MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3
SHA3-384 hash: 53a9b85763acf19a0bd0522af34e54bc8c812760879d4025504814c6d41f6f04e34edb574cef4536653e65ff1ff872f7
SHA1 hash: 703d9908a0b2784ba6e8875bfb010d52e19b4ef0
MD5 hash: e05fb8774765ed36cf42c340e52e23da
humanhash: artist-enemy-uniform-happy
File name:Invoice_891979.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'079'808 bytes
First seen:2023-12-13 11:25:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:UJJAAZhc5ff9bNSNLvn6x1ohhERWY+YQnIHNc:qnZSF8NbONRN+YQ
TLSH T13535D003B77249A2D7865736D6A746440372F5EA52DBD70F72CB263B210B3ABDE91203
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice_891979.exe
Verdict:
Malicious activity
Analysis date:
2023-12-13 11:27:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0aaf55fb-b9eb-4d0b-aef4-84584c7a37d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467137/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Setting a keyboard event handler
DNS request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/657994cd855eb2633d6873e9/reports/a1b6640b-f8fb-41bc-949f-fa8a5a028628/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a50a59f-0a48-4197-9697-316da963acaf
Result
Threat name:
Remcos, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361313
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Potential dropper URLs found in powershell memory
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1361313 Sample: Invoice_891979.exe Startdate: 13/12/2023 Architecture: WINDOWS Score: 100 57 jburg.net 2->57 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 10 other signatures 2->67 10 Cayuyaag.exe 2 2->10         started        13 Invoice_891979.exe 1 4 2->13         started        16 Cayuyaag.exe 2->16         started        signatures3 process4 file5 75 Antivirus detection for dropped file 10->75 77 Contains functionality to bypass UAC (CMSTPLUA) 10->77 79 Contains functionalty to change the wallpaper 10->79 87 6 other signatures 10->87 18 cmd.exe 1 10->18         started        55 C:\Users\user\AppData\Roaming\Cayuyaag.exe, PE32 13->55 dropped 81 Encrypted powershell cmdline option found 13->81 83 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->83 85 Injects a PE file into a foreign processes 13->85 20 Invoice_891979.exe 3 3 13->20         started        25 powershell.exe 22 13->25         started        27 cmd.exe 16->27         started        signatures6 process7 dnsIp8 29 Cayuyaag.exe 3 18->29         started        32 conhost.exe 18->32         started        59 jburg.net 194.147.140.225, 3363, 49704, 49705 PTPEU unknown 20->59 53 C:\ProgramData\remcos\logs.dat, data 20->53 dropped 69 Installs a global keyboard hook 20->69 71 Potential dropper URLs found in powershell memory 25->71 34 conhost.exe 25->34         started        36 Cayuyaag.exe 27->36         started        38 conhost.exe 27->38         started        file9 signatures10 process11 signatures12 89 Encrypted powershell cmdline option found 29->89 91 Injects a PE file into a foreign processes 29->91 40 powershell.exe 29->40         started        43 Cayuyaag.exe 29->43         started        45 powershell.exe 36->45         started        47 Cayuyaag.exe 36->47         started        process13 signatures14 73 Potential dropper URLs found in powershell memory 40->73 49 conhost.exe 40->49         started        51 conhost.exe 45->51         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-13 11:26:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgvystti3texubrf62pw64bqljl5mu7zzljuxhwsypjanondixbq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:zgrat botnet:remotehost persistence rat
Link:
https://tria.ge/reports/231213-njvjgabher/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Detect ZGRat V1
Remcos
ZGRat
Malware Config
C2 Extraction:
jburg.net:3363
Unpacked files
SH256 hash:
01ea3ba2cfab16f565174c6f892eae4021cee22fc8218391e83eae2f41b731bc
MD5 hash:
1ba7b815e014d9d480d5940f6632a2d0
SHA1 hash:
88e091653873d08d5f6e56395bf52e722a9a6275
Link:
https://www.unpac.me/results/f1d8abc6-2ae6-4cdb-b0e1-22acb217dfd7/
SH256 hash:
0bd5a61562eea2c90da5c448aa28668a5a3cdabe6738a12d13392630f8a1f3c8
MD5 hash:
3445d7df0f0a403cc6ca769b73b9f62c
SHA1 hash:
6769ab78606f0cb27d15ad17f19dbfbbdb11ca71
Link:
https://www.unpac.me/results/f1d8abc6-2ae6-4cdb-b0e1-22acb217dfd7/
SH256 hash:
ad510654fe1f786cfe3626e4c4c437217f538ad717a29156c386cdee34ab8ad4
MD5 hash:
0398f0a158a1c90a1cbe52ebdea123a7
SHA1 hash:
3bde7b83c1c9804543340e449454b87e699ddff2
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/f1d8abc6-2ae6-4cdb-b0e1-22acb217dfd7/
Parent samples :
61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3
689ef1d29c263f78c9626e00500983e2589d28068a72fadba9a4b04b7eafbcaf
SH256 hash:
1e9296353ca67050868598df849e6e2fb0312cb937c6648e6e2526ad2c3f185d
MD5 hash:
d8b03a2f0d7f951805444c7389f8f99a
SHA1 hash:
343919f797424ff7a2a27f03ac4a4259e8803e9e
Link:
https://www.unpac.me/results/f1d8abc6-2ae6-4cdb-b0e1-22acb217dfd7/
SH256 hash:
61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3
MD5 hash:
e05fb8774765ed36cf42c340e52e23da
SHA1 hash:
703d9908a0b2784ba6e8875bfb010d52e19b4ef0
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/f1d8abc6-2ae6-4cdb-b0e1-22acb217dfd7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61ab894e68dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 61ab894e68dcc97a0625f69f6f70305a57d653f9cad34b9ed2c3d206b9a345c3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/467137/

Comments