MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
SHA3-384 hash: bf12c8866865ea9ff81c4155465fe29d9183e83bdb64cd0eee5a0d382de7586b12521b435a06cb22db475c5aa29ae6df
SHA1 hash: 1b4388149ef56e5745a6b99a04292c44b5101bac
MD5 hash: d699d94f66fcc19dbafe4926418ec68f
humanhash: orange-arizona-purple-magazine
File name:Shipping_Documents.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:453'950 bytes
First seen:2022-10-24 07:53:48 UTC
Last seen:2022-10-24 19:30:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:bQM4t4KPGPIG8YsbWeGKRqmDjOBAMSn5YxeT:bKUF3s6enqsjOBiea
Threatray 2'061 similar samples on MalwareBazaar
TLSH T13AA423AAA1B188FAC1D50FF045A727E2A9F1D6055133724B67416F7FA2353C3AE23790
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Shipping_Documents.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 07:56:25 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/fd030c75-2d6b-43c3-8082-4ab5a517f32c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323288/
Detection(s):
SecuriteInfo.com.Dropped.Trojan.GenericKD.63069731.12006.6816.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9e5698b-24b1-424e-b5cb-88724b3803bc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096288
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728927 Sample: Shipping_Documents.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected Remcos RAT 2->52 54 4 other signatures 2->54 7 Shipping_Documents.exe 18 2->7         started        10 lqtjpa.exe 1 2->10         started        13 lqtjpa.exe 1 2->13         started        process3 file4 32 C:\Users\user\AppData\Local\...\loyxsna.exe, PE32 7->32 dropped 15 loyxsna.exe 1 3 7->15         started        56 Contains functionalty to change the wallpaper 10->56 58 Machine Learning detection for dropped file 10->58 60 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->60 64 3 other signatures 10->64 19 conhost.exe 10->19         started        21 lqtjpa.exe 10->21         started        62 Maps a DLL or memory area into another process 13->62 23 conhost.exe 13->23         started        25 lqtjpa.exe 13->25         started        signatures5 process6 file7 34 C:\Users\user\AppData\Roaming\...\lqtjpa.exe, PE32 15->34 dropped 40 Multi AV Scanner detection for dropped file 15->40 42 Contains functionalty to change the wallpaper 15->42 44 Machine Learning detection for dropped file 15->44 46 5 other signatures 15->46 27 loyxsna.exe 2 14 15->27         started        30 conhost.exe 15->30         started        signatures8 process9 dnsIp10 36 41.216.183.226, 41900, 49697 AS40676US South Africa 27->36 38 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 27->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 23:54:39 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o27zb6lrgh2ldb7337hfuhycejhdbj2spawlzv7zuxmqubb54eua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
39c927965e14fb38c14b82c66c398f9cac1343d450db26e43c763b08a764b04b
RemcosRAT
8c2653e4d9998668579383d87f291afe6ba5740ec3bc6d8f44618c0f9af77189
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
b45dbf75dd0de5a62cb362bcc26b59cdd6a7adae8a74c71c30e7db9c36b20265
RemcosRAT
e7a7431b7c5f7d73f80f8474e5d62a3620a639c762ea78b0266ff867c048a153
RemcosRAT
+ 2'051 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehoststar persistence rat
Link:
https://tria.ge/reports/221024-jrjdysfcf7/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
41.216.183.226:41900
Unpacked files
SH256 hash:
b004491771d05dc604c8f1a7b169673e9b7a7f33c4833bcfa50c5e76b8c9a1d8
MD5 hash:
b30ad3ec69c35a44bd720e88e07e283e
SHA1 hash:
52a834e399eb4fcac0a4bc0b1f53634da776aecf
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f19661c3-d4ad-46ee-b825-3b35aea51777/
Parent samples :
8573105c4b67affc024eec0b64c4f4c2f2e7f52d31b5eec059d6d8dc6f0a3743
0de500897b8ed984575c14906255f694bee3fdade7cc369f7c0a51185ec61ba0
76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
dae79c591e41fac5133e80652d94e8c1cc42e62381a38f2dc11c42360547afe7
f6d04e26f4e1ccafc73107d102606ed5e528fcb2e6451f568241b840152454ee
ac2022d039991daaa6b3f05a7d2324b55247446b4f0b20f0feb36d22fd21d428
522de9141cf7d1449c48f439b23bbc53be3de244e1baf817759b64eedfe5ae00
f9dbb342e635717b55ef19c20e7943858acf892e6040a9a4f3609eaa41981bc9
284749a242c7dcee6d5f8d71bb4de12ccbc7f7acc24a8fb795859b0393f23577
SH256 hash:
abb6fd680ff7c23f50f888a12bbdf58ed26e39a3ff923758f0491f34ef5f7645
MD5 hash:
b5581667eb2581f7f318e8713df495f8
SHA1 hash:
54952ce2aa06b497e1732977f2ea9325c2a00fe5
Link:
https://www.unpac.me/results/f19661c3-d4ad-46ee-b825-3b35aea51777/
SH256 hash:
76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128
MD5 hash:
d699d94f66fcc19dbafe4926418ec68f
SHA1 hash:
1b4388149ef56e5745a6b99a04292c44b5101bac
Link:
https://www.unpac.me/results/f19661c3-d4ad-46ee-b825-3b35aea51777/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76bf90f97131/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 76bf90f97131f4b187fbdfce5a1f02224e30a752782cbcd7f9a5d90a043de128

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/323288/

Comments