MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b
SHA3-384 hash: 7b0084f2226af831bdd6bf0cf953404c75fd74e3ff257d370f89e2b6dad4f38ccdb92d868417e33596c84551f3948e35
SHA1 hash: e94d20e1b438fb07db77d5035eb2d2cbe0c7e8cb
MD5 hash: 82abd8653aad2784873c17cf10df7c7f
humanhash: enemy-eight-solar-emma
File name:Proforma_Invoice.pdf.7Z
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:955'355 bytes
First seen:2025-02-19 05:20:10 UTC
Last seen:Never
File type: 7z
MIME type:application/x-rar
ssdeep 24576:lvpxkCioQPrfa8pyTJrmbzcs8xL4Id5uhij33Z+8YK8w9VbY:lRxkzRjfaUyVrmb4sML3iITZ+VSY
TLSH T1D3153342045A14365162B2AAB9C37DD44130607EF486D23BFBD1D24EADE7D6EF2C7AD0
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter MAM
Tags:7z RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
ID ID
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Proforma_Invoice.pdf.exe
File size:1'067'008 bytes
SHA256 hash: 0ac64e3c4051edae7fb30c1381b4406e4e79663e313b4dc0b6af84a460e011b0
MD5 hash: c3da3f84e4d3801154ea982208645272
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28929.RarHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b56b4ba0fd713c335bac5a
Tags:
agenttesla underscore infosteal spam
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected remcos
Link:
https://www.filescan.io/uploads/67b56a155c9e85f7896890e2/reports/534600e1-f206-47a7-bc05-8b5b9006b178/overview
Verdict:
Malicious
Labled as:
HIDDENEXT/Worm.Generic
Link:
https://www.hybrid-analysis.com/sample/76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b/
Threat name:
ByteCode-MSIL.Worm.Zmutzy
Create hunting rule
Status:
Malicious
First seen:
2025-02-19 05:21:21 UTC
File Type:
Binary (Archive)
Extracted files:
31
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3d2pkq2ekhtjcaexha7hun4khxa4ydrldmuf7hg2csystzdgn5q._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:remcos botnet:feb 19 collection discovery execution keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250219-gbttmsylfs/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
AgentTesla
Agenttesla family
Remcos
Remcos family
Malware Config
C2 Extraction:
austin99.duckdns.org:9373
103.186.117.61:9373
sales778.bounceme.net:9373
https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4
Create hunting rule
Author:Florian Roth
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z 76c7a7aa1a228f348804b9c1f3d1bc51ee0e607158d942fce6d0a5894f23337b

(this sample)

RemcosRAT

Executable exe 0ac64e3c4051edae7fb30c1381b4406e4e79663e313b4dc0b6af84a460e011b0

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0ac64e3c4051edae7fb30c1381b4406e4e79663e313b4dc0b6af84a460e011b0
  
Dropping
MD5 c3da3f84e4d3801154ea982208645272

Comments