MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec
SHA3-384 hash:	8bd95dbc8d6117160e154b8fb19dd7bcfb7306d5f833afe29231e8d40fbd92f3172d92e1cc18f3dfa69adca2e99ca2b1
SHA1 hash:	f11fad1f929f29cf6765da9a51804b0b8eb7d110
MD5 hash:	f052f944719885f1dff915a64e88ca10
humanhash:	steak-stairway-comet-virginia
File name:	Proforma Invoice No.0976.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	952'832 bytes
First seen:	2021-08-23 13:53:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:hj6kgpmkIBtdhjOq1KatgGDrIK1QUi8WY/XW:EkrkIJhjDN3DrIK1QUkY
Threatray	454 similar samples on MalwareBazaar
TLSH	T13C1512093659FB8FC72FCE7B98652D209BE1E9361353D342AC8325D8289D795CB102B7
Reporter	Anonymous
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Proforma Invoice No.0976.exe

Verdict:

Malicious activity

Analysis date:

2021-08-23 14:04:53 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/94b58600-b1fb-4895-abfa-0c35a9a3841d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/181510/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c4b5c9a-322c-4662-8aa7-4b85e84390dd

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/837567

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2021-08-23 13:54:14 UTC

AV detection:

17 of 43 (39.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kgi6bgdptumimqbibhg65cvdxd2qxlamg2at57dafy6v4wnz2hwa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136

RemcosRAT

730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2

RemcosRAT

b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50

RemcosRAT

d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc

RemcosRAT

d660500c553676fcad1d6b2847022578ed20676190b5ed5687cd15d19e98e862

RemcosRAT

d7511047d6d0127108e1cf026c3a8c7d5dbb860d62722371d4c3f65c3c1dc920

RemcosRAT

d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701

RemcosRAT

ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925

RemcosRAT

e391c863171dbe0a79e9ee01b3f221603e1dddb3938c3215980cd5b991578f4e

RemcosRAT

+ 444 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:august$$$ rat

Link:

https://tria.ge/reports/210823-7862461rk6/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

mgc0147.hopto.org:2930

Unpacked files

SH256 hash:

6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61

MD5 hash:

03bde4a82ad64c0f314985232fbca3fa

SHA1 hash:

e8d0b6339e94192eaaca32c812f914e60576dca6

Link:

https://www.unpac.me/results/c30cc5e4-d259-4832-9269-a21cf9973dad/

SH256 hash:

9ba14d10021b7a59f91c64591ab4af9cd794050286ff1ae0008f6e3c4a15cbc3

MD5 hash:

819bf69c4e51a000cb141c376c5e7fa4

SHA1 hash:

d1db9d800bbe166766785cf02f22f06f568bf2e8

Detections:

win_remcos_g0

Link:

https://www.unpac.me/results/c30cc5e4-d259-4832-9269-a21cf9973dad/

SH256 hash:

1b0dcf8bc4d113c9814bd781c8eae5e60b9708c35637d238bf1cfcfb3424055c

MD5 hash:

6cf766ede5cfa9f4fb52112015d8db8b

SHA1 hash:

0adc1251ef1edd1c0cf151de1269413bda370492

Link:

https://www.unpac.me/results/c30cc5e4-d259-4832-9269-a21cf9973dad/

SH256 hash:

5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec

MD5 hash:

f052f944719885f1dff915a64e88ca10

SHA1 hash:

f11fad1f929f29cf6765da9a51804b0b8eb7d110

Link:

https://www.unpac.me/results/c30cc5e4-d259-4832-9269-a21cf9973dad/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5191e0986f9d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/181510/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample