MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864
SHA3-384 hash: e25350855a212eaa0726e64105536271e0c745e09bec6020d92eed091309621c44f6fa200925237c3a160e79aba2bccc
SHA1 hash: f4556d2b773b9160cdcb337c29c9a9a7587e6dc6
MD5 hash: 6563c4e9c1ca7b46c1c137c3d03c0c21
humanhash: mike-fanta-comet-bluebird
File name:6563c4e9c1ca7b46c1c137c3d03c0c21
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'883'648 bytes
First seen:2023-04-25 08:09:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:SB1XDfA0AE5oX7ZPrdx0yuNyj9h+7t0ASQeBrEZKZvzkhDzMdHLK04nLJT6X3fdJ:SBwmohdiyurt+7ZvzOWK/F+Fs
Threatray 1'853 similar samples on MalwareBazaar
TLSH T10495E133365DBFEDDB694D74E4BA02200F609EF35194C058B8C89ADE186A66CDDA1CF1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
QUOTATION#7386A-041912024_Products.doc
Verdict:
Malicious activity
Analysis date:
2023-04-24 08:52:05 UTC
Tags:
exploit cve-2017-11882 loader remcos
Link:
https://app.any.run/tasks/6f2e6567-3d9e-44c5-8506-357c908caf1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/384746/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66613317.13456.27523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Launching cmd.exe command interpreter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64478add809528e43aab5113/reports/f5b6e18e-35f8-4a4e-9b82-70124303a0f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21946956-d3d0-4e87-84f1-3cbe9fe1c8e9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220563
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates multiple autostart registry keys
Delayed program exit found
Disables UAC (registry)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 853512 Sample: 7wvYhnSKIH.exe Startdate: 25/04/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 5 other signatures 2->59 8 7wvYhnSKIH.exe 4 8 2->8         started        12 Rglwhox.exe 2->12         started        14 Explorers.exe 2->14         started        16 3 other processes 2->16 process3 file4 45 C:\Users\user\AppData\Roaming\...\Rglwhox.exe, PE32 8->45 dropped 47 C:\Users\user\...\Rglwhox.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\user\AppData\...\7wvYhnSKIH.exe.log, ASCII 8->49 dropped 65 Contains functionality to bypass UAC (CMSTPLUA) 8->65 67 Encrypted powershell cmdline option found 8->67 69 Creates multiple autostart registry keys 8->69 77 5 other signatures 8->77 18 7wvYhnSKIH.exe 2 4 8->18         started        22 AcroRd32.exe 37 8->22         started        24 powershell.exe 16 8->24         started        71 Antivirus detection for dropped file 12->71 73 Multi AV Scanner detection for dropped file 12->73 75 Machine Learning detection for dropped file 12->75 signatures5 process6 file7 41 C:\Users\user\AppData\...xplorers.exe, PE32 18->41 dropped 43 C:\Users\...xplorers.exe:Zone.Identifier, ASCII 18->43 dropped 61 Creates multiple autostart registry keys 18->61 26 Explorers.exe 2 18->26         started        29 cmd.exe 1 18->29         started        31 RdrCEF.exe 58 22->31         started        34 conhost.exe 24->34         started        signatures8 process9 dnsIp10 79 Antivirus detection for dropped file 26->79 81 Multi AV Scanner detection for dropped file 26->81 83 Machine Learning detection for dropped file 26->83 36 reg.exe 1 29->36         started        39 conhost.exe 29->39         started        51 192.168.2.1 unknown unknown 31->51 signatures11 process12 signatures13 63 Disables UAC (registry) 36->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 13:09:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jojdozmclsjuyjjoyfzumnv5gzvrwptts4lk2oxdd4u7coqlnbsa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
RemcosRAT
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
RemcosRAT
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
RemcosRAT
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
RemcosRAT
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
RemcosRAT
52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3
RemcosRAT
aa2caafd9a1d53df2112c9081fb5686e04283be0da13d94bacdfc8c9addf0c34
RemcosRAT
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
RemcosRAT
cadf95355bd6ea18fdd3555ea3f85d102f40b3df0dc36b332f9ad8b505105f6e
RemcosRAT
+ 1'843 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:quote evasion persistence rat trojan
Link:
https://tria.ge/reports/230425-j2pzgshc86/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
UAC bypass
Malware Config
C2 Extraction:
172.93.164.93:2404
Unpacked files
SH256 hash:
6329f603452b54ce9ecc0c1daec09353e686860b6e862bea5d556da00651a1d6
MD5 hash:
5e139c3d3872a1d4d2515b50c4475a79
SHA1 hash:
1fae57e9c5d19c7b80890d2a69541d22ad6f8128
Link:
https://www.unpac.me/results/43fc8a60-0c46-4319-a614-c5d81ad70d49/
SH256 hash:
b434ce77558eb4b03b952d31f2640daa5c1c9f142cd0e4a71c3adb879e0166f5
MD5 hash:
08e44f4e61cbe241249cb595cb3b7d46
SHA1 hash:
7732e68212a8fe20e22a8d8784f2479bf500e462
Link:
https://www.unpac.me/results/43fc8a60-0c46-4319-a614-c5d81ad70d49/
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/43fc8a60-0c46-4319-a614-c5d81ad70d49/
SH256 hash:
53f0b11cf5ddbce41ba1088778ee9fd368e44e100a79cb5e538743055ff96e37
MD5 hash:
c299c6652b27b302561c497a256fe365
SHA1 hash:
49d70019e29da428340b56457f3135ed1e6d94e7
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/43fc8a60-0c46-4319-a614-c5d81ad70d49/
SH256 hash:
4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864
MD5 hash:
6563c4e9c1ca7b46c1c137c3d03c0c21
SHA1 hash:
f4556d2b773b9160cdcb337c29c9a9a7587e6dc6
Link:
https://www.unpac.me/results/43fc8a60-0c46-4319-a614-c5d81ad70d49/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b923765825c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/384746/
  
URLhaus
https://urlhaus.abuse.ch/url/2617588/

Comments


Avatar
zbet commented on 2023-04-25 08:09:53 UTC

url : hxxp://208.67.105.179/quoteezx.exe