MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef
SHA3-384 hash: 05ad18647e1656ee17a187c3cf13ebbf3f6d3780d41e552f589e528ba406088afb939639b117237db073ee0978cec996
SHA1 hash: 08d5e9b10101f376e7e2265b7cdb4a8b2072b791
MD5 hash: 7b95bd97c6282f65eee7eab6097957f4
humanhash: fillet-london-august-michigan
File name:RFQ_NEW ORDER INQUIRY.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:915'456 bytes
First seen:2024-01-30 16:18:34 UTC
Last seen:2024-01-30 18:45:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:0YV6MorX7qzuC3QHO9FQVHPF51jgcEMiIrr88EXSgFmKsa3gnpp1cTF2bsjs0XpS:zBXu9HGaVHRHmS+mY3gnqRI0XMHNd
TLSH T14B1512A311538957C08059BD9275F7EC833C9FB28B2B32C9602A7221D6B1D9B5F9CCE5
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter cocaman
Tags:exe RemcosRAT RFQ

Intelligence

File Origin
# of uploads :
3
# of downloads :
298
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473615/
Detection(s):
SecuriteInfo.com.Trojan.Autoit.F.29079.29593.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin masquerade packed packed packed shell32 upx
Link:
https://www.filescan.io/uploads/65b921803af306d5bedde568/reports/22a9de61-1210-410c-9aee-d2e1a0d10241/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/24eb050f-6279-4450-ab5a-402a09815b59
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383440
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-01-30 13:47:57 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smg6nnzwtj6fw2calmmhh5jrudpukeaxc5rrv7tfdxmkwo565dxq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240130-tshh6aheh3/
Behaviour
Suspicious use of WriteProcessMemory
AutoIT Executable
Drops startup file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
119e1eb6d38ad141db3a7dcb1b2b3d9e6fd39dbcae99ffbe9f9030acf324bb60
MD5 hash:
f461f02fad84537dae39cf155d65c5e1
SHA1 hash:
c232e9e7fe42225bd61f3cc07f9b1d85a5ec4719
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4d7a723d-87e1-4d1d-a02a-92ab2ec62871/
SH256 hash:
38df21b322f9d269a8be28f08919cf0128d6e9e82ce34c566433395195b1f5dc
MD5 hash:
24c031b5f049aef011eaaf99cd0b13e9
SHA1 hash:
7758e211f1a3e97fc4ec29e4bdd51e650e400f69
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/4d7a723d-87e1-4d1d-a02a-92ab2ec62871/
Parent samples :
930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef
710f9dfce220b67f013d898c2243b6a54705c06fbb3d0a34db3eb6b08709b893
c09a27a46df5d4e4320beea5f2538a5a43b6d6a5eb62a9b10bdc4a182f0eb0af
b6423183197258def48955de6122b0c3283f0839f729f80a106aa467c058c4af
SH256 hash:
930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef
MD5 hash:
7b95bd97c6282f65eee7eab6097957f4
SHA1 hash:
08d5e9b10101f376e7e2265b7cdb4a8b2072b791
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/4d7a723d-87e1-4d1d-a02a-92ab2ec62871/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

arj ab98a78665b6c28cd761be1c6b82017c3e0747285f272956397661383013e7e0

RemcosRAT

Executable exe 930de6b7369a7c5b68405b1873f531a0df45101717631afe651dd8ab3bbee8ef

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ab98a78665b6c28cd761be1c6b82017c3e0747285f272956397661383013e7e0
Cape
Cape
https://www.capesandbox.com/analysis/473615/
  
Dropped by
MD5 3644e9886531420d6480a2afb09f420b

Comments