MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e
SHA3-384 hash: f1dd011ba43587542a0d1556c9b7e602ebb8713701c3372e39ba1e53ea5abf517fcf64c30b93a5ad64f44cdacb15515f
SHA1 hash: 8cf090125e2b0bc2ffaa241e2cd8d990214575c4
MD5 hash: f0a41fcd7bd687141b949b6f71083f45
humanhash: delaware-double-texas-monkey
File name:Purchase Order No. PO2102559-1.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'249'792 bytes
First seen:2022-10-08 04:29:11 UTC
Last seen:2022-10-10 06:11:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:u1/7eroQwQLdw7s9VkOD4hvcYL4FQjlUZNEg6raC6SBSDZ:udIoQvmaVr4hDcQUZUrDsD
Threatray 3'061 similar samples on MalwareBazaar
TLSH T161458BBA11C54107E8257675D883D1F32AFBAD606161E2CB2AD73F6FBC411BB851338A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317808/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/6340fccb5c60ccc9fcff6b57/reports/67bf29a2-90a9-41b1-9cee-9d9d20e540cc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b1366e0-0cb7-4555-8831-cfbd26ffa367
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086157
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 718714 Sample: Purchase Order No. PO210255... Startdate: 08/10/2022 Architecture: WINDOWS Score: 100 43 geoplugin.net 2->43 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 11 other signatures 2->57 8 Purchase Order No. PO2102559-1.pdf.exe 7 2->8         started        12 LXlSfs.exe 5 2->12         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\LXlSfs.exe, PE32 8->33 dropped 35 C:\Users\user\...\LXlSfs.exe:Zone.Identifier, ASCII 8->35 dropped 37 C:\Users\user\AppData\Local\...\tmpDC38.tmp, XML 8->37 dropped 39 Purchase Order No....02559-1.pdf.exe.log, ASCII 8->39 dropped 59 Adds a directory exclusion to Windows Defender 8->59 14 Purchase Order No. PO2102559-1.pdf.exe 2 16 8->14         started        19 powershell.exe 21 8->19         started        21 schtasks.exe 1 8->21         started        61 Multi AV Scanner detection for dropped file 12->61 63 Machine Learning detection for dropped file 12->63 23 schtasks.exe 1 12->23         started        25 LXlSfs.exe 12->25         started        signatures6 process7 dnsIp8 45 185.136.170.229, 1960, 49702 VELIANET-ASvelianetInternetdiensteGmbHDE United Kingdom 14->45 47 geoplugin.net 178.237.33.50, 49703, 80 ATOM86-ASATOM86NL Netherlands 14->47 41 C:\ProgramData\remcos\logs.dat, data 14->41 dropped 49 Installs a global keyboard hook 14->49 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-07 08:32:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=varzry3zrgmktbltwqsvu7rmljw3op75ojg3yrr6feycnak7ebxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e76cebc404b8a79e2ab806a3e501b9d2f7260ea1d12f804320c1130be205dff6
RemcosRAT
+ 3'051 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost kaptain rat
Link:
https://tria.ge/reports/221008-e4tcgaeah8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
185.136.170.229:1960
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a07b9fc5-5347-4d3a-9a43-4ef2112ca2b7
Unpacked files
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/f7013702-1ec3-4373-89af-6b9d221d7d97/
SH256 hash:
9a2e448055eb88b824442ad8d1d6506ce9be2dad3a2d519b89cd11c28f93731f
MD5 hash:
69838bfbfdc85f19c6d7d69fc6855912
SHA1 hash:
d2c3e89b3f705d8e04d5880260945d9d18ddab54
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f7013702-1ec3-4373-89af-6b9d221d7d97/
Parent samples :
a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e
cf85ece20b01cf286079c455bf6cf3dc6a2fce9386641f4458edf2bdc7bbf65a
f5faaf973c1d19ec62c271762f887d0a419e5d17ffc8a385e13728867aa1620a
02232dd152bdb1747266d1e0970e37b243dcf2c75abedcab3ded8e04ee2868f0
SH256 hash:
a714f717b5bc1f669881d825e86e3e2891989bb056fd410b7512c6bec4e7a50d
MD5 hash:
6729d0a648af9066c18ad84db76b66e7
SHA1 hash:
c1f9958f6921e8c464a2d2e8a9eb47fabe5cd008
Link:
https://www.unpac.me/results/f7013702-1ec3-4373-89af-6b9d221d7d97/
SH256 hash:
a4f675cdfdeb0d93bfc3c922d8f4a39084a70ec66b2dec0952bae7e936de8e5e
MD5 hash:
53541d7fdb08ffde7932d0fd38e6f812
SHA1 hash:
42750fecafd3649415fb167f09a406d58725cc96
Link:
https://www.unpac.me/results/f7013702-1ec3-4373-89af-6b9d221d7d97/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/f7013702-1ec3-4373-89af-6b9d221d7d97/
SH256 hash:
a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e
MD5 hash:
f0a41fcd7bd687141b949b6f71083f45
SHA1 hash:
8cf090125e2b0bc2ffaa241e2cd8d990214575c4
Link:
https://www.unpac.me/results/f7013702-1ec3-4373-89af-6b9d221d7d97/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a82398e37989/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe a82398e3798998a98573b4255a7e2c5a6db73ffd724dbc463e293026815f206e

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/317808/

Comments