MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68
SHA3-384 hash:	f88da4d34cd891bf670f1444cc370d275b95474c39c4b32c4580932b821c8ef2670deecb9c7307cef4a05e8526bc9c55
SHA1 hash:	4d872407e5faa0c9775e4e4eab0ffc0666737620
MD5 hash:	d869753a66ee591e671900d0f51dfd8e
humanhash:	oregon-apart-orange-bulldog
File name:	TNT Original Invoice.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'060'864 bytes
First seen:	2023-09-21 06:11:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:8qEWG+5HGnqqzGPZ7foZhdEIwwxM1If+gXiVIfRw5:bvGEGdGhrtwk0HXrZw5
Threatray	2'598 similar samples on MalwareBazaar
TLSH	T138350275EAAECDAAD83D243C6020559009B2DFC70703F7C8645EBC79DC35742AA949BB
TrID	66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter	abuse_ch
Tags:	exe RemcosRAT TNT

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

TNT Original Invoice.exe

Verdict:

Malicious activity

Analysis date:

2023-09-21 06:21:40 UTC

Tags:

rat remcos remote keylogger

Link:

https://app.any.run/tasks/97b3f736-73e0-4df2-a171-b4a3609c45bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450250/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.13559.25497.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Restart of the analyzed sample

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger masquerade packed remcos

Link:

https://www.filescan.io/uploads/650bdeb3988a26b6d96f41f8/reports/cef58477-fc5a-44fc-ba0a-6f36f20fc2f8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7f075b39-650c-4f61-9d6c-fec311865bc5

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1312036

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-09-21 04:56:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sf2v2gdtwbz3m6m3h23flzuyi7ai6sutffr2fw5gboyyfftrbjua._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

53c7d0ae5376a439f008355cdcdd56b12dcad13dab5887b91cfa3bf4236299e4

RemcosRAT

5d7c266d259671e981012277ca6b1096ba64700659a4bd21e89f9e85af3dd53a

RemcosRAT

5f273aebe2382d4bd8848327b27b769977665826be46a21766b77ca7f98f9b96

RemcosRAT

650f2f1215bca8640d5edd8d0a5067d40efd6d6272c55ddf1451e7c177fea406

RemcosRAT

ca3eaa04774a75d793a2e06e566457f10e464d92dd1f193413ad285981773a96

RemcosRAT

cbc31caf32b2849eb3d0b11dd39ed17b7ee4354725f1af91df412daf57104fd0

RemcosRAT

d2b96f81cdc50ac6f192eab0fb6ca508f011f5fd13e69c4d83396ff092cf7ac7

RemcosRAT

f735ffec33b8b8cb2a2d935a1600a6902b95508b5faf5c67f2612548e9773538

RemcosRAT

+ 2'588 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230921-gx6qbsdg7w/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

167.114.189.33:2404

Unpacked files

SH256 hash:

0c65cc63943ef047c4604d51017264cb699337750d110c3b9558c3b6d9b218d0

MD5 hash:

d3dbba0102a129dfd4009d5886d9f11b

SHA1 hash:

8e9a6b10047ba4e99e82a9b09bd79335830e74a6

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/c1ca114a-aeff-4b60-9fd7-a0e447a2ccd0/

Parent samples :

8851e86e484da01c9cc4aafb401df05999ea4d61c128a236ef9d002a13aeda78
41e5e1da54fb730fb90a677edcc8a725d62cbddfdfb7e8d25aa4267de18f7118
4f827733e06b0ec1cb7edf3b3982487e6be429842e0cb09ff7900771ab58e8bb
455b4cd97ab95cd380baa5060f7cc787f917ddf1d03c873519b2394db4fe0302
0c65cc63943ef047c4604d51017264cb699337750d110c3b9558c3b6d9b218d0
ca3eaa04774a75d793a2e06e566457f10e464d92dd1f193413ad285981773a96
bd9df3adf1e6c84fcab2206d63d2f02e3f1ce1b715c09459d21ff47c09cac2f8
91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68
b2fc36f6f4e72e2700737425abab14e4d75a190195c7cd8397cb9ae9761ec34b
9103e2815438759a349705607f3be586c2129551e74cd2a875a04faab7ac43a9
f7838011d80f88b2b618bb27382f58ab8d96b9d6ead76c17ece8b19e2a7403a2
4ff54bc771dc97403996794c50ded1a97b000c3f6eeff64afe3d049735e6bcdc
8be324c37f356ce39300e054d452a5d5aa215449a25f431371aab8585d234d2b
e98b47568deded212c6c6aaf8157929f5db1254a49a5e47c84e36d4d954ff21f
f4c3fd0e00326b94391240d6f460ef2501f5985e6e09d3e2e4728441c91417e2
01d06c356ad0e65c56b677bb9b4ed5172f610fe92bb75612e19f2b36e342190f
1c6b0eb5c224c46a65fb5022852905a1293a148bd97bb81593b813e8ed814ba8
5d8702a242d06cfeb840c8a6fbf8d2bdd3f7e2c58f8c1cc0d74135cc9c1baeb4

SH256 hash:

a8a5fa695501c7d7e1c70dc9c7aa9dbaa98d03c4ded262947811cb883c3afe7d

MD5 hash:

200ab8e098a1e41ca357d3cdcfab4bdf

SHA1 hash:

dc2a6966c9b964286e41d8cc77d57bc5e41ed216

Link:

https://www.unpac.me/results/c1ca114a-aeff-4b60-9fd7-a0e447a2ccd0/

SH256 hash:

f18ede1829f6537e67a2f4e8cdcd767ee6b50b8dab392ecf26c75ac34e1494fb

MD5 hash:

65d61d54ea7665a497fed9699cc9e7e5

SHA1 hash:

8418bb9f902beac21267a1a60ac8431a4179defc

Link:

https://www.unpac.me/results/c1ca114a-aeff-4b60-9fd7-a0e447a2ccd0/

SH256 hash:

aa99a20bde7ebd15515eae3b9e0e2e506603b06fd907c427218b19b91026018e

MD5 hash:

facaa534d630e6350fb3c0ae828a2867

SHA1 hash:

813c3dd427125f5df740811fcc9e98c5ceec3895

Link:

https://www.unpac.me/results/c1ca114a-aeff-4b60-9fd7-a0e447a2ccd0/

SH256 hash:

7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391

MD5 hash:

1622a62bf6805b2dca82a8632eceac71

SHA1 hash:

071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c

Link:

https://www.unpac.me/results/c1ca114a-aeff-4b60-9fd7-a0e447a2ccd0/

SH256 hash:

91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68

MD5 hash:

d869753a66ee591e671900d0f51dfd8e

SHA1 hash:

4d872407e5faa0c9775e4e4eab0ffc0666737620

Link:

https://www.unpac.me/results/c1ca114a-aeff-4b60-9fd7-a0e447a2ccd0/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/91755d1873b0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 91755d1873b073b6799b3eb655e69847c08f4a932963a2dba60bb18296710a68

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/450250/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample