MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186
SHA3-384 hash: e6da651fc83ed53eec8b66b743538efc8f0a4a3686be4dd3133067c8cb9bea71890e3a7aaea9d12ae4cf3e573359375c
SHA1 hash: d09bd31b49493bb64f895fa2a26738d215185bea
MD5 hash: 41598ac3d2b78ad325b2cfc975a2661c
humanhash: mountain-indigo-yankee-neptune
File name:payment confirmation.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'365'504 bytes
First seen:2022-08-14 18:19:25 UTC
Last seen:2022-08-14 18:31:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:ybi+I7LOPvHFFrYiDzMCtPQ4/8bggv6O4VyX07/R/6a3My:5TsPBe4/8b3v6OqyXs13x
Threatray 1'893 similar samples on MalwareBazaar
TLSH T19555F0AFBEAC6B5EDE500076F238567C76C51F576812820DB6DBFE0D547228C4826EC1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter 0xToxin
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
392
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
payment confirmation.exe
Verdict:
Malicious activity
Analysis date:
2022-08-14 18:22:27 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/6e34baba-7f76-4171-8c3a-3c301805216c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298510/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.23064.14119.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f93cd6810e2831b74838d9/reports/23c84b42-dbee-4415-8ae2-ffe5ecd32c5c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/77f2b3f2-53c5-4829-8003-216d532aa98b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051204
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-08-14 13:33:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
27 of 41 (65.85%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pq4a3i5v4wf2lo2ydqibrx6jqvx3yd5gbaek4kb6vn7oa7v22gda._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2582008cc5626a748f4926d0973f1b4ea0717e5167e1f79aa44dc0f188f46881
RemcosRAT
4fb64a4a1e0876e8cdd9afcd6c62c908f1b2441692dcd83c430b4606272689d9
RemcosRAT
58d167ac0455b7d024658ef55ce982f54ddfae649fde25813b4819928c6bf9ba
RemcosRAT
65cdfaf2f1780649028e28012f826da60bc9c2f2c36ea8239a2378a5abcf083f
RemcosRAT
6d16f6ecb3a446d0c6bfa0fc7a47dabac2e63cebfa426f4502a5bcecf378c645
RemcosRAT
8a791c71f76f530179c8e957f5b6235fb573a9ee35a1dabfca368e62f7bba29e
RemcosRAT
c30d279d37c323a04f669c9912768e2b9f512342bdd4001160c3d22182d7b2a8
RemcosRAT
c5fe9955259f76f4b03bd65fd5e146803690d8057d7ef474c3b1b8eec0b1b928
RemcosRAT
dfa6c38c1b3b33a94e1e884e47e0864808c8af196c260b6b8045cb4ed37d300e
RemcosRAT
+ 1'883 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/220814-wyrecsghfn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
dhforklifts.com:29087
Unpacked files
SH256 hash:
7bb938b6a9ae20c26e2ee85202f22db9e0bb175137fcb89fac0ae227e139aa43
MD5 hash:
da615a7e84cde1dd1b5b104312639862
SHA1 hash:
fabe10fd5184e0be34f600840f66526331f537a0
Link:
https://www.unpac.me/results/d6e8b744-44e6-4a05-b60c-461ba1ab2916/
SH256 hash:
030f79679040fbb3d7a89795450ef4bc26e4aebab2d59dba0c21acb68c79f389
MD5 hash:
ed3f04f0bdebb52354b221be354be4fe
SHA1 hash:
8f18c3bda3e0909c527e513b5c79453568c7afc1
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d6e8b744-44e6-4a05-b60c-461ba1ab2916/
Parent samples :
b7deac676ee163bb88faedd6e4a460b1fd0a0154823a4dfcda9b4804e05a4ba8
42624f233b4710ff3fc425330fae107498102ce92fbe263c1cf5c011bd2c17fb
0a006a3d6a43bb926dfffe709735cbda30ec27412f2eb91c9cbcd5e40f6990d9
c5fe9955259f76f4b03bd65fd5e146803690d8057d7ef474c3b1b8eec0b1b928
7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186
SH256 hash:
18eb60c0eb3e1c610526d9f4b42684ac36a2ebb521514a8770dca2f2afd7f471
MD5 hash:
7ca239778f9f46d28b08876564dba525
SHA1 hash:
973b0d0d98a83b7dfcf1bfce04a179b0f070b98c
Link:
https://www.unpac.me/results/d6e8b744-44e6-4a05-b60c-461ba1ab2916/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/d6e8b744-44e6-4a05-b60c-461ba1ab2916/
SH256 hash:
612139c0dbf664270593395c24c2d64fd93d6fb926049ac812b25e7d179f2ae2
MD5 hash:
24e0d9cbbaf6e7ef0478a9e784ed03fe
SHA1 hash:
0180e63ed273f8123d03c8cf81c23df3cdd2c111
Link:
https://www.unpac.me/results/d6e8b744-44e6-4a05-b60c-461ba1ab2916/
SH256 hash:
7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186
MD5 hash:
41598ac3d2b78ad325b2cfc975a2661c
SHA1 hash:
d09bd31b49493bb64f895fa2a26738d215185bea
Link:
https://www.unpac.me/results/d6e8b744-44e6-4a05-b60c-461ba1ab2916/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c380da3b5e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 7c380da3b5e58ba5bb581c1018dfc9856fbc0fa60808ae283eab7ee07ebad186

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/298510/

Comments