MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c
SHA3-384 hash: 3c54111748a98149696e6c33ad73b3834f5ef2fe85ee12c624d379c287d05b8ff4a942d4920d5e79bf0c80cb361d96fa
SHA1 hash: addc939a067d02b2fe541a3a3116675e1295f698
MD5 hash: 0cf0d018debfce1695e34759289e31db
humanhash: autumn-orange-carolina-quiet
File name:0cf0d018debfce1695e34759289e31db
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'128'960 bytes
First seen:2023-05-22 00:54:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:oS8hue/3H1xrIqn1F50eqdnO32TF2EqViwr7znqm0QIZZAEJXZ7PU45/Hr7scMFO:oBxrIsPPY3F5qokXnqFrJXdPD/Xqm2
Threatray 1'926 similar samples on MalwareBazaar
TLSH T17335D02062AC9F1AE03A93F94091D5B047F95EAA647FD7478ED2BCCB3A65F110A51F03
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
0cf0d018debfce1695e34759289e31db
Verdict:
Malicious activity
Analysis date:
2023-05-22 00:57:33 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/fbe0d6a2-b2fc-4eca-851a-6ed0334da5e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67107485.32075.18367.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646abd6853a4e6f066cd0481/reports/b6e7c549-2d43-4df2-ac2a-bec3fc068434/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/faadf52a-e76c-4fa2-b4b4-dd524d038604
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1239115
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 872106 Sample: RQc5gsNYCh.exe Startdate: 22/05/2023 Architecture: WINDOWS Score: 100 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 5 other signatures 2->58 8 RQc5gsNYCh.exe 3 2->8         started        12 remcos.exe 2 2->12         started        14 remcos.exe 2 2->14         started        16 remcos.exe 2 2->16         started        process3 file4 42 C:\Users\user\AppData\...\RQc5gsNYCh.exe.log, ASCII 8->42 dropped 60 Contains functionality to bypass UAC (CMSTPLUA) 8->60 62 Contains functionalty to change the wallpaper 8->62 64 Contains functionality to steal Chrome passwords or cookies 8->64 68 3 other signatures 8->68 18 RQc5gsNYCh.exe 2 4 8->18         started        66 Injects a PE file into a foreign processes 12->66 21 remcos.exe 12->21         started        23 remcos.exe 12->23         started        25 remcos.exe 14->25         started        27 remcos.exe 16->27         started        signatures5 process6 file7 38 C:\ProgramData\Remcos\remcos.exe, PE32 18->38 dropped 40 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 18->40 dropped 29 remcos.exe 3 18->29         started        process8 signatures9 70 Multi AV Scanner detection for dropped file 29->70 72 Machine Learning detection for dropped file 29->72 32 remcos.exe 3 16 29->32         started        36 remcos.exe 29->36         started        process10 dnsIp11 44 45.81.243.246, 2022, 49698 LVLT-10753US Germany 32->44 46 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 32->46 48 192.168.2.1 unknown unknown 32->48 50 Installs a global keyboard hook 32->50 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c/
Threat name:
ByteCode-MSIL.Trojan.StormKitty
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 19:53:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdukozehuwar4hoyk5garkfwnxbzkbqeibc7zdezjzoq4uz2my6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
RemcosRAT
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
RemcosRAT
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
RemcosRAT
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
RemcosRAT
4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864
RemcosRAT
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
RemcosRAT
52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3
RemcosRAT
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
RemcosRAT
d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0
RemcosRAT
+ 1'916 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/230522-a9r95sdb73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
45.81.243.246:2022
Unpacked files
SH256 hash:
cde5261bdad87500463ac8253a7b1d58be96c0f9ba9ef87013f2a35c608eba7e
MD5 hash:
c4bc6b9861f6eab38d6f59df4b2ebd34
SHA1 hash:
f8b3c1279a48c7ac2b910b7d998f0e191697779a
Link:
https://www.unpac.me/results/d8511065-5b3c-4738-a7bd-c1409e16bf0f/
SH256 hash:
85634c7d54b5570314aacb79770adb0a9c04171355a226fee6d1c91429f759e0
MD5 hash:
e8bc090f9e212f747be25e1687c278c9
SHA1 hash:
e9786c57ecdbd2d27cd2cf87505f3b0a7b7ea225
Link:
https://www.unpac.me/results/d8511065-5b3c-4738-a7bd-c1409e16bf0f/
SH256 hash:
fff746174928c35449076985da6826cb36940c9f218aa076516b27d44b504a07
MD5 hash:
f3f8e1d1a7940adfe79f9937d3205d70
SHA1 hash:
c663d43f2e59a67048f17f525769d16701455565
Link:
https://www.unpac.me/results/d8511065-5b3c-4738-a7bd-c1409e16bf0f/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/d8511065-5b3c-4738-a7bd-c1409e16bf0f/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
48df2b04646d261d10644b725f4867d7913e3294ddf4e141904f5b2b527a0b8d
MD5 hash:
fa2931302c8cc7679a7357d8a78ea9e7
SHA1 hash:
6d33ae716c6991019ab16e61c8b650d2056192b0
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d8511065-5b3c-4738-a7bd-c1409e16bf0f/
Parent samples :
b795277d105f23e54cff675b26437ccfa26dd597aa6475978e472843cf994e5c
98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c
9f1ee6916ffb1de887fd7f8e9a6c6a23cf588d6498db31e35182bfd5f94fd62a
SH256 hash:
98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c
MD5 hash:
0cf0d018debfce1695e34759289e31db
SHA1 hash:
addc939a067d02b2fe541a3a3116675e1295f698
Link:
https://www.unpac.me/results/d8511065-5b3c-4738-a7bd-c1409e16bf0f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98e8a76487a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2638378/

Comments


Avatar
zbet commented on 2023-05-22 00:54:33 UTC

url : hxxp://194.180.48.59/jawazx.exe