Threatray 2'395 similar samples on MalwareBazaar
TLSH T19325F13A2531CB88F14428310EEDD88FB6F5A57D53AA61FECCB903A344C53293959E76
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PO21019612.exe
Verdict:
Malicious activity
Analysis date:
2023-08-02 08:46:32 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/fe0ff32d-b8da-4585-a6f4-238321ed2f8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439762/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Androm.1.778.6533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/64ca178f94fb102ea38bfb92/reports/de3347f3-d57f-4e33-9ce1-6d346d65266d/overview
Verdict:
Malicious
Labled as:
MSIL.Androm.Generic
Link:
https://www.hybrid-analysis.com/sample/36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0f4a30f-b8bb-46f5-a278-953787b1b561
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284222
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1284222 Sample: PO21019612.exe Startdate: 02/08/2023 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 11 other signatures 2->75 10 PO21019612.exe 1 5 2->10         started        14 Fngvzcxsegd.exe 5 2->14         started        16 remcos.exe 4 2->16         started        18 2 other processes 2->18 process3 file4 51 C:\Users\user\AppData\...\Fngvzcxsegd.exe, PE32 10->51 dropped 53 C:\Users\...\Fngvzcxsegd.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\user\AppData\...\PO21019612.exe.log, ASCII 10->55 dropped 89 Contains functionality to bypass UAC (CMSTPLUA) 10->89 91 Creates multiple autostart registry keys 10->91 93 Contains functionality to steal Chrome passwords or cookies 10->93 103 3 other signatures 10->103 20 PO21019612.exe 1 4 10->20         started        95 Antivirus detection for dropped file 14->95 97 Multi AV Scanner detection for dropped file 14->97 99 Machine Learning detection for dropped file 14->99 24 Fngvzcxsegd.exe 14->24         started        101 Injects a PE file into a foreign processes 16->101 signatures5 process6 file7 47 C:\ProgramData\Remcos\remcos.exe, PE32 20->47 dropped 49 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->49 dropped 77 Creates autostart registry keys with suspicious names 20->77 79 Creates multiple autostart registry keys 20->79 26 remcos.exe 5 20->26         started        signatures8 process9 signatures10 81 Antivirus detection for dropped file 26->81 83 Multi AV Scanner detection for dropped file 26->83 85 Machine Learning detection for dropped file 26->85 87 Injects a PE file into a foreign processes 26->87 29 remcos.exe 3 16 26->29         started        process11 dnsIp12 59 212.193.30.230, 3330, 49707, 49708 SPD-NETTR Russian Federation 29->59 61 geoplugin.net 178.237.33.50, 49709, 80 ATOM86-ASATOM86NL Netherlands 29->61 105 Maps a DLL or memory area into another process 29->105 107 Installs a global keyboard hook 29->107 33 remcos.exe 29->33         started        36 remcos.exe 29->36         started        38 remcos.exe 29->38         started        40 23 other processes 29->40 signatures13 process14 dnsIp15 63 Tries to steal Instant Messenger accounts or passwords 33->63 65 Tries to steal Mail credentials (via file / registry access) 33->65 57 192.168.2.1 unknown unknown 40->57 67 Tries to harvest and steal browser information (history, passwords, etc) 40->67 43 WerFault.exe 40->43         started        45 WerFault.exe 40->45         started        signatures16 process17
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 08:45:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g34oj23wrnxuxs3tef447ngypfkffquf2vs6j7cjtbcv3yaan5iq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
347248cacef4596adbcddb5dbba62e050ddf223548834e8646bf43f96552a328
RemcosRAT
34bfed7f2450542d851b696685ed0a43438683a54f1756a947119d7258a4adb1
RemcosRAT
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df
RemcosRAT
4b66b1c337c83ccb79e4862a7a32421fd75a565a59fee1f830d4aae55b64af9a
RemcosRAT
5e95168687b15de3724b3c8240c0b40cdb61c75b440d11a7fa72c2b247c920ae
RemcosRAT
723a40b5d10baf215da246cb02dbb7b5eee5e2a53efe6eef08414094f3e12563
RemcosRAT
7795f522a55ae41cb43c380f7bb4150a2170b9fca1e8b98070ee32934f32fb1a
RemcosRAT
7d1cb09a0fb3d30d8b4503fac7cbd55b30446cc92911eae44132f9debfb39da5
RemcosRAT
a8ae7002d16df08878c864f8cd2f8722dfcb5950372f3b12c88f4e265f2eee40
RemcosRAT
cfc48dfa8aa74b169189104a5f606cb6738fac9828808dfb1e64cbbd3564f10d
RemcosRAT
+ 2'385 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat spyware stealer
Link:
https://tria.ge/reports/230802-knqjjaeg8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
212.193.30.230:3330
Unpacked files
SH256 hash:
8597c6e3f04568e09ba8bb238ccaa4dc5630be2c89d81a20ad9a4a0f6136dda4
MD5 hash:
5e58316eef2f835eed5a62c59e73155d
SHA1 hash:
c998d18cede8b1d3528db6c70edee3d3868f9773
Link:
https://www.unpac.me/results/1b51c70a-9830-4b5d-8656-1296ad323baa/
SH256 hash:
3d9f5ea8ca556999596abb635130081f1d64c5706117ba6282f5860ddc072df2
MD5 hash:
6e54cd25231c296bf2f0f9ac8164b253
SHA1 hash:
7caff39d9cc3eaf343e135f599a9cde4dc749b0a
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/1b51c70a-9830-4b5d-8656-1296ad323baa/
Parent samples :
36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51
877371d8ae10433714781fc8187b21a9bd55e01738d1e701603118d1e2b89944
a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286
e842b6dff73f8cc125170bafb505357263972cefc0d7187207295a207a6a3bdf
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
SH256 hash:
e0569faf0ecb3c4d225683d7c1e35dd78b75105c9ebb5e79c396287e54e779fe
MD5 hash:
43bd8c506efa39d3b7878128b267be20
SHA1 hash:
2cf67df67c77b7a2a4bdd2b932d5882eb3614a59
Link:
https://www.unpac.me/results/1b51c70a-9830-4b5d-8656-1296ad323baa/
SH256 hash:
6ff803b2af1f2488bc45e48337833b4e7d861800cf939268320c10a5dfb81185
MD5 hash:
3e215b026dc75bab9e583d2c7e110c8b
SHA1 hash:
170ac8a1b0770d49bcc8e46509c8b1c3fe9fc002
Link:
https://www.unpac.me/results/1b51c70a-9830-4b5d-8656-1296ad323baa/
SH256 hash:
36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51
MD5 hash:
8aefdd630923829f049eff1bbb1aa807
SHA1 hash:
d1fd7bfccbe9fec7bdaf032ffcb9899baacb7ce4
Link:
https://www.unpac.me/results/1b51c70a-9830-4b5d-8656-1296ad323baa/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36f8e4eb768b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439762/

Comments