MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 16

SHA256 hash: 4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391
SHA3-384 hash: 0cea3f9acc9489d34d48cfe78f13f106acb1a9087b73fdbc0034d8dee971b46224982d56cc2464bd70814d5a924584e0
SHA1 hash: f1f8fe7f3f3f880adba739ea2fe5ef7725c29e8a
MD5 hash: 826572294dd7857d627783220e0fefa6
humanhash: skylark-robert-finch-twelve
File name: RFQ BRAS BASE 7683465 2023.exe
Signature: RemcosRAT
File size: 920'576 bytes
First seen: 2023-06-27 10:15:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:vHFNm3V5CJ7Ys5SdQUg+z6BimmTlJ0stgF:vHFc5CJ7Ys5SdQUg+z6BoLhgF
Threatray: 2'129 similar samples on MalwareBazaar
TLSH: T1C815BC3D18BE2A37C175EAA9CFE49463F500D53F39229936A4D797914706EA324C323E
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: cocaman
Tags: exe RemcosRAT RFQ

Intelligence

File Origin
# of uploads: 1
# of downloads: 299
Origin country: CH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: RFQ BRAS BASE 7683465 2023.exe
Verdict: Malicious activity
Analysis date: 2023-06-27 10:17:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
  Creating a window
  Sending a custom TCP request
  Creating a process with a hidden window
  Launching a process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed remcos

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph ID: 895013
Sample: RFQ_BRAS_BASE_7683465_2023.exe
Startdate: 27/06/2023
Architecture: WINDOWS
Score: 100

Root (sample):
  DNS: www.google.com
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  Started: RFQ_BRAS_BASE_7683465_2023.exe; VKXoBkboe.exe; remcos.exe (two instances)

RFQ_BRAS_BASE_7683465_2023.exe (first instance):
  Dropped: C:\Users\user\AppData\Roaming\VKXoBkboe.exe (PE32); C:\Users\user\AppData\Local\...\tmpC2CF.tmp (XML); C:\...\RFQ_BRAS_BASE_7683465_2023.exe.log (ASCII)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 5 other signatures
  Started: RFQ_BRAS_BASE_7683465_2023.exe (second instance); powershell.exe (two instances, each with conhost.exe); 3 other processes (with conhost.exe)

VKXoBkboe.exe:
  Signatures: Multi AV Scanner detection for dropped file

remcos.exe (two instances started from root):
  Started: schtasks.exe (each with conhost.exe); further remcos.exe instances

RFQ_BRAS_BASE_7683465_2023.exe (second instance):
  Dropped: C:\ProgramData\Remcos\remcos.exe (PE32); C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
  Signatures: Creates autostart registry keys with suspicious names
  Started: remcos.exe

remcos.exe (started by the second sample instance):
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
  Started: remcos.exe; powershell.exe (two instances, each with conhost.exe); schtasks.exe (with conhost.exe)

remcos.exe (child of the above):
  Network: 212.193.30.230 (49702, 49703, 49705; SPD-NETTR, Russian Federation); geoplugin.net 178.237.33.50 (49704, 80; ATOM86-ASATOM86NL, Netherlands)
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Installs a global keyboard hook
  Started: remcos.exe (three instances); 19 other processes
    remcos.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
    19 other processes: Tries to harvest and steal browser information (history, passwords, etc); started chrome.exe (three instances)

chrome.exe:
  Network: 192.168.2.1 (unknown); 239.255.255.250 (Reserved)
  Started: chrome.exe (child instances)
    chrome.exe (child): microsoftmscompoc.tt.omtrdc.net; part-0032.t-0009.t-msedge.net 13.107.246.60 (443, 49721, 49722; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 12 other IPs or domains

Threat name: ByteCode-MSIL.Trojan.LokiBot
Status: Malicious
First seen: 2023-06-27 08:54:33 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost brand:microsoft collection persistence phishing rat spyware stealer
Behaviour:
  Creates scheduled task(s)
  Enumerates system info in registry
  Modifies Internet Explorer settings
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Drops file in Program Files directory
  Detected potential entity reuse from brand microsoft.
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook accounts
  Adds Run key to start application
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  Reads user/profile data of web browsers
  NirSoft MailPassView
  NirSoft WebBrowserPassView
  Nirsoft
  Remcos
Malware Config
C2 Extraction:
212.193.30.230:6873
Unpacked files
SHA256 hash: 86758c509ba4f1f07f9776a68e02963fb035f332048bd88aa0992ad81ad58495
MD5 hash: 507ceb4fa37e93c81d5ac85771974f25
SHA1 hash: 892e33b9eb3c8b6f17d3a4b984a5507c52f5174e

SHA256 hash: 3b335a6f367a240b9cda09f4325612f43bcb7c0a3f0dcc4f3b1a282e3a92b973
MD5 hash: 0f44a972d09d9bfcd801c84ae1f031ab
SHA1 hash: 6efc438e4614623573d221a34c348ffd35dfd8e2

SHA256 hash: 02f9be55e8af8b511b4978acceb5046218b43cce9c9eb57d3217fb8452793626
MD5 hash: b53e41875f6a40e179c77f090b912842
SHA1 hash: 6802e4119aabb79a32049b3f6a695b9a5319c523
Detections: Remcos, win_remcos_auto

SHA256 hash: 9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash: adac60763fcfe4d5f4ad323046e79500
SHA1 hash: 9ced772a90ddec9fffde8c745225ad289f3f087e

SHA256 hash: 4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391
MD5 hash: 826572294dd7857d627783220e0fefa6
SHA1 hash: f1f8fe7f3f3f880adba739ea2fe5ef7725c29e8a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: RemcosRAT
Sample: Executable exe 4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391 (this sample)