MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b
SHA3-384 hash:	5bcf1cf9c1d1e32b42ab0eae21ca5b3afba9472223f19f9c3e676730a46269ff663342b7af1bfb3d71a14dc9071ebd9c
SHA1 hash:	1c109ebd2a1dee61ac72583c28bbe0231f6e8055
MD5 hash:	9436aeff0f0a51a1599f4f7478a38253
humanhash:	oranges-sierra-early-three
File name:	PAYMENT COPY.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	912'896 bytes
First seen:	2022-10-25 11:52:04 UTC
Last seen:	2022-10-27 15:22:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Tnh7qEv9rGKJfZ/kfDCXzuTiiRL7ST4VLl3xqElt5aQJBmx2:cEZGM/qTiiRLOILF5akmx2
Threatray	2'647 similar samples on MalwareBazaar
TLSH	T198150260DAEFCCAFC476113C2030460149779F8A9A03F7D9659D7C3DAC39703AAA597A
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter	cocaman
Tags:	exe payment RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

PAYMENT COPY.exe

Verdict:

Malicious activity

Analysis date:

2022-10-25 11:52:48 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/c8d411df-c1ee-4e78-9f2e-780f9b251a0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/323997/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.45756.18488.23616.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/567fb0c8-3d58-4816-a9b3-0acc9d1f6e34

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1097512

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-25 03:20:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=om7mmqc3ipm2ysrgni57v2o7gqmfzpmbi6az6f4fdxm5cpb3om5q._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2f883759c2fd1aefb2578344f0ed2de3540ed71bb325ad6f20d58540cc10f79d

RemcosRAT

3309420da4cc8e91be71bd96a482fd2b544e2b1dd0d5a8e075b3cfe9bac1957f

RemcosRAT

4f95967b9b1f5532cb570bb1f762328d07ea16c20b6fcf1c4cfde82d06906630

RemcosRAT

825624416b00297bbc9a9544a99b2f5d32093307933009625d386b88c413405c

RemcosRAT

881c36d477296d428586f4dbb755fe83e9f4a2555d5f7f3cb463c63703c101f7

RemcosRAT

b7cc11f42808bc13ea70def8382654e7c9294eb30c42ed29d5eb9f2d7bbf9514

RemcosRAT

e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409

RemcosRAT

edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601

RemcosRAT

+ 2'637 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/221025-n2axsacfap/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

51.75.209.245:2404

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ae281be1-c87f-4bab-9d3f-bdb805142b72

Unpacked files

SH256 hash:

1459ade80dd19b04b8d0037ce88f8f020b6c9d730e39fca181465355562f4b15

MD5 hash:

2c8b1b939947b35d647eb87373316fcb

SHA1 hash:

ec7b924e02076e3f6f1ba70d6990f7946c661d27

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/95c9a635-3648-4eae-9c17-605b7b6c73e9/

Parent samples :

e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b
b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
bdb57463a45449889f971cc8f16abf66f695b00dabf917280ec6e7389916a0a2
f5758ccee5820f19251721999da1f927572f00bc472113638f2fb134d6599b68
8f6954e1834b49a24b8e937ff093f1e534f89691ce805ce2f14553315a18e651
8f2f7e3c4fdafd040879abd0e8fc0bcd7c4055217a4fac63e348ff391da62878
238e7b87bd6d152fce3ae3dbe8ea4a9f3b56c883944cb93695c58fdc20aad6e8
dfca7ce647ee8994cba9317516ce7f58b2b175f815fd5336dbfed34ccad5c4de
6af23878112166b4f2b99b4a7af53cf8c71ee4d0e27eead7eba335832e9449b4
d299c8e1864ae2089e28301ed127b86d92c3aeac935f35822479a018b025da59
f7ac248e39e55ccbf0b79fbfd3bbad23f00dd3e595d6f58166a70dfd82adb951
734e077ffd2beb5e2808ce5bf2d27f03757257d133794acad69bf80bee2e7348
c1cc5ad08f2796e777ab3006a88c3cfa5dc84b0d0bc5f95cb72cb73436220b4c
83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
ff4eaf31a3a0f4f99fd9c71caa01388cd50a9917fc16625d549c470cf23cd68f
fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab
9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
123b988cf46a721c113799db30e360848a05941032871f87d1ea6a12bd8e7f0f
f306fefee8114c023ad5056b16a490a82466e8bbf50296f2ecdac6a75123bd2d
fdc9196c194b31f7b221c487affe3d815775a436b1c26133fa6b1e8a9c252a51
4713512f84ba1fbb43666e1e0c5ef8f02d681c0fef3c469a13759d51018d1f0f
aa512df0ca1a0462046446c14ca5aaaa5255dc12b6aa06ea7662aff9d1b2eb41
a6655fefe6b0b32d5c94627d3b83a0d446fa329b162ac7f8409a1b8827b63abc
679f0dec60e8ac08f75b8e2731c1689544b9ae1d08a26e9c6607a7bad3941ebb
a84ffc6423f9efc057fcffadbf537056debc6b79d3d81a7dc4b16bd61a87b6ba
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
c8ce7d7a1b3511466f838f2b09f1a644ac2ceaa09f508a81a601cc5c576e18d4
df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
8758be9f226102217b3f28ffc1d6093dac1c9d5e8b3de32d85d150204169c10d
f34b65f828707e189c6197c3605e4b25bcd493e93bdb498bc91eeee6ac349d0b
da6d125701d41e2b9d6d9931b4747bbf6b3b4a6c0ca26311c7983fad94e22ef5
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28

SH256 hash:

de2f4dbead413a40687c9090ae8d9df17c1dfaa1c38d92c40c1496bbc0d2aaf9

MD5 hash:

e50dd2b01813b0b2ca54ca4e897be4c6

SHA1 hash:

535f1d363b240776f0a205b99425043299487640

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/95c9a635-3648-4eae-9c17-605b7b6c73e9/

SH256 hash:

248a7c4997aacb14ca032daf9668636839f921d0a3403f09a3b0ccfdc948cbf1

MD5 hash:

a7952169b04a2c6a39661aad59e79dcf

SHA1 hash:

88722f1a32c913307c0c6385b04478a79fabd12b

Link:

https://www.unpac.me/results/95c9a635-3648-4eae-9c17-605b7b6c73e9/

SH256 hash:

eb06f7d46c499e2bbfa1730f3d5d91c20253457ca342c7b36940cf45c767d455

MD5 hash:

fcee51327f3e8df098f8d70c36eb0d13

SHA1 hash:

67fc0e28a337521e8f3504cf4818962b9742a2af

Link:

https://www.unpac.me/results/95c9a635-3648-4eae-9c17-605b7b6c73e9/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/95c9a635-3648-4eae-9c17-605b7b6c73e9/

SH256 hash:

733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b

MD5 hash:

9436aeff0f0a51a1599f4f7478a38253

SHA1 hash:

1c109ebd2a1dee61ac72583c28bbe0231f6e8055

Link:

https://www.unpac.me/results/95c9a635-3648-4eae-9c17-605b7b6c73e9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.