MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e
SHA3-384 hash: fd9132ad437cd9e5e905b085652e6243d454fc54f5eb6e3a0fe7cd2888dddb2cc0a45644049976c2e1df18a7893ed5fa
SHA1 hash: 1800d5a8ea57f08d11a4194804cf11eecc9c347d
MD5 hash: f9929a7948c397de3713793d8bf24848
humanhash: utah-aspen-violet-bulldog
File name:9876545678900876.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'080'832 bytes
First seen:2023-07-24 06:07:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'627 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:TFuVmW+WUrqHvpmaRlknX0Cyp/sotXogaY/IvddpR:Tam2eqHgpXB4EotXoe/I
Threatray 714 similar samples on MalwareBazaar
TLSH T13135239433B99D13E1F4BEF04AA4960113B252416123E7CDCDFA71C52E96781BE62BE3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d455a86d496832b0 (15 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
9876545678900876.exe
Verdict:
Malicious activity
Analysis date:
2023-07-24 06:21:53 UTC
Tags:
rat remcos keylogger stealer
Link:
https://app.any.run/tasks/ac3be076-63bd-4d51-80dc-861be14246fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/430573/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.37323.10848.7411.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Setting a keyboard event handler
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0f85bc36-3a7b-4923-a8cc-2dc3478c169d
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278020
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to modify clipboard data
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278020 Sample: 9876545678900876.exe Startdate: 24/07/2023 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 7 other signatures 2->66 7 9876545678900876.exe 7 2->7         started        11 SithdIbqmj.exe 5 2->11         started        process3 file4 44 C:\Users\user\AppData\...\SithdIbqmj.exe, PE32 7->44 dropped 46 C:\Users\...\SithdIbqmj.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmpB37A.tmp, XML 7->48 dropped 50 C:\Users\user\...\9876545678900876.exe.log, ASCII 7->50 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 7->68 70 Contains functionality to modify clipboard data 7->70 72 Adds a directory exclusion to Windows Defender 7->72 13 9876545678900876.exe 3 15 7->13         started        18 powershell.exe 19 7->18         started        20 schtasks.exe 1 7->20         started        74 Multi AV Scanner detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 78 Injects a PE file into a foreign processes 11->78 22 schtasks.exe 11->22         started        24 SithdIbqmj.exe 11->24         started        26 SithdIbqmj.exe 11->26         started        signatures5 process6 dnsIp7 56 208.67.107.123, 49698, 49699, 8780 GRAYSON-COLLIN-COMMUNICATIONSUS United States 13->56 58 geoplugin.net 178.237.33.50, 49700, 80 ATOM86-ASATOM86NL Netherlands 13->58 52 C:\ProgramData\remcos\logs.dat, data 13->52 dropped 86 Maps a DLL or memory area into another process 13->86 88 Installs a global keyboard hook 13->88 28 9876545678900876.exe 13->28         started        31 9876545678900876.exe 13->31         started        33 9876545678900876.exe 13->33         started        41 28 other processes 13->41 35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        39 conhost.exe 22->39         started        file8 signatures9 process10 dnsIp11 80 Tries to steal Instant Messenger accounts or passwords 28->80 82 Tries to steal Mail credentials (via file / registry access) 28->82 54 192.168.2.1 unknown unknown 41->54 84 Tries to harvest and steal browser information (history, passwords, etc) 41->84 signatures12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 03:51:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmz7hxuqaexsvtjug355bpbgokuysi4mzv7ks6uurqxqp5rzpkpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f611b87697a816d5b37f745fa94c89315327ba3458c190fe41efd891ccd5196
RemcosRAT
1297278ef746096841eeadfbd09a124e044a52bee1be093b4484f95af475c2b3
RemcosRAT
1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea
RemcosRAT
4b66b1c337c83ccb79e4862a7a32421fd75a565a59fee1f830d4aae55b64af9a
RemcosRAT
4eaf10beee3ffe3dff4d6bd78c7a8f04c7a1b067c1f7cb6d414a53d56b1dee8e
RemcosRAT
7e9ed4d997f5a2c2d35cb8c49f66625eb37d3711906dc39dfc6e34319ad3a2cc
RemcosRAT
979b67124f30f347688897010f34abf0467a67516ba011c9601cf06a14be0432
RemcosRAT
9dcfe4a742d054e152e5e8b1f7c2c88aa5efa7896a5e072ca6af8f723d9c1509
RemcosRAT
a54c57d081e28c09d26a5ef8d3b471af22e6b4ab2f65b1a89bb2a79c23872135
RemcosRAT
+ 704 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/230724-gwhl4sad59/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
208.67.107.123:8780
Unpacked files
SH256 hash:
4cb6c20c572b107b30d5a14ea8f7781610643b802b10979763272ae1fdd5dbf6
MD5 hash:
c4e04853e933c0b2f6c872b7ac8fe509
SHA1 hash:
f846b7746c1ecd6ae5c41b324c5acb10a3d99f30
Link:
https://www.unpac.me/results/7f34fe07-7a23-4f93-8fe8-1a864e0970ec/
SH256 hash:
7c743d979549f931d7101d1a14c14841ff47c848a3f30e31882d0d958bf5f941
MD5 hash:
508ba12479b3d78edb93f63b40ab3b7f
SHA1 hash:
d72b842c46546e4e494c9338b530e305dae1d5d2
Link:
https://www.unpac.me/results/7f34fe07-7a23-4f93-8fe8-1a864e0970ec/
SH256 hash:
18a764a658698346f73603f1b9aa2b3e8ae8b6e805411de4d3114197a9d66d4f
MD5 hash:
0fc5515b734519a56de48fb492f17296
SHA1 hash:
36614c65f21184a6bb8b26b4c3139eb9bc734912
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f34fe07-7a23-4f93-8fe8-1a864e0970ec/
SH256 hash:
e6f6d4537b5a06dcaa639efb0f59ad138130ef4c513244de3546a5738c0ebed3
MD5 hash:
04c1c72fcdab1c3639a9bedb97400004
SHA1 hash:
0e02ae80df4243f81292cbfbed7037f171aaf544
Link:
https://www.unpac.me/results/7f34fe07-7a23-4f93-8fe8-1a864e0970ec/
SH256 hash:
6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e
MD5 hash:
f9929a7948c397de3713793d8bf24848
SHA1 hash:
1800d5a8ea57f08d11a4194804cf11eecc9c347d
Link:
https://www.unpac.me/results/7f34fe07-7a23-4f93-8fe8-1a864e0970ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6333f3de9001/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 6333f3de90012f2acd3436fbd0bc2672a989238ccd7ea97a948c2f07f6397a9e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/430573/

Comments