MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
SHA3-384 hash: a51efa148c45e546f1bdfee9af8c236e70685b34f55af9288570490464703510a11b150ce3c46890d3fcd0335ad4134a
SHA1 hash: 0ab9dec647eea4c11be01d3a681fc68831a97084
MD5 hash: 97a4612d1b6aa2af0e448fadc551b536
humanhash: happy-west-alanine-five
File name:OTP Bank - fizetési bizonylat 20231221.pdf(61KB).com
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:548'728 bytes
First seen:2023-12-21 17:22:16 UTC
Last seen:2023-12-21 19:19:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 12288:RTqTV5wkZc4xmOUqWDXqGq1oeT5IUUJb5EeSQDRJ5:RTqTPwkZT8Dc7F4G14V
Threatray 599 similar samples on MalwareBazaar
TLSH T19BC4232B3154C9BFC1621E34D9E34ED1F7F36646E2A1E166A3103F4724246EBA2BD5B0
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter smica83
Tags:exe HUN otpbank RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.31697.608.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91c258d6-9f16-4c18-a0b3-b8d530bf45f7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365715
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365715 Sample: OTP_Bank_-_fizet#U00e9si_bi... Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 49 igw.myfirewall.org 2->49 51 geoplugin.net 2->51 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 7 other signatures 2->71 9 OTP_Bank_-_fizet#U00e9si_bizonylat_20231221.pdf(61KB).com.exe 18 2->9         started        12 hdmvrbw.exe 1 2->12         started        15 hdmvrbw.exe 1 2->15         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\qsgvgjevac.exe, PE32 9->45 dropped 17 qsgvgjevac.exe 1 3 9->17         started        79 Antivirus detection for dropped file 12->79 81 Multi AV Scanner detection for dropped file 12->81 83 Contains functionality to bypass UAC (CMSTPLUA) 12->83 87 8 other signatures 12->87 21 conhost.exe 12->21         started        23 hdmvrbw.exe 12->23         started        85 Maps a DLL or memory area into another process 15->85 25 conhost.exe 15->25         started        27 hdmvrbw.exe 15->27         started        signatures6 process7 file8 43 C:\Users\user\AppData\Roaming\...\hdmvrbw.exe, PE32 17->43 dropped 57 Antivirus detection for dropped file 17->57 59 Multi AV Scanner detection for dropped file 17->59 61 Contains functionality to bypass UAC (CMSTPLUA) 17->61 63 12 other signatures 17->63 29 qsgvgjevac.exe 3 16 17->29         started        34 conhost.exe 17->34         started        signatures9 process10 dnsIp11 53 igw.myfirewall.org 91.92.252.201, 2404, 49708, 49709 THEZONEBG Bulgaria 29->53 55 geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands 29->55 47 C:\ProgramData\outlook\logs.dat, data 29->47 dropped 89 Maps a DLL or memory area into another process 29->89 91 Installs a global keyboard hook 29->91 36 qsgvgjevac.exe 1 29->36         started        39 qsgvgjevac.exe 1 29->39         started        41 qsgvgjevac.exe 2 29->41         started        file12 signatures13 process14 signatures15 73 Tries to steal Instant Messenger accounts or passwords 36->73 75 Tries to steal Mail credentials (via file / registry access) 36->75 77 Tries to harvest and steal browser information (history, passwords, etc) 39->77
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 11:31:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psa5axoyeiz6aj4mqpfawgr3hlm7b6slrnll56mlxkleourws5ka._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
280945c850b2ee81256b36dacdec35b2bbc147c3cba57b344cd50bf464d74f97
RemcosRAT
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df
RemcosRAT
6234e49bf7956d3dcceda1ef8e631c3794df29a6a29afa2e2a1dfa18abbd1153
RemcosRAT
69cb61375bae8db7278ca4adee488faea6723d8052270908010541c4850e8dcb
RemcosRAT
7b6963634e8575acfde4ae2b6ae7e94d4c3236fdc82c703babd5859e83e9b38e
RemcosRAT
7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
RemcosRAT
a54c57d081e28c09d26a5ef8d3b471af22e6b4ab2f65b1a89bb2a79c23872135
RemcosRAT
f1373d2222e6c4e03e857f401e582261f0530520e8fe2d6a325743ef73ee9a26
RemcosRAT
+ 589 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:fresh collection persistence rat spyware stealer
Link:
https://tria.ge/reports/231221-vx44dsbcej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
igw.myfirewall.org:2404
Unpacked files
SH256 hash:
a2eb878fc34e3c6cfa3ba3bd04e2df74841d1f8a4109395b0f49b86aae3b90a5
MD5 hash:
7e688e73711a856ed5b7fa3463170440
SHA1 hash:
ce2638d8d774a672161f4492dcbbd233f89911ad
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/e8811eac-336e-442a-8318-1b9bdc30ac68/
Parent samples :
d40601f00896725d783baf1670fb0e8b855149b9d4871d22bb4ddfd88b07a68f
6234e49bf7956d3dcceda1ef8e631c3794df29a6a29afa2e2a1dfa18abbd1153
7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
SH256 hash:
cf2042657edebd876a4a001b712f39666d1c49bbe91def521717d96e3241e968
MD5 hash:
cd846954cefd210241c1d2336417a6ca
SHA1 hash:
3ed7b73bc6ddc67d3a2ed2af49df24db26e3e3d4
Link:
https://www.unpac.me/results/e8811eac-336e-442a-8318-1b9bdc30ac68/
SH256 hash:
7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
MD5 hash:
97a4612d1b6aa2af0e448fadc551b536
SHA1 hash:
0ab9dec647eea4c11be01d3a681fc68831a97084
Link:
https://www.unpac.me/results/e8811eac-336e-442a-8318-1b9bdc30ac68/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c81d05dd822/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments