MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130
SHA3-384 hash: f2cb7c7fd116a41230138b1374d20d8d33c026a02a9ebb8f4b261f8373cbddd72b7a4cc1dc775127c0e7f7d7568ceedb
SHA1 hash: 32b174392689fa0703101a15b2441cd2b0f2ac1a
MD5 hash: 4d9cb569deae054e224c9cca595d9b15
humanhash: harry-alaska-uniform-mockingbird
File name:INVOICE KFL031321126666.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:896'512 bytes
First seen:2022-05-30 03:37:05 UTC
Last seen:2022-05-30 04:45:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:V+IsWvG87QM5yfZr/x1ZCVstsIC7WAq00:VL8MaZN1A0CCAq0
Threatray 1'883 similar samples on MalwareBazaar
TLSH T152152315FBB52B0AFAEC3FB9A97085615376C339A817F7903EA134FC4E10750D52216A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00ccf096ccc0d400 (21 x FormBook, 18 x AgentTesla, 11 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
INVOICE KFL031321126666.exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 03:38:19 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/28e5adb2-e688-4001-8a9a-0cae0ee381ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275303/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.13667.8562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62943be6054dcf0eca031664/reports/54e6baad-b098-465b-8734-2e0668179b8e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ac46daf-6bec-4d3f-b125-ccd8b2fdf615
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003367
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635863 Sample: INVOICE KFL031321126666.exe Startdate: 30/05/2022 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus detection for URL or domain 2->34 36 13 other signatures 2->36 7 INVOICE KFL031321126666.exe 7 2->7         started        process3 file4 22 C:\Users\user\AppData\...\lfYQwbtHIRH.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp4DA3.tmp, XML 7->24 dropped 26 C:\Users\...\INVOICE KFL031321126666.exe.log, ASCII 7->26 dropped 38 Adds a directory exclusion to Windows Defender 7->38 11 INVOICE KFL031321126666.exe 2 7->11         started        14 powershell.exe 25 7->14         started        16 schtasks.exe 1 7->16         started        signatures5 process6 dnsIp7 28 206.123.140.83, 49742, 49743, 49744 M247GB United States 11->28 18 conhost.exe 14->18         started        20 conhost.exe 16->20         started        process8
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-30 01:29:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdxuieiqc4kwe5hsedo3cnzn2mtjxxz6nrikql7jjp63kmyymeya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b8ce3d491814d2e36d1f10e2deafca89470c738f3aabd8c6a4757e75bef7c01
RemcosRAT
6c8dbcbc22eeb8b7eef89e5ea97813f2be9a6b5635c8e3f1f186a694aa6a0ac2
RemcosRAT
7d86068523fe035aec83fcb57be4edc0bdca3000fa6046fb66ef246b20e15601
RemcosRAT
95bf56d45ed29648838e732b3ab2ba8f968b53d9b9fd7f6155498c958f09bf14
RemcosRAT
9ea26ea3cf4034580c0c02f1ce4627887fd5a68e069a2c4189c8f253b5919842
RemcosRAT
b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee
RemcosRAT
b712c36526719c3be98efe901fdb86a7cc7c3a325167daaba4c4fd6a34c14d92
RemcosRAT
+ 1'873 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/220530-d62k7acfd5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
206.123.140.83:5888
Unpacked files
SH256 hash:
840be1d54ac08fdec3556b93ff92af7e2f6d7c909a7606c59c5ac777670e2742
MD5 hash:
cc4a8210cb3e6146e928003944c15fbf
SHA1 hash:
e218e2b2a8c8e204c19d6cc6aec987b87544d566
Link:
https://www.unpac.me/results/a7d250b7-ee1c-44d2-a1ab-868a936b558d/
SH256 hash:
2e39686a0d6d350648e56f090fdbfbd587f5108f59117abdfb0ab72ea829bbce
MD5 hash:
96754c0fc2f993fc34a316cc61f3327e
SHA1 hash:
dcfe5044b6f64446eb75581b7efb2f493fcb41a4
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a7d250b7-ee1c-44d2-a1ab-868a936b558d/
Parent samples :
0a7f119fdf79b8cc120a81521e6e3477ac4b7743fe96b5b4a91be6072c0c6782
fce87d9ca3e073fa6fbbdde7032b4fd4a161e430a774ec550155d9836ad99d10
0b8ce3d491814d2e36d1f10e2deafca89470c738f3aabd8c6a4757e75bef7c01
90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130
73ae45663ab13f813d5cbb751847c03c0dfd23cfa76df3c25e5aca2ff53b75dc
SH256 hash:
ae2204fb5dee97a19cabcf451b4ec698e44a6fb8f4cf22768dde83e4311ec085
MD5 hash:
af59ca542a1a30eb8a375fecefc6c58d
SHA1 hash:
462cf8e7f8e54200b8d830231de72a3872f66b49
Link:
https://www.unpac.me/results/a7d250b7-ee1c-44d2-a1ab-868a936b558d/
SH256 hash:
02ab0f2fe7d2f7e47f8b568e370531421cd2fb8e01076095ee6774a77614942b
MD5 hash:
665d50ca6fb04a918c2878e34cb69ba9
SHA1 hash:
058eb2a1ee330e66bbcb1312937cf8be804ccf46
Link:
https://www.unpac.me/results/a7d250b7-ee1c-44d2-a1ab-868a936b558d/
SH256 hash:
90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130
MD5 hash:
4d9cb569deae054e224c9cca595d9b15
SHA1 hash:
32b174392689fa0703101a15b2441cd2b0f2ac1a
Link:
https://www.unpac.me/results/a7d250b7-ee1c-44d2-a1ab-868a936b558d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 90ef44111017156274f220ddb1372dd3269bdf3e6c50a82fe94bfdb533186130

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/275303/

Comments