MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de
SHA3-384 hash: d2b122d5e18749cb99e2e236b6729428ae4814155f99dd7b3b6bd3b87220dec6b897e4dfacf10a1843d75992cc68d991
SHA1 hash: b369c1f326858a45d543d960e7057e299b137036
MD5 hash: ccb3a0a2e42b06dacd986aba41c5f3f8
humanhash: edward-solar-nineteen-chicken
File name:REV-New Order 20240717.pif
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:6'656 bytes
First seen:2024-07-17 15:18:11 UTC
Last seen:2024-07-24 19:04:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 96:jPuKYsNLs7ussm0k47ZAvwlwZohj20lMDf8MWnogtdnzNt:jhWx3SowSZoNTWD0MWn/T
Threatray 3'795 similar samples on MalwareBazaar
TLSH T131D1D615A3E84337C9760B39ACB2A7805378E760EE57CF5E30C8558EAD52B4807A2B60
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
403
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.32737.5891.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6697e0e6936dc865ddc74ec1
Tags:
Stealth Heur
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/6697e0eba59c11b474e9278d/reports/e264e2d0-b710-4364-992c-3654589f4c9d/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/109c8736-0492-43de-b6ac-1a439cfea052
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1475175
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1475175 Sample: REV-New Order 20240717.pif.exe Startdate: 17/07/2024 Architecture: WINDOWS Score: 100 68 remremc.duckdns.org 2->68 70 windows.standard.us-east-1.oortech.com 2->70 72 geoplugin.net 2->72 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 84 12 other signatures 2->84 8 REV-New Order 20240717.pif.exe 16 8 2->8         started        13 cssrssx.exe 14 5 2->13         started        15 cssrssx.exe 6 2->15         started        signatures3 82 Uses dynamic DNS services 68->82 process4 dnsIp5 74 windows.standard.us-east-1.oortech.com 170.106.47.94, 443, 49710, 49720 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 8->74 58 C:\Users\user\AppData\Roaming\cssrssx.exe, PE32 8->58 dropped 60 C:\Users\user\...\cssrssx.exe:Zone.Identifier, ASCII 8->60 dropped 62 C:\...\REV-New Order 20240717.pif.exe.log, ASCII 8->62 dropped 92 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->92 17 REV-New Order 20240717.pif.exe 3 16 8->17         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        94 Multi AV Scanner detection for dropped file 13->94 96 Machine Learning detection for dropped file 13->96 26 cssrssx.exe 13->26         started        28 cmd.exe 13->28         started        30 cmd.exe 13->30         started        98 Injects a PE file into a foreign processes 15->98 32 cmd.exe 15->32         started        34 cmd.exe 15->34         started        36 cssrssx.exe 15->36         started        file6 signatures7 process8 dnsIp9 64 remremc.duckdns.org 193.187.91.124, 49718, 57155 OBE-EUROPEObenetworkEuropeSE Sweden 17->64 66 geoplugin.net 178.237.33.50, 49719, 80 ATOM86-ASATOM86NL Netherlands 17->66 56 C:\ProgramData\remcos\logs.dat, data 17->56 dropped 86 Detected Remcos RAT 17->86 88 Installs a global keyboard hook 17->88 90 Uses ipconfig to lookup or modify the Windows network settings 22->90 38 conhost.exe 22->38         started        40 ipconfig.exe 1 22->40         started        42 conhost.exe 24->42         started        44 ipconfig.exe 1 24->44         started        48 2 other processes 28->48 50 2 other processes 30->50 52 2 other processes 32->52 54 2 other processes 34->54 46 WerFault.exe 36->46         started        file10 signatures11 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-07-17 02:55:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=shyejtqzt7nyzpwow4sy4nizr3nujqmbu5pcreutsbn5yytym3pa._file
Verdict:
malicious
Similar samples:
20b53c31facf80b9f3440c6792c77b21c95f7089e2e6895cb35e168440409929
RemcosRAT
221e7f2bf537ab5210e9dd309ac922c988eb6121a67e0a8e063a677f38619a02
RemcosRAT
4ec050b4dfd931ed6d30256b3ed1d042f313860da23e7ca064aaf95ad83e257e
RemcosRAT
54a87ca5534f4901947f6eb2a6af5093832de272cfe6b498972676d1fae6ade0
RemcosRAT
697444c2cb0a7bd6fde35bd250870e7a9aa4a2b49beb0ff2c795f8c507bb5c15
RemcosRAT
e79e83851d7a1d359a9c2aa4a8ad42790a7d4671d2fa832c908c4ec2374319b9
RemcosRAT
+ 3'785 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:yenom persistence rat
Link:
https://tria.ge/reports/240717-sp6k5szcqc/
Behaviour
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
remremc.duckdns.org:57155
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e35d02e9-49ba-4b06-93c5-8bdea50b9362
Unpacked files
SH256 hash:
91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de
MD5 hash:
ccb3a0a2e42b06dacd986aba41c5f3f8
SHA1 hash:
b369c1f326858a45d543d960e7057e299b137036
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/705e815f-f40b-4654-bbe2-76b06694049e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91f044ce199f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 91f044ce199fdb8cbeceb7258e35198edb44c181a75e289293905bdc627866de

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments