MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
SHA3-384 hash: 25e690fe6a2118727a2cac6291835d9a4bb137f65d2794ed65524c11cb17a9e3bf018f609d5a6e4577426ad36ab8e833
SHA1 hash: ecb70019c807f95741855b7fecfb8d38fd8f2c19
MD5 hash: 94c505176de54f8014133b05bb1c876b
humanhash: nebraska-ack-mobile-tennessee
File name:94c505176de54f8014133b05bb1c876b
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'430'016 bytes
First seen:2022-09-06 15:50:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:JL4LJZWICKQiBCKe7XChkKSyDQe7XLciXyBdCbO4Eh5oJJw4:6LJIIB3yehRDbXvX9bO4Eh5oT
Threatray 2'087 similar samples on MalwareBazaar
TLSH T113658D0B21950954C87241FCA4CCC5774BAADE45E53BC949BFCA9CAFF1A2F2C42D27A1
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10d2c4f0f2d2b030 (10 x Loki, 8 x AgentTesla, 7 x Formbook)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order FG-20220831 for Air & Sea Shipments FOB & CIF.doc
Verdict:
Malicious activity
Analysis date:
2022-09-06 10:55:27 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/12298688-033a-4407-8231-1c6dd51b4cb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308248/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63176c7e2021c816b88fed64/reports/61427d92-b09e-4e8e-bfc0-61a1eab391b8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/210a99f0-d903-484e-9eaa-6290b8bd5367
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065807
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698331 Sample: MTllgEHZWm.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for URL or domain 2->91 93 Antivirus detection for dropped file 2->93 95 7 other signatures 2->95 13 MTllgEHZWm.exe 3 2->13         started        17 sdfge.exe 2 2->17         started        19 sdfge.exe 2->19         started        process3 file4 69 C:\Users\user\AppData\...\MTllgEHZWm.exe.log, ASCII 13->69 dropped 103 Injects a PE file into a foreign processes 13->103 21 MTllgEHZWm.exe 4 4 13->21         started        24 sdfge.exe 17->24         started        26 sdfge.exe 19->26         started        signatures5 process6 file7 63 C:\Users\user\AppData\Roaming\sdfge.exe, PE32 21->63 dropped 65 C:\Users\user\...\sdfge.exe:Zone.Identifier, ASCII 21->65 dropped 67 C:\Users\user\AppData\Local\...\install.vbs, data 21->67 dropped 28 wscript.exe 1 21->28         started        process8 process9 30 cmd.exe 1 28->30         started        process10 32 sdfge.exe 3 30->32         started        35 conhost.exe 30->35         started        signatures11 85 Machine Learning detection for dropped file 32->85 87 Injects a PE file into a foreign processes 32->87 37 sdfge.exe 4 15 32->37         started        process12 dnsIp13 71 76.8.53.133, 1198, 49719 QUONIXNETUS United States 37->71 73 geoplugin.net 178.237.33.50, 49720, 80 ATOM86-ASATOM86NL Netherlands 37->73 97 Writes to foreign memory regions 37->97 99 Maps a DLL or memory area into another process 37->99 101 Installs a global keyboard hook 37->101 41 svchost.exe 37->41         started        43 svchost.exe 37->43         started        signatures14 process15 process16 45 chrome.exe 41->45         started        48 chrome.exe 41->48         started        50 chrome.exe 43->50         started        52 chrome.exe 43->52         started        dnsIp17 81 192.168.2.1 unknown unknown 45->81 83 239.255.255.250 unknown Reserved 45->83 54 chrome.exe 45->54         started        57 chrome.exe 48->57         started        59 chrome.exe 50->59         started        61 chrome.exe 52->61         started        process18 dnsIp19 75 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49737, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 54->75 77 accounts.google.com 142.250.184.237, 443, 49728 GOOGLEUS United States 54->77 79 7 other IPs or domains 54->79
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 02:51:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
19 of 40 (47.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sg54rqhxu27fvca7vmqpjs627ff63ek4byup2pze36srt3eadtwa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
146e9314dabcad733e15ab5e796c53fda2be2b34ea00a0bc03efda9ea674202f
RemcosRAT
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
RemcosRAT
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
RemcosRAT
2d066636d5043a308a989edc747304d9087a60e7a0df3f021ce8b1642466cc52
RemcosRAT
5d6eba999783a02b983236280eb56702dcd5b7df5d8320b5d13209aee3141d8d
RemcosRAT
79591c17fbca50b3698fd0176958e394dd500e7afdd75b5b33cd31095665caa2
RemcosRAT
808b1f23a0d9457d31d5abd083b2b81cc68b0a0d3a87e59e9e6d56d773dbde39
RemcosRAT
94798c0478f2ecebff0e05360bb8c6f4646fa267811d15e9d534c7067225df97
RemcosRAT
b7cc11f42808bc13ea70def8382654e7c9294eb30c42ed29d5eb9f2d7bbf9514
RemcosRAT
edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601
RemcosRAT
+ 2'077 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:peterobi2023 brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/220906-tagh5sfda2/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
76.8.53.133:1198
Unpacked files
SH256 hash:
3c99eed2bfa7b99fa016577e230288d245a0651d3844d0c61cf939f63a8d5eed
MD5 hash:
c47667c67201fe029d93f895e6475811
SHA1 hash:
f580e06aa6217f91641fdc2fa7a81a2ece907354
Link:
https://www.unpac.me/results/d842e54b-f242-44e6-bc63-16fbba007764/
SH256 hash:
8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63
MD5 hash:
dbc7be56e6e32349315170599c8b333f
SHA1 hash:
d8e5840e3574b87d435e55a65ac648e040871aee
Link:
https://www.unpac.me/results/d842e54b-f242-44e6-bc63-16fbba007764/
SH256 hash:
40412ee945049283c82df7f7c27d12d724695e407425c86e771183a24b1936da
MD5 hash:
b550c7a9e0131e920fbacaa82df84f39
SHA1 hash:
b566ff42cf34d741d821a55e0345e04f4a2d1cdd
Link:
https://www.unpac.me/results/d842e54b-f242-44e6-bc63-16fbba007764/
SH256 hash:
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
MD5 hash:
82602aed5a4328fd0f432ac95f05a500
SHA1 hash:
83c7d33c0d034ec89953986d191fe82e5f5ba297
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d842e54b-f242-44e6-bc63-16fbba007764/
Parent samples :
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9
b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/d842e54b-f242-44e6-bc63-16fbba007764/
SH256 hash:
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
MD5 hash:
94c505176de54f8014133b05bb1c876b
SHA1 hash:
ecb70019c807f95741855b7fecfb8d38fd8f2c19
Link:
https://www.unpac.me/results/d842e54b-f242-44e6-bc63-16fbba007764/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91bbc8c0f7a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2260819/
Cape
Cape
https://www.capesandbox.com/analysis/308248/

Comments


Avatar
zbet commented on 2022-09-06 15:50:21 UTC

url : hxxp://208.67.105.179/ikmerozx.exe