MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
SHA3-384 hash: 13d66d03594b9f01d45eb3bf91eeefcf0b465aa26f7702264f1dabae7ae516c3e1ff424d1cce941439e17eec2e3f03e1
SHA1 hash: 317e8357beebe4705c2cd3d85f8b73a2050d28eb
MD5 hash: bac3d11e83d62865599e01bcd60434ad
humanhash: oxygen-three-freddie-coffee
File name:ikmerozx.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'490'432 bytes
First seen:2022-09-08 14:19:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:KGkJTwaEbpIhYK3ftUjm+sg69/ecqcpuIXKD:eSyhYKlUJsR9/evcw
Threatray 1'787 similar samples on MalwareBazaar
TLSH T11F657D0735928C91C17652B891CDC5728BB68E45E23FD6877FC98CEBF582F6845C23A2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13101/52/3)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon ce9c9496e4949c9c (73 x AgentTesla, 51 x SnakeKeylogger, 30 x Formbook)
Reporter malwarelabnet
Tags:exe remcos RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Purchase Order FG-20220831.doc
Verdict:
Malicious activity
Analysis date:
2022-09-08 14:11:57 UTC
Tags:
exploit CVE-2017-11882 loader rat remcos keylogger
Link:
https://app.any.run/tasks/b564819f-de0b-4dcd-8147-2ac05f16e413

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308805/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.27742.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
lokibot packed
Link:
https://www.filescan.io/uploads/6319faa31d4a849311e174c3/reports/4c4ca38d-fedf-4dea-add0-8a90ce649cc6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7c39009-a3a8-4cdd-be9b-4de42af612d5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067219
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699750 Sample: ikmerozx.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 Antivirus detection for dropped file 2->87 89 8 other signatures 2->89 13 ikmerozx.exe 3 2->13         started        17 sdfge.exe 2 2->17         started        19 sdfge.exe 2 2->19         started        process3 file4 67 C:\Users\user\AppData\...\ikmerozx.exe.log, ASCII 13->67 dropped 97 Injects a PE file into a foreign processes 13->97 21 ikmerozx.exe 4 4 13->21         started        24 chrome.exe 13->24         started        26 sdfge.exe 17->26         started        28 sdfge.exe 17->28         started        30 sdfge.exe 17->30         started        32 sdfge.exe 19->32         started        34 sdfge.exe 19->34         started        signatures5 process6 file7 61 C:\Users\user\AppData\Roaming\sdfge.exe, PE32 21->61 dropped 63 C:\Users\user\...\sdfge.exe:Zone.Identifier, ASCII 21->63 dropped 65 C:\Users\user\AppData\Local\...\install.vbs, data 21->65 dropped 36 wscript.exe 1 21->36         started        process8 process9 38 cmd.exe 1 36->38         started        process10 40 sdfge.exe 3 38->40         started        43 conhost.exe 38->43         started        signatures11 91 Multi AV Scanner detection for dropped file 40->91 93 Machine Learning detection for dropped file 40->93 95 Injects a PE file into a foreign processes 40->95 45 sdfge.exe 15 40->45         started        49 conhost.exe 43->49         started        process12 dnsIp13 79 76.8.53.133, 1198, 49692, 49696 QUONIXNETUS United States 45->79 81 geoplugin.net 178.237.33.50, 49695, 80 ATOM86-ASATOM86NL Netherlands 45->81 99 Writes to foreign memory regions 45->99 101 Maps a DLL or memory area into another process 45->101 103 Installs a global keyboard hook 45->103 51 svchost.exe 45->51         started        signatures14 process15 process16 53 chrome.exe 51->53         started        56 chrome.exe 51->56         started        dnsIp17 69 192.168.2.1 unknown unknown 53->69 71 239.255.255.250 unknown Reserved 53->71 58 chrome.exe 53->58         started        process18 dnsIp19 73 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49709, 49710 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 58->73 75 www.google.com 142.250.203.100, 443, 49711, 49834 GOOGLEUS United States 58->75 77 7 other IPs or domains 58->77
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 12:57:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
37
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkzmu2badetz4kcslkh7djzobc5nxioa6mas7etlvuksrmvqsrfa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0717daa265162ca602b432ef694dfc9d3fd6126854f80d4aab2175830a420781
RemcosRAT
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
20d06c9366037f9c7d08d843ddcb74e264accf481dbefd7b1f77669abb4d9be9
RemcosRAT
21717cdfec5b3e14e7493537a9ca67045929faa591dc041350bc29070ca65681
RemcosRAT
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
RemcosRAT
ae5e7a411b4e6dcc818f5f8ab9aa345b0203c834545e188f1518bdc3ba846235
RemcosRAT
b563d460e40277fd18dfa645f16081ed6328f519e218afc6570dafe951f5feea
RemcosRAT
cd5f1820af33d2e6f034ca088a5fd83592835c722aca63d9f4912ea2e7996d00
RemcosRAT
ec0a3b7d3636b52ae025418ec21669e06c30f58930f11303571a2af6993ef365
RemcosRAT
fe6a93368c9da83d864b3f37fba5c8c01302a3d909779cb3bd6dfaed8b430fb5
RemcosRAT
+ 1'777 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:peterobi2023 brand:microsoft collection persistence phishing rat spyware stealer
Link:
https://tria.ge/reports/220908-rne65aegc5/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
76.8.53.133:1198
Unpacked files
SH256 hash:
8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63
MD5 hash:
dbc7be56e6e32349315170599c8b333f
SHA1 hash:
d8e5840e3574b87d435e55a65ac648e040871aee
Link:
https://www.unpac.me/results/0131aacd-32bd-4d96-b619-c7bacecdd529/
SH256 hash:
9cc1c47cdaac06d3e07bde45c2f6ccaaa0d0287754919972aeffdf4664cb9eef
MD5 hash:
b096afbfec95f987408b1144abce2801
SHA1 hash:
cfaf6471a8b0a246a80dc3b7e172172c2d04d48f
Link:
https://www.unpac.me/results/0131aacd-32bd-4d96-b619-c7bacecdd529/
SH256 hash:
aeae4f30f6bac692a5864b35913b090499e3d512b77fe4edc0dfb0c7a4f391c8
MD5 hash:
1a433ddae1e8a4ef62ccafdcad8163dc
SHA1 hash:
cb03bdeb717aa00da44cd15e45b091ff8cc3fac5
Link:
https://www.unpac.me/results/0131aacd-32bd-4d96-b619-c7bacecdd529/
SH256 hash:
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
MD5 hash:
82602aed5a4328fd0f432ac95f05a500
SHA1 hash:
83c7d33c0d034ec89953986d191fe82e5f5ba297
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/0131aacd-32bd-4d96-b619-c7bacecdd529/
Parent samples :
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9
b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/0131aacd-32bd-4d96-b619-c7bacecdd529/
SH256 hash:
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
MD5 hash:
bac3d11e83d62865599e01bcd60434ad
SHA1 hash:
317e8357beebe4705c2cd3d85f8b73a2050d28eb
Link:
https://www.unpac.me/results/0131aacd-32bd-4d96-b619-c7bacecdd529/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ab2ca682019/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/308805/
  
URLhaus
https://urlhaus.abuse.ch/url/2260819/
  
Delivery method
Distributed via web download

Comments