MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8
SHA3-384 hash: 547e470f44f45817c0f8d2df77f080cfffec68bf8513295f444be8f216b06ceb2e63f21f72162713ba314d59c55bc69d
SHA1 hash: 967ed28f6fe35de046b678bda593efd1fefb92e6
MD5 hash: 05492ba0dd021b81e573bcaf60a78faa
humanhash: football-iowa-oven-india
File name:HB23090003.EXE
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:81'408 bytes
First seen:2023-09-01 12:32:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:oNqFIZsnSJ/y3VbGBv4jMZ5LGKqn3LvMM/vnwhxgY3H6K+i3:2sSJ/cCuwqTnwbgYX6Q
Threatray 2'521 similar samples on MalwareBazaar
TLSH T1CE83F83BBA1A85B2C644177ACB97600403E7D781B293D70E398ED35E58033FA99CD52B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
HB23090003.EXE
Verdict:
Malicious activity
Analysis date:
2023-09-01 12:34:41 UTC
Tags:
rat remcos remote keylogger
Link:
https://app.any.run/tasks/a88f788b-04b0-49f2-a9ae-59d03c58298b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445606/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.18126.29297.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware masquerade packed remcos
Link:
https://www.filescan.io/uploads/64f1d9ffe52937d43d9fec0b/reports/9d0b2781-4153-466c-a472-138d94cdc312/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1f0db0a4-de4d-474d-ae91-675eece01734
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301593
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1301593 Sample: HB23090003.EXE.exe Startdate: 01/09/2023 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 8 other signatures 2->46 6 HB23090003.EXE.exe 16 5 2->6         started        11 Awpdfgswmhd.exe 14 5 2->11         started        13 Awpdfgswmhd.exe 4 2->13         started        process3 dnsIp4 30 files.catbox.moe 108.181.20.35, 443, 49725, 49736 ASN852CA Canada 6->30 28 C:\Users\user\AppData\...\Awpdfgswmhd.exe, PE32 6->28 dropped 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 6->48 50 Writes to foreign memory regions 6->50 52 Injects a PE file into a foreign processes 6->52 15 MSBuild.exe 3 16 6->15         started        32 192.168.2.1 unknown unknown 11->32 54 Antivirus detection for dropped file 11->54 56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 20 MSBuild.exe 11->20         started        22 MSBuild.exe 13->22         started        24 MSBuild.exe 13->24         started        file5 signatures6 process7 dnsIp8 34 37.139.129.251, 2404, 49728 LVLT-10753US Germany 15->34 36 geoplugin.net 178.237.33.50, 49729, 80 ATOM86-ASATOM86NL Netherlands 15->36 26 C:\ProgramData\remcos\logs.dat, data 15->26 dropped 38 Installs a global keyboard hook 15->38 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2023-09-01 12:32:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tp2v3dz3rexgxbyg5rjg5ksrzsfbu4t3iv2zjfhc4oejpgsxbc4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a1d374fc74a19fafd920caee9a08e1a999e633d098b8ed02aebf7ad9a66281a
RemcosRAT
3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df
RemcosRAT
50360abbc508d169cda7d1a79ad2032827b553f0b9ed82c7b1609d074c20a112
RemcosRAT
5e95168687b15de3724b3c8240c0b40cdb61c75b440d11a7fa72c2b247c920ae
RemcosRAT
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
RemcosRAT
6d69abf704c0ac0c71d7d35cc0eaa5b0ba230b7538ee159ad415b06798143c33
RemcosRAT
8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5
RemcosRAT
b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
RemcosRAT
d31044022de445b61ba735083a47c5fd1f4d5c8dfcf544da489572ce3fafdc79
RemcosRAT
e029bc85866faf62332458961316cf1561c335b06076936f9e1ae87cbc0a868e
RemcosRAT
+ 2'511 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:working persistence rat
Link:
https://tria.ge/reports/230901-pq62hsef8w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
37.139.129.251:2404
Unpacked files
SH256 hash:
9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8
MD5 hash:
05492ba0dd021b81e573bcaf60a78faa
SHA1 hash:
967ed28f6fe35de046b678bda593efd1fefb92e6
Link:
https://www.unpac.me/results/bc477467-f79e-44b1-bf4b-7cc2340cb4c1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bf55d8f3b89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 0c6fe2c0d46a37a9bfcad2e6716351ad62497bf91484be42f7928a539de29c42

RemcosRAT

Executable exe 9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0c6fe2c0d46a37a9bfcad2e6716351ad62497bf91484be42f7928a539de29c42
Cape
Cape
https://www.capesandbox.com/analysis/445606/
  
Dropped by
MD5 99e699809de0ea723d5f3ad3aeb81f13

Comments