MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
SHA3-384 hash: 645079f58f231be15f8fef2aea3dde069b79478ddf8fa8f4c713bd25446717768427661bee198c92f5d0dd2debea99dd
SHA1 hash: 8fe103e9ba59fe1db84de8f2a877eea6aa0fe1e2
MD5 hash: 6178cf16130ff17872945537f2ab64bb
humanhash: sodium-florida-single-monkey
File name:Payment Copy.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'090'560 bytes
First seen:2023-07-27 06:38:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:mgQreS13xDlFe4nbsf69coR4iBqFLLXUqYP3pK3j8:mgQr7BllFecbB9cobILjTp4
Threatray 2'312 similar samples on MalwareBazaar
TLSH T13635F160E6BACFAED43763F9102052100BB3AE9B5616F3895CCA78EF6534F016644E77
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b0cf4a4c4c4ccfb0 (31 x Formbook, 20 x RemcosRAT, 18 x AgentTesla)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Payment Copy.exe
Verdict:
Malicious activity
Analysis date:
2023-07-27 06:40:02 UTC
Tags:
rat remcos remote keylogger
Link:
https://app.any.run/tasks/35982ba6-6b18-44f6-b286-b373e44a07d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434646/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed remcos
Link:
https://www.filescan.io/uploads/64c211082a568ab215b8bed8/reports/a582f658-481d-42b6-8dd4-7369bd83cb93/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ebd759f-be79-479a-97cc-fd6742d0bc12
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280862
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280862 Sample: Payment_Copy.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 10 other signatures 2->56 7 Payment_Copy.exe 7 2->7         started        11 IRXoLeRa.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\IRXoLeRa.exe, PE32 7->36 dropped 38 C:\Users\...\IRXoLeRa.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpC739.tmp, XML 7->40 dropped 42 C:\Users\user\...\Payment_Copy.exe.log, ASCII 7->42 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 7->58 60 Adds a directory exclusion to Windows Defender 7->60 13 Payment_Copy.exe 3 16 7->13         started        18 powershell.exe 18 7->18         started        20 powershell.exe 19 7->20         started        22 schtasks.exe 1 7->22         started        62 Antivirus detection for dropped file 11->62 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 24 schtasks.exe 11->24         started        26 IRXoLeRa.exe 11->26         started        signatures5 process6 dnsIp7 46 51.75.209.245, 2404, 49711, 49714 OVHFR France 13->46 48 geoplugin.net 178.237.33.50, 49712, 80 ATOM86-ASATOM86NL Netherlands 13->48 44 C:\ProgramData\remcos\logs.dat, data 13->44 dropped 68 Installs a global keyboard hook 13->68 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-27 04:08:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tna6ogkhar257lhwj5bnrwaadwim6rbccp67bym22xgynwlufaia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2d12bedd8d6cee6c6fbee5ccb9d7dd25fc6693d9d6a7a0207104f94b681b55aa
RemcosRAT
2f7236c222fa634974037a2469d83098ee0a9aa28176106fd88f10c5beae35c4
RemcosRAT
34bfed7f2450542d851b696685ed0a43438683a54f1756a947119d7258a4adb1
RemcosRAT
49e4d4f6aaf967b656487d0d3dc27ecf3812b2d454b85339ae9ea79021bbe0d6
RemcosRAT
5e95168687b15de3724b3c8240c0b40cdb61c75b440d11a7fa72c2b247c920ae
RemcosRAT
8a7703a7a13f95e6e58aac075b70bc322355e7f683e04824c17407a1881838cf
RemcosRAT
a1b695b94ceabf5c9f17d0fe34d6242a62e277e4f269b83a0f0a8f26025dcfd2
RemcosRAT
a50ff27364591ebbe3589623d88752369ff33f67df2994f70d79177144376cc5
RemcosRAT
aba16ed8d742b8ebeb80e736ec3ad99e4480eeb977a1aeb3ec124dc7d7b3e546
RemcosRAT
f82c643baf10986a8ad197d2565b7a093aa1eef8b9d4463f4a42d3cc81a45b8f
RemcosRAT
+ 2'302 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230727-hemp6sab52/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
51.75.209.245:2404
Unpacked files
SH256 hash:
59c4c36c090328c7e5d0d05294143d5bcc34befb252f360025b29437158d43d4
MD5 hash:
9e7497b825f478a86584b44260e08004
SHA1 hash:
be364d69bc7f412c7cb09a702fa3afb1875be6a5
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb1ac92e-3e19-4b58-ae5f-c87e073eb842/
Parent samples :
9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
19b06353bd2b915f4fa9b30599477954534bfd37400c511d0868227044163e45
a0ebf0e5b7ddce607d73f58a9a3a676bc9cc4645bb1918c8ded7d287fd2275b9
48fb43de46240bb31eb2e76cf6302d3ba008de77319692a326c0f684b4923a06
4367214e711a4e335c0ad9cf6b186e835b5e34ffcec7468ffa3afdd68dac0403
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/bb1ac92e-3e19-4b58-ae5f-c87e073eb842/
SH256 hash:
514837acc4b9597e00f8ff5bb589905574fc575f24f6ac024fe620a8c58a2a37
MD5 hash:
6f802d0d3422dfe9f29dde80fd74cbb2
SHA1 hash:
0d6756c14131490cdd8fd84412912a75b947ceb9
Link:
https://www.unpac.me/results/bb1ac92e-3e19-4b58-ae5f-c87e073eb842/
SH256 hash:
a0b9aabe376fa88cd49144e9aa1cf8d915f5191f61334f72c648fe99c09d810d
MD5 hash:
d086ed782f92de43f8d02a60ad2d1dda
SHA1 hash:
0b4bf2e230c20d868f66f24b8b8fd4c5f67370cb
Link:
https://www.unpac.me/results/bb1ac92e-3e19-4b58-ae5f-c87e073eb842/
SH256 hash:
9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
MD5 hash:
6178cf16130ff17872945537f2ab64bb
SHA1 hash:
8fe103e9ba59fe1db84de8f2a877eea6aa0fe1e2
Link:
https://www.unpac.me/results/bb1ac92e-3e19-4b58-ae5f-c87e073eb842/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9b41e7194704/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/434646/

Comments