MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5
SHA3-384 hash:	b8d84aacaa1cd08c6f49d0f087a277265029f46e51aed55d30386956ff405047b37799b8f887f4e19073c06141252ddf
SHA1 hash:	f3be1a22d87dced78fe2e54e534784a5ef6843de
MD5 hash:	c56567facccf39a8ecf48f58d99ee961
humanhash:	triple-robert-vegan-one
File name:	SEPA 2023-08-07 PDF_033293211002839277.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	488'575 bytes
First seen:	2023-08-15 12:16:35 UTC
Last seen:	2023-08-15 12:16:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	12288:PY789UN5s/W38XzJ7hCgW7nTgkX3R/gkKODJCqH:PY78Ke/W34YgenEkX3KNuDH
Threatray	2'449 similar samples on MalwareBazaar
TLSH	T157A4233BA8F4C987ED724B319671DB352FA5A04B18B8436B07106B9C7E1E550DB0F2A7
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	cocaman
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SEPA 2023-08-07 PDF_033293211002839277.exe

Verdict:

Malicious activity

Analysis date:

2023-08-15 12:18:13 UTC

Tags:

rat remcos remote

Link:

https://app.any.run/tasks/5387efca-2055-4ab2-b43d-be8053a92c17

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442768/

Detection(s):

Sanesecurity.Malware.28885.BadCo.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/102877/overview

Behaviour

MalwareBazaar

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/89821d53-5be1-4e3e-b66d-5c7b7d5a755a

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1291385

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-08-07 09:46:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qftsmgxrzxt6ao6s3x2d5ppcdpnev5tcc3jmj3u4uhewpzma66sq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a

RemcosRAT

3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

RemcosRAT

69cb61375bae8db7278ca4adee488faea6723d8052270908010541c4850e8dcb

RemcosRAT

882a895b320ba323dccd33d6d82e02b4506b7386a91c63c0c505345796352d67

RemcosRAT

979b67124f30f347688897010f34abf0467a67516ba011c9601cf06a14be0432

RemcosRAT

b41e4528449d3fa1730eca98df0dc9fd9e3683ccfaedf1d72ee2af2899f18db8

RemcosRAT

ce068c31fc36142145899195cf4dcb87d3dce15616bf9f60428f931d355c86d2

RemcosRAT

+ 2'439 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/230815-pf2daace8s/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

64.112.85.218:4888

Unpacked files

SH256 hash:

ede6e01cf799d6b96b8e57c0804c91ed11e46e56d4b3ade8f5d7727fc5286edf

MD5 hash:

b0e9caea8fd19f84db5a9e8479a080a7

SHA1 hash:

57d3720db7fa56bca29a200b8156cb2e064170ea

Link:

https://www.unpac.me/results/0a7ed759-9297-4ab7-a199-cd2b3a8db474/

SH256 hash:

04adf7cc43ba331ca5f202b718fefbc16cbcccdee11c1830087b8115ae429eb4

MD5 hash:

07d1ba5604b10a849c185fa855c923da

SHA1 hash:

4dfecf14ddb1f0896b47b168273f8a37396b5051

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/0a7ed759-9297-4ab7-a199-cd2b3a8db474/

Parent samples :

356397e5a8cede8dc9420b6f76ed565748382705ed55888b0a85a48e94ec2bc4
37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a
17927cf92cf25c048021f9517386f9a69936c8c03ac8afb18eac18e512e662a2
593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9
8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5

SH256 hash:

8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5

MD5 hash:

c56567facccf39a8ecf48f58d99ee961

SHA1 hash:

f3be1a22d87dced78fe2e54e534784a5ef6843de

Link:

https://www.unpac.me/results/0a7ed759-9297-4ab7-a199-cd2b3a8db474/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8167261af1cd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip af551138bc3952708e41adf9d4ec58556eb243e02730d720b893246bdb857234

RemcosRAT

exe 8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5

(this sample)

Delivery method

Other

Dropped by

SHA256 af551138bc3952708e41adf9d4ec58556eb243e02730d720b893246bdb857234

Cape

https://www.capesandbox.com/analysis/442768/

Dropped by

MD5 db11d7c5b08a08730892d9a8ea567147

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample