MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6
SHA3-384 hash: 73219ab57612d39a644db396b3f93e021378a5eaa4cccbaa48987acfe29f21953c94203d52cde89bb87205216bec2a33
SHA1 hash: f6f1d02d064ddcb0ca080e9be2b5b7911d66bcbc
MD5 hash: b7026cc0d7406330a8d11d65a77a0fa2
humanhash: kitten-yellow-missouri-thirteen
File name:TENDER_WHO 01204-2023.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:219'712 bytes
First seen:2023-04-12 12:45:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fd61eafe142870d6d0380163804a642 (39 x GuLoader, 6 x RemcosRAT, 4 x AgentTesla)
ssdeep 6144:faCoWjGfQqHMgzkEu3XZecoGKuz403lzIe6LeH/7:faC5ItzgXIcoGnz/lzgYD
Threatray 1'891 similar samples on MalwareBazaar
TLSH T15D240183A7ECD462F92B09B0D9079BF5C97CAD80DBA5E94727103EAD3D30B42693524D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RAT RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-18T09:18:54Z
Valid to:2026-02-17T09:18:54Z
Serial number: 030b6c482c33a24109e3182d23bd8a9086238ea6
Thumbprint Algorithm:SHA256
Thumbprint: e041ca16f486287b0e17a0880b8b40a411ae637721575e228dc150c1247b3d61
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TENDER_WHO 01204-2023.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 12:50:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c7243627-ac49-4d9e-bba1-7f36797b2029

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381779/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.23151.27264.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Searching for the window
Creating a file
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6436a80b4d0bed4c583dc83c/reports/ba5f5504-c82a-4b9d-9113-6d38aecbdd8d/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ebf1c1c-9e6b-4776-8e6e-3fb9a4c4e573
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212540
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 845456 Sample: TENDER_WHO_01204-2023.exe Startdate: 12/04/2023 Architecture: WINDOWS Score: 100 31 googlehosted.l.googleusercontent.com 2->31 33 geoplugin.net 2->33 35 2 other IPs or domains 2->35 51 Antivirus detection for URL or domain 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected GuLoader 2->55 57 4 other signatures 2->57 8 TENDER_WHO_01204-2023.exe 31 2->8         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\System.dll, PE32 8->27 dropped 59 Detected unpacking (changes PE section rights) 8->59 61 Contains functionality to modify clipboard data 8->61 63 Tries to detect Any.run 8->63 12 TENDER_WHO_01204-2023.exe 3 16 8->12         started        signatures6 process7 dnsIp8 39 45.137.22.116, 2404, 49840, 49842 ROOTLAYERNETNL Netherlands 12->39 41 drive.google.com 142.250.185.238, 443, 49838 GOOGLEUS United States 12->41 43 2 other IPs or domains 12->43 29 C:\ProgramData\remcos\logs.dat, data 12->29 dropped 65 Tries to detect Any.run 12->65 67 Maps a DLL or memory area into another process 12->67 69 Installs a global keyboard hook 12->69 17 TENDER_WHO_01204-2023.exe 1 12->17         started        20 TENDER_WHO_01204-2023.exe 1 12->20         started        22 TENDER_WHO_01204-2023.exe 1 12->22         started        24 27 other processes 12->24 file9 signatures10 process11 dnsIp12 45 Tries to steal Instant Messenger accounts or passwords 17->45 47 Tries to steal Mail credentials (via file / registry access) 17->47 37 192.168.11.1 unknown unknown 24->37 49 Tries to harvest and steal browser information (history, passwords, etc) 24->49 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p42v3kad6t54anhywffuutdiuujz7mncup3qstfahv4vpyqtjlla._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02dc4c2aca6b32a790ff9fddb92b22ed74bab685160bd6374931a2e9edd63f0a
RemcosRAT
198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
RemcosRAT
229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15
RemcosRAT
3547af76cc6e0a31226c990caa5620f64cfdc6d0d32243f709d532ee7e48d877
RemcosRAT
3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8
RemcosRAT
4d8274e888e5e74818b1f5b13ceb2a11ce585e97b53faf26b690f35a4a446b2d
RemcosRAT
6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068
RemcosRAT
d784bc304f14031f5a73fcabfcab0b95bdf49e1a0e7a067082aace9bad73b49e
RemcosRAT
ecfd8eaed01a5714355b6b8a09f47e35c1a81691ecd1d9f3e757010ed09d2d12
RemcosRAT
+ 1'881 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/230412-pzmdgacc87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
45.137.22.116:2404
Unpacked files
SH256 hash:
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5
MD5 hash:
be2621a78a13a56cf09e00dd98488360
SHA1 hash:
75f0539dc6af200a07cdb056cddddec595c6cfd2
Link:
https://www.unpac.me/results/2cd33555-f74a-4d23-9c13-2bf329e8ca0b/
SH256 hash:
7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6
MD5 hash:
b7026cc0d7406330a8d11d65a77a0fa2
SHA1 hash:
f6f1d02d064ddcb0ca080e9be2b5b7911d66bcbc
Link:
https://www.unpac.me/results/2cd33555-f74a-4d23-9c13-2bf329e8ca0b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f355da803f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 7f355da803f4fbc034f8b14b4a4c68a5139fb1a2a3f7094ca03d7957e2134ad6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381779/

Comments