MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2
SHA3-384 hash: 2ce16654cce1ea17d82b94b3d0915fda59260f3e8ca25e1b89ca35e2213fb6f714d95909f3b667ab3e5b913a819d79dd
SHA1 hash: cdade74f634157acab79058948bc292fa0d740e4
MD5 hash: 0f3e70bc8340ada66a0870f1ec4ff08a
humanhash: six-asparagus-eleven-jersey
File name:PO_YG E&C_CorporationS_54378927ZZ.Z.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:147'456 bytes
First seen:2023-10-17 06:47:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:wM/+etaii7bRb6MXRr/RcSWlJV0v850eE7e1:9/+etzifJHRr5ctOSE7e
Threatray 2'850 similar samples on MalwareBazaar
TLSH T156E3C517BEDA9EB1D2895B3AC7D711000774E5A2B257EF1A758E13DB18433BAEC4120B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PO_YG E&C_CorporationS_54378927ZZ.Z.exe
Verdict:
Malicious activity
Analysis date:
2023-10-17 08:06:46 UTC
Tags:
rat remcos remote stealer
Link:
https://app.any.run/tasks/0d4e6e59-5956-43eb-b973-b6d2aea374e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455193/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.21215.24045.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control lolbin masquerade packed remcos
Link:
https://www.filescan.io/uploads/652e2e255da218a42f52217a/reports/7f2cacdb-8d6c-44b3-b3da-96531d458cc2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/846f13fb-95d6-4065-89b8-a6da9aca7608
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327063
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1327063 Sample: PO_YG_E&C_CorporationS_5437... Startdate: 17/10/2023 Architecture: WINDOWS Score: 100 46 grantadistciaret.com 2->46 48 www.mediafire.com 2->48 50 2 other IPs or domains 2->50 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 12 other signatures 2->66 8 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 16 5 2->8         started        13 Jaalvwwbqpp.exe 14 5 2->13         started        15 Jaalvwwbqpp.exe 2->15         started        17 SkypeApp.exe 2->17         started        signatures3 process4 dnsIp5 56 download2392.mediafire.com 199.91.155.133, 443, 49704, 49709 MEDIAFIREUS United States 8->56 58 www.mediafire.com 104.16.113.74, 443, 49703, 49708 CLOUDFLARENETUS United States 8->58 44 C:\Users\user\AppData\...\Jaalvwwbqpp.exe, PE32 8->44 dropped 76 Tries to steal Mail credentials (via file registry) 8->76 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->78 80 Contains functionality to modify clipboard data 8->80 19 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 3 13 8->19         started        23 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 8->23         started        25 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 8->25         started        33 2 other processes 8->33 82 Antivirus detection for dropped file 13->82 84 Multi AV Scanner detection for dropped file 13->84 86 Contains functionality to bypass UAC (CMSTPLUA) 13->86 88 6 other signatures 13->88 27 Jaalvwwbqpp.exe 13->27         started        29 Jaalvwwbqpp.exe 15->29         started        31 Jaalvwwbqpp.exe 15->31         started        file6 signatures7 process8 dnsIp9 52 grantadistciaret.com 46.183.221.100, 3212, 49705, 49706 DATACLUBLV Latvia 19->52 54 geoplugin.net 178.237.33.50, 49707, 80 ATOM86-ASATOM86NL Netherlands 19->54 74 Maps a DLL or memory area into another process 19->74 35 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 1 19->35         started        38 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 1 19->38         started        40 PO_YG_E&C_CorporationS_54378927ZZ.Z.exe 14 19->40         started        42 2 other processes 19->42 signatures10 process11 signatures12 68 Tries to steal Instant Messenger accounts or passwords 35->68 70 Tries to harvest and steal browser information (history, passwords, etc) 35->70 72 Tries to steal Mail credentials (via file / registry access) 38->72
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-17 00:05:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
14 of 35 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ooupeoo2gso2x25en4kdgepi6wdulcmrpkeoh5wnmr3hyvw54ora._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1665cb982b396c386411c79a5a363f5b88760626ced863e02c43c2e5ebb28b30
RemcosRAT
1ce13b1a107d66487c04da7180452270eebd76b7f0bcd1df37512fd1306d6656
RemcosRAT
44f16731945747ba1d56147e3845765d533e81d95b002509182b7db53a71a673
RemcosRAT
483d7f7379d43c9fb3effb226cb58a443f48105bda3a9a6310a76729d7c1b3bd
RemcosRAT
4f4a8ff83672c8134227742b12e228e512d32e3c3dabb8e96bdc6b28628d3d26
RemcosRAT
887171e762ec83f7c3f9d12c11742c7e05e9382db50a9fe3268d266215708bf4
RemcosRAT
a5ae5581ef52c1f1b96a34149317c0ed9bfb65ad38a844eb493cb10bb6b93794
RemcosRAT
b09ad34d756d9477b24bca1cb4dfcc95e21aa67f72817560dba0d9042255bdca
RemcosRAT
d1e1c9332fa8a6bd045fd4ccfa11055a4e17d1cad72239aab2400870191c4185
RemcosRAT
d31044022de445b61ba735083a47c5fd1f4d5c8dfcf544da489572ce3fafdc79
RemcosRAT
+ 2'840 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:aaaaa collection persistence rat spyware stealer
Link:
https://tria.ge/reports/231017-hkrw3sbf25/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
grantadistciaret.com:3212
Unpacked files
SH256 hash:
73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2
MD5 hash:
0f3e70bc8340ada66a0870f1ec4ff08a
SHA1 hash:
cdade74f634157acab79058948bc292fa0d740e4
Link:
https://www.unpac.me/results/ca22d62d-5c07-4175-a119-5dceff87d69b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73a8f239da34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/455193/

Comments