MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627
SHA3-384 hash: 652e589a3415edd15a793688221a609ba096f6475b02a89136741fc690fa72c2d9638519e360415d2da8eb34b9fe2e0e
SHA1 hash: e67ed5c52f8d7e58a72001235611c429d092d20b
MD5 hash: 03b611bd69f41900407eb6038ec6965f
humanhash: magnesium-seven-early-five
File name:hesaphareketi-01.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'348'608 bytes
First seen:2023-03-29 18:53:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:A712zVZ97eUzdxeJ2I8A7w4cURiCj3jfWK57hBSvHGm1zj:A7AR37Bzdxe1SCn557hcvN
TLSH T15C55CD5DE5C071FBC613477289E1E733A22FDEC216128ACCD9E82DE7B1FB608450A616
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe geo RemcosRAT TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2023-03-29 18:54:18 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/29137006-7f1e-4ab8-8817-93dd4c8a4ef8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378543/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
86%
Tags:
packed
Link:
https://www.filescan.io/uploads/6424894c688c0e6397b38801/reports/5be5d10f-32c7-4d6a-b88a-59b646554315/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1d051bd-5e7f-4f04-a7bb-2f5082694027
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1204707
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 837625 Sample: hesaphareketi-01.exe Startdate: 29/03/2023 Architecture: WINDOWS Score: 100 91 mdec.nelreports.net 2->91 93 ennenbach.duckdns.org 2->93 111 Multi AV Scanner detection for domain / URL 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 Antivirus detection for URL or domain 2->115 117 9 other signatures 2->117 10 hesaphareketi-01.exe 7 2->10         started        14 okKsmTo.exe 4 2->14         started        signatures3 process4 file5 81 C:\Users\user\AppData\Roaming\okKsmTo.exe, PE32 10->81 dropped 83 C:\Users\user\...\okKsmTo.exe:Zone.Identifier, ASCII 10->83 dropped 85 C:\Users\user\AppData\Local\...\tmpB410.tmp, XML 10->85 dropped 87 C:\Users\user\...\hesaphareketi-01.exe.log, ASCII 10->87 dropped 119 Uses schtasks.exe or at.exe to add and modify task schedules 10->119 121 Adds a directory exclusion to Windows Defender 10->121 123 Injects a PE file into a foreign processes 10->123 16 hesaphareketi-01.exe 4 3 10->16         started        21 powershell.exe 21 10->21         started        23 schtasks.exe 1 10->23         started        125 Machine Learning detection for dropped file 14->125 25 schtasks.exe 14->25         started        signatures6 process7 dnsIp8 89 ennenbach.duckdns.org 193.42.33.155, 49704, 49705, 49706 EENET-ASEE Germany 16->89 79 C:\ProgramData\remcos\logs.dat, data 16->79 dropped 105 Writes to foreign memory regions 16->105 107 Maps a DLL or memory area into another process 16->107 109 Installs a global keyboard hook 16->109 27 svchost.exe 12 16->27         started        29 svchost.exe 16->29         started        31 svchost.exe 16->31         started        39 3 other processes 16->39 33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file9 signatures10 process11 process12 41 chrome.exe 27->41         started        44 chrome.exe 27->44         started        46 chrome.exe 29->46         started        48 chrome.exe 29->48         started        50 chrome.exe 31->50         started        52 chrome.exe 31->52         started        54 chrome.exe 39->54         started        56 chrome.exe 39->56         started        58 2 other processes 39->58 dnsIp13 95 192.168.2.1 unknown unknown 41->95 97 239.255.255.250 unknown Reserved 41->97 60 chrome.exe 41->60         started        63 chrome.exe 44->63         started        75 2 other processes 46->75 65 chrome.exe 48->65         started        67 chrome.exe 50->67         started        69 chrome.exe 52->69         started        71 chrome.exe 54->71         started        73 chrome.exe 56->73         started        77 2 other processes 58->77 process14 dnsIp15 99 microsoftmscompoc.tt.omtrdc.net 60->99 101 part-0032.t-0009.fdv2-t-msedge.net 13.107.237.60, 443, 49724, 49725 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->101 103 17 other IPs or domains 60->103
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-03-29 18:54:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hoqobiqni3763kmzox53wj6vgws4xqkjw24o4mggnruq4gtryytq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230329-xj87ashe38/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
ennenbach.duckdns.org:5800
Unpacked files
SH256 hash:
b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb
MD5 hash:
3c6f8b2e78f5ebf58c4f170b30c04607
SHA1 hash:
c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765
Link:
https://www.unpac.me/results/4fb17fc9-7e9b-4507-b395-50ce1da1653c/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/4fb17fc9-7e9b-4507-b395-50ce1da1653c/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
b840ec703d61af64589ad19809d5f0d05cdeb243a6210664d513d3c14d282c0c
MD5 hash:
1e35f3f4986e171ead282cef608f402b
SHA1 hash:
774a74c5fd38ba49d1dff631bfd15a2063e4419b
Link:
https://www.unpac.me/results/4fb17fc9-7e9b-4507-b395-50ce1da1653c/
SH256 hash:
c61e8545db16fb762d4ce22f55d7b4b7ae544e9353499e0b7faddb79e0f8b28b
MD5 hash:
22b5558b087c651bd3355c24843882a4
SHA1 hash:
35580e33b3cf0c4b55c881c874c4bf4af0e8a11e
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/4fb17fc9-7e9b-4507-b395-50ce1da1653c/
Parent samples :
75b45c924b0796b2dd96b96e9602c6039b18e5be28c1d6f5dd9ebcfd0668fd64
3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627
cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9
SH256 hash:
2487f894323e1d6ea5b344be9ea5fdcf603012b0c0c916f2b9db140b7847848f
MD5 hash:
dda656bb0b0674106052f6626c7dfc93
SHA1 hash:
241caecaa377ab93f516b6ce2b213c63f17ec5cc
Link:
https://www.unpac.me/results/4fb17fc9-7e9b-4507-b395-50ce1da1653c/
SH256 hash:
3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627
MD5 hash:
03b611bd69f41900407eb6038ec6965f
SHA1 hash:
e67ed5c52f8d7e58a72001235611c429d092d20b
Link:
https://www.unpac.me/results/4fb17fc9-7e9b-4507-b395-50ce1da1653c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ba0e0a20d46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378543/

Comments