MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d90e46a94421f0ea8dde00324393637a1a935adc6b1c4ce41a270833f0a1c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 18



SHA256 hash: 85d90e46a94421f0ea8dde00324393637a1a935adc6b1c4ce41a270833f0a1c5
SHA3-384 hash: 09975d5acf53f0aa1fd7d703bd0b6ac5084d24cf52dfa88baaa25a17e2c6d63654bb37afc1680cabdaa45eaf8ead623f
SHA1 hash: 552973fcde14ac378097f41ecd9bbd36a87385fb
MD5 hash: 173ed42eb4d31faf7b7ac6b735a67d03
humanhash: cola-east-foxtrot-lamp
File name: 85d90e46a94421f0ea8dde00324393637a1a935adc6b1c4ce41a270833f0a1c5
Signature: RemcosRAT
File size: 1'158'144 bytes
First seen: 2023-07-06 11:41:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:iQZSKA3ECq9qJUSi89QOgY+qGl5xO+UwRFF7b:iv1UC5yLYp+Z5xNRF
Threatray 2'234 similar samples on MalwareBazaar
TLSH T18935F19C766075DFC817C972CAA41C20EA20A877530BD347A49726AD9E1E6EBCF141F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): [icon image]
dhash icon eccc8c94d4d8e8f4 (21 x Formbook, 15 x AgentTesla, 5 x Loki)
Reporter adrian__luca
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads:
1
# of downloads:
282
Origin country:
HU
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
LISTED PTODUCTS NEEDED.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 09:49:29 UTC
Tags:
keylogger remcos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 1268076, Sample: IzH6oEG6qN.exe, Startdate: 06/07/2023, Architecture: WINDOWS, Score: 100 (graph rendering not reproducible as text)
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2023-06-09 16:05:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 38 (52.63%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:remcos botnet:esista brand:microsoft persistence phishing rat
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
85.217.144.119:4031
Unpacked files
SHA256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
SHA256 hash:
46cc6920ff9b43649ae1b864a0fc605a9f509a5ed2e4f38fd20f80dc9e519499
MD5 hash:
23787da479de19bb5f22948fff0c7363
SHA1 hash:
c7a87d712e71cee7b62ba27f3366674888a2d2c1
SHA256 hash:
c8e6e8783aec59436e2d8886939e50a1984003a6000c92e751552ee05f194451
MD5 hash:
71263a25a5fc13a9ba8b47e2b96bafe9
SHA1 hash:
c598d7550a1fda67997e9997c49491697d384062
Detections:
Remcos, win_remcos_auto
SHA256 hash:
7bb011f14fde40f1c8bfd084f090de4601bfd6b66c6aca9f1bba4f99ee5593fd
MD5 hash:
5dc973b914276bed3361625e3d234b73
SHA1 hash:
67d571f4d79194ecc5224cc60bd39a665b38fde3
SHA256 hash:
496038b8d5e45efdc41c66a727757e7e28a2341aebf354f15f7acf53c1b7b8ec
MD5 hash:
90cc679a754e42a706353945e85af22d
SHA1 hash:
4a2b6b4f0e55a5f23a691510918bd58b314a8836
SHA256 hash:
85d90e46a94421f0ea8dde00324393637a1a935adc6b1c4ce41a270833f0a1c5
MD5 hash:
173ed42eb4d31faf7b7ac6b735a67d03
SHA1 hash:
552973fcde14ac378097f41ecd9bbd36a87385fb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments