MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2
SHA3-384 hash: 059f6bceb3372d32354ee12bfd63550310ac970a2342977358131f01cdd1dc906777f4144de1af8ef6356344d976ce4f
SHA1 hash: c6470f3e621475e38d684e865ca1816aa9eaa3b6
MD5 hash: 3c91e574cadbea2f15e0a2f499909289
humanhash: zebra-pasta-comet-steak
File name:Quotation Of Medical Disposables For Turkish Hospital.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'081'344 bytes
First seen:2022-09-29 10:00:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7Au2iNnKdGOE3f/0Cfgk0bkWXM8+zPg1j/iC82DoU1StpLIVFDdSlrtjs3dXfXu:D18dK3fHgeekIrlp9SBtKXv
Threatray 3'016 similar samples on MalwareBazaar
TLSH T1263501270BEA4B0BD015B67884D1D2F2E7AADC11F177C7876BCA9C2FF086665C660352
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/314698/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63356ca5d089a0c15dd2b63c/reports/9d3ec34c-9571-4a19-b846-a233c94c3819/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ae23099-b910-4460-b952-e5fcb681c1fb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1079921
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 712476 Sample: Quotation Of Medical Dispos... Startdate: 29/09/2022 Architecture: WINDOWS Score: 80 19 Malicious sample detected (through community Yara rule) 2->19 21 Yara detected AntiVM3 2->21 23 Yara detected Remcos RAT 2->23 25 4 other signatures 2->25 6 Quotation Of Medical Disposables For Turkish Hospital.exe 3 2->6         started        process3 file4 17 Quotation Of Medic...sh Hospital.exe.log, ASCII 6->17 dropped 9 vbc.exe 6->9         started        11 vbc.exe 6->11         started        13 vbc.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 10:00:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=knjfby4siddfq5sgvumhnyxnkf7in6indaez3k26mz6k4lxva7ra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
7fe73c463ac777aa61709aa357a27b09d8faae7833219399c3a92c6f692c11f4
RemcosRAT
9432004daa7e7748848e802b7a769efe47f147d54fcad12471d03d261c3bc5c0
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
+ 3'006 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost ewa cartoon rat
Link:
https://tria.ge/reports/220929-l1m5lsadc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
164.68.105.38:1960
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f62075d2-3431-4279-9d48-6ea450ba37b1
Unpacked files
SH256 hash:
4c565f789e34d0cf9d6cb7361ad45a5a2ffa01f664dcd49a1da2e25be36f5682
MD5 hash:
ba07eb52ad32844e2a34c9a30e92d4f9
SHA1 hash:
e87c52e3fd76d2120f671c8f3163255fbeec564f
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5ef40ac-ee02-41c2-b2ae-dc4358a875f7/
Parent samples :
32cc036ec39f8778c6920c98f1e8c5adb49419c51f8e828df32f9d6ff98c483b
15194ffa05cc42d107aa2dd6e87f93a2377182044d9f525df362f12ace6fd72f
535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2
70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd
d7af53e976dcd39bc14d8e6c594c32bd33b7567b24148c924b4314b5c6327907
56bc72f3b4276309ba8b16991e1534895eb11195fe2fdb4ae9d9afb8aafe43db
8e143cf495b03daa40f3e69a8df37ef5298a75ebc25620557065975a5cdd35c1
SH256 hash:
3071a65bddefa23b2d5fa495b5fb273dc758b2e169d7bea905394835ee6e3e00
MD5 hash:
eedc458d345dbe5d75b2d9b39b6bc57b
SHA1 hash:
9aa707d968bc136dd7531374d28094e9da29ce41
Link:
https://www.unpac.me/results/a5ef40ac-ee02-41c2-b2ae-dc4358a875f7/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/a5ef40ac-ee02-41c2-b2ae-dc4358a875f7/
SH256 hash:
58079c3006bbda4fe6d113fdcd8e6184daeae6dc9a201e1621c78974f25d1c10
MD5 hash:
a098a8d7f11536ec9e6738306943a744
SHA1 hash:
25b7b19b26ac1974273368dc1489f8aa4a91fe8a
Link:
https://www.unpac.me/results/a5ef40ac-ee02-41c2-b2ae-dc4358a875f7/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/a5ef40ac-ee02-41c2-b2ae-dc4358a875f7/
SH256 hash:
535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2
MD5 hash:
3c91e574cadbea2f15e0a2f499909289
SHA1 hash:
c6470f3e621475e38d684e865ca1816aa9eaa3b6
Link:
https://www.unpac.me/results/a5ef40ac-ee02-41c2-b2ae-dc4358a875f7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/535250e39240/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314698/

Comments