MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 490f282d4fd00248b4f2c3ee4b5586d7af9b8cef6702f035abfee65482289d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: 490f282d4fd00248b4f2c3ee4b5586d7af9b8cef6702f035abfee65482289d99
SHA3-384 hash: a488602dc08be43ad83cf1d26205f890e79481a975561e8a00aa593ceef388747102c799488dcee8e26466632125bf13
SHA1 hash: f59fdf850bdfd1a83f81b451d7ce7e7d8a17a976
MD5 hash: 909588e87fae1849fbe46e446776ed1a
humanhash: music-ceiling-winter-floor
File name: RFQ 80380 N 2023 JANUARY 04606.gz.exe
Signature: RemcosRAT
File size: 884'736 bytes
First seen: 2023-01-23 10:18:26 UTC
Last seen: 2023-01-23 10:30:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:GmVXplzJdNDxd0kPPwa2lLtgAl2BoKruMwD+:d9plzJPDxd0kPPwRlqAl2BohMwi
Threatray 4'653 similar samples on MalwareBazaar
TLSH T12715225236A8FB49CC7847F88C3C058C57F57C8A5972D39E0EE3A0DD9A72F914A06627
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon 2810f07110796900 (11 x AgentTesla, 2 x Formbook, 2 x SnakeKeylogger)
Reporter cocaman
Tags: exe RemcosRAT RFQ

Intelligence


File Origin
# of uploads: 3
# of downloads: 195
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: RFQ 80380 N 2023 JANUARY 04606.gz.exe
Verdict: Malicious activity
Analysis date: 2023-01-23 10:20:55 UTC
Tags: rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Running batch commands
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 789600): sample RFQ 80380 N 2023 JANUARY 04..., start date 23/01/2023, architecture WINDOWS, score 100.
Signatures on the root node: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 15 other signatures.
Process tree recovered from the graph (indentation shows parent/child; "->" means the parent started the child):
  RFQ 80380 N 2023 JANUARY 04606.gz.exe
    dropped: C:\Users\user\AppData\...\gwUgywwXAo.exe (PE32); C:\Users\...\gwUgywwXAo.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp54A1.tmp (XML); RFQ 80380 N 2023 J...RY 04606.gz.exe.log (ASCII)
    signature: Adds a directory exclusion to Windows Defender
    -> RFQ 80380 N 2023 JANUARY 04606.gz.exe (second instance)
         dropped: C:\ProgramData\Remcos\remcos.exe (PE32); C:\Users\user\AppData\...\wcomslsyxzvseil.vbs (data); C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
         -> wscript.exe -> cmd.exe
              -> conhost.exe
              -> remcos.exe
                   signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
                   -> remcos.exe: network connection to 45.139.105.174, port 6320 (CMCSUS, Italy); signature: Installs a global keyboard hook
                   -> powershell.exe -> conhost.exe
                   -> schtasks.exe -> conhost.exe
    -> powershell.exe -> conhost.exe
    -> schtasks.exe -> conhost.exe
  gwUgywwXAo.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  remcos.exe
    signature: Injects a PE file into a foreign process
    -> schtasks.exe -> conhost.exe
    -> remcos.exe
  2 other processes
    -> schtasks.exe -> conhost.exe (two instances)
    -> remcos.exe
    -> 2 other processes
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2023-01-23 08:15:11 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 16 of 25 (64.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: 45.139.105.174:6320
Unpacked files
SHA256 hash:
12886f539b920934ab9b12645e99dea9c4d64ac80b1dbefba57447ef7982f102
MD5 hash:
400e0f5dad0abca25a4a87e1f98494a0
SHA1 hash:
cff72a8f614a2cbc7c2056bc0c88eb1f2b877cd6
Detections:
Remcos win_remcos_auto
SHA256 hash:
49a17d05d6b0b49f9d3494661739b5737d2c9ef6fb7da5eb2de7fa2bfc435a20
MD5 hash:
1cc20b863c3b960aa4df71b1fdd0f1a2
SHA1 hash:
c47996dbc1af9d57c3982b178a0e1de552d817d1
SHA256 hash:
210732a62fcf35e846f3b1315154472ad8fdb603711aef37011f63a0858753d2
MD5 hash:
2159fb971d7ca19ffd8d58610a582a7b
SHA1 hash:
4587b2879862a8223971247a2e9c628eaaff4c4f
SHA256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
SHA256 hash:
20eda0a9b642a495ee216f13d2c37603ef860ff1aa1b8c89b2aa630a17574f71
MD5 hash:
d2dcd2d712c1f3c871e39fc27f889546
SHA1 hash:
167502f0388eb8c9525a048282600fa83d7254ad
SHA256 hash:
490f282d4fd00248b4f2c3ee4b5586d7af9b8cef6702f035abfee65482289d99
MD5 hash:
909588e87fae1849fbe46e446776ed1a
SHA1 hash:
f59fdf850bdfd1a83f81b451d7ce7e7d8a17a976
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: RemcosRAT
File type: Executable exe
SHA256: 490f282d4fd00248b4f2c3ee4b5586d7af9b8cef6702f035abfee65482289d99 (this sample)

Comments