MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7
SHA3-384 hash: e1828480575654bfebaeab0a95ea3cfe25a63b3d9fd0c60ea72f12a0c6f1accfbd51baaa2c1772c99d62268d869fd811
SHA1 hash: d2dcb0751f231d02711b915fdd16174339d54afe
MD5 hash: 965741687d98a7f1a8acd45d38c6d0b0
humanhash: violet-mountain-quiet-blossom
File name:NEW ORDER NUMBER 00442211 pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:333'971 bytes
First seen:2023-12-14 14:51:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:KBlL/X+nKG53dTxjApwxFMwa5Hny3G4y+KJQbdPiUdZGf16FfbrW/8yCN1yin:wRwDPTO8GYG4VSKgkZG9m3stORn
Threatray 3'212 similar samples on MalwareBazaar
TLSH T16264121E66D785B3D5634FF069748B27E7B2F74802B1288BEBA0DE2B6C14BC58815643
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
471
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467485/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6180.4643.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/657b16963636548f374fbe5e/reports/3cd530a5-3ec5-4d33-8b9d-a519de0efb34/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f019fa1-55ec-422b-93df-3673260b61fe
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362202
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362202 Sample: NEW_ORDER_NUMBER_00442211_pdf.exe Startdate: 14/12/2023 Architecture: WINDOWS Score: 100 35 geoplugin.net 2->35 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 7 other signatures 2->55 8 NEW_ORDER_NUMBER_00442211_pdf.exe 17 2->8         started        11 clhqa.exe 2->11         started        14 clhqa.exe 2->14         started        signatures3 process4 file5 31 C:\Users\user\AppData\Local\...\ubjmgth.exe, PE32 8->31 dropped 16 ubjmgth.exe 1 2 8->16         started        59 Multi AV Scanner detection for dropped file 11->59 61 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 11->61 63 Maps a DLL or memory area into another process 11->63 20 clhqa.exe 11->20         started        22 clhqa.exe 14->22         started        signatures6 process7 file8 29 C:\Users\user\AppData\Roaming\...\clhqa.exe, PE32 16->29 dropped 41 Multi AV Scanner detection for dropped file 16->41 43 Contains functionality to bypass UAC (CMSTPLUA) 16->43 45 Contains functionalty to change the wallpaper 16->45 47 7 other signatures 16->47 24 ubjmgth.exe 3 16 16->24         started        signatures9 process10 dnsIp11 37 109.248.151.76, 1974, 49708 DATACLUBLV Russian Federation 24->37 39 geoplugin.net 178.237.33.50, 49709, 80 ATOM86-ASATOM86NL Netherlands 24->39 33 C:\ProgramData\remcos\logs.dat, data 24->33 dropped 57 Installs a global keyboard hook 24->57 file12 signatures13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 05:34:38 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzdopg34oczvj2k4rhqlafhudaz5cdr4hvf33lco6asez7dw7s3q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
071c44bd1144e0a1f0cf5f61bc8336b774dc3ffce0d358d32d809b8e468a78e3
RemcosRAT
47429e294cd3e52f3b4984f1343428df1c0f66c8addf008ca8f65b8d260355e2
RemcosRAT
530899098de9bc4a8be22abaffba4a79fd215d0cd06337bb872421dffe6598ad
RemcosRAT
e50cea800aec48d33066a55cbac3c887380c2e6688df2b4fc0647c7e3e62cc02
RemcosRAT
+ 3'202 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat upx
Link:
https://tria.ge/reports/231214-r8qhlaedfn/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
UPX packed file
Remcos
Malware Config
C2 Extraction:
109.248.151.76:1974
Unpacked files
SH256 hash:
0287784e110cc82c5d6c8ab90be996a425491128f0982787145162cae0962809
MD5 hash:
d859197bd11671e0ac4abf8e72909674
SHA1 hash:
cfd57553b0f9f6a0cf7309245395cbfdbdfe7fc0
Link:
https://www.unpac.me/results/abd4bcfb-2a41-4095-911c-c7be666fd976/
SH256 hash:
3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7
MD5 hash:
965741687d98a7f1a8acd45d38c6d0b0
SHA1 hash:
d2dcb0751f231d02711b915fdd16174339d54afe
Link:
https://www.unpac.me/results/abd4bcfb-2a41-4095-911c-c7be666fd976/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e46e79b7c70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e46e79b7c70b354e95c89e0b014f41833d10e3c3d4bbdac4ef0244cfc76fcb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/467485/

Comments