MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc
SHA3-384 hash: 7f15848654f350a888893180935c321b6595e7b3c9b507aa1423d5fa409e8940c398902df5181766679401f21aad26d2
SHA1 hash: 6de58e451707b34166dc132876d4c726dbb85e59
MD5 hash: 6d99c0cd5292f377d7334ad0a90a19f4
humanhash: leopard-wolfram-eighteen-william
File name:Pagamento.UniCredit.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:16'896 bytes
First seen:2024-11-19 11:36:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:F3qy1lV+ZfxqFkyPx6UhTv/d/qI0CgQRHzLbGL3HsOe0U/IkG+grXDunbDeY:v1afxhKzfqtCjVE8Oe9+XDunbDe
Threatray 4'351 similar samples on MalwareBazaar
TLSH T1CD729E41E3B88B37E0FA0BB0A9A313D503B8E7A1D882EF9D5C08410E1D93B444993FE5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon d8d8989898a880b8 (13 x RemcosRAT, 6 x PureCrypter, 3 x AsyncRAT)
Reporter JAMESWT_WT
Tags:exe RemcosRAT Spam-ITA UniCredit windowsssforjunee-duckdns-org

Intelligence

File Origin
# of uploads :
1
# of downloads :
487
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Pagamento.UniCredit.pdf.exe
Verdict:
Malicious activity
Analysis date:
2024-11-19 11:39:09 UTC
Tags:
rat remcos remote evasion purecrypter netreactor
Link:
https://app.any.run/tasks/a375749a-f8e7-4f02-b224-72897ded4674

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.28147.1796.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673c79725107a56eacc7f273
Tags:
underscore autorun remcos
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed packed packer_detected
Link:
https://www.filescan.io/uploads/673c78677a6ae3d44b9f7431/reports/41260ef6-2095-40ed-82e9-bca7e65f8bf7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bc66f90d-95e3-4133-a232-8738c5c1b17c
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1558377
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 11:35:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toi7hdwxvevfwmrdnggfxyf3bwvkciyjqfib7uyg6wzqorbrpo6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
9586ec674a0e4b7558bcb9df6a8bcde244d05658f818aec5eb86328fc9d14ffd
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
a0a124777df35d015c84f61af9a8e4d0dba82120a30fa031b73b885a13d88214
RemcosRAT
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
RemcosRAT
cd5de9645bcf37759921a67c205b215141ac17cc47281a159f2eada11e6f45ca
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
RemcosRAT
error
RemcosRAT
+ 4'341 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery rat
Link:
https://tria.ge/reports/241119-nq5m1svpes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Remcos
Remcos family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
162.251.122.76:7119
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af4b5349-102a-4349-91e8-d9265453b7d9
Unpacked files
SH256 hash:
9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc
MD5 hash:
6d99c0cd5292f377d7334ad0a90a19f4
SHA1 hash:
6de58e451707b34166dc132876d4c726dbb85e59
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/664e33b0-2606-46e1-a4e2-1fa09cc2d408/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9b91f38ed7a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 9b91f38ed7a92a5b3223698c5be0bb0daaa1230981501fd306f5b30744317bbc

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments