MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7
SHA3-384 hash: 0c08cbd4869abcd185913088d288ebf71f27dd5b965a8a014daa8dd115b6039ea9800cd3e2f4e77993f07992a56036ea
SHA1 hash: 4ab5de3c9df69b32bdb2c7b39fa36ab5f14ec97a
MD5 hash: 3cd5112e9d9cd2bc8ed794401cc271e9
humanhash: early-harry-eight-bulldog
File name:solicitud de presupuesto 29-11-2022.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:128'000 bytes
First seen:2022-11-29 12:25:38 UTC
Last seen:2022-12-05 21:17:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:FXVlyB2mzz5plxj6gpf6m4JE/9F6i8x6YEDHBDF1aOHCmvRwv+SfF1FVj:BVlyB2srxWxwF6iNDHzJwv+k1FVj
Threatray 3'466 similar samples on MalwareBazaar
TLSH T16FC384E235218286FDFB9EF22E8E5470E1F139BCC4C9561DB4E55B2C86E2354109F1AE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 939392b28f9ede86 (1 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
207
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
solicitud de presupuesto 29-11-2022.exe
Verdict:
Suspicious activity
Analysis date:
2022-11-29 12:26:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ce0457b-6a48-418b-a7fc-36f17841b017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339732/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.20253.20642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6385fa5d5be128ac718f96b1/reports/ea80fa6c-3148-473a-8908-75f4a72ccd5f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/37c02873-c98c-4028-a267-9e84f2e43ac6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123273
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 755997 Sample: solicitud de presupuesto 29... Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 56 transfer.sh 2->56 62 Multi AV Scanner detection for domain / URL 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 68 8 other signatures 2->68 8 solicitud de presupuesto 29-11-2022.exe 16 7 2->8         started        13 Qjscytuqaqq.exe 2 2->13         started        15 Qjscytuqaqq.exe 2->15         started        signatures3 process4 dnsIp5 58 transfer.sh 144.76.136.153, 443, 49699, 49703 HETZNER-ASDE Germany 8->58 46 C:\Users\user\AppData\...\Qjscytuqaqq.exe, PE32 8->46 dropped 48 C:\Users\...\Qjscytuqaqq.exe:Zone.Identifier, ASCII 8->48 dropped 50 solicitud de presu... 29-11-2022.exe.log, ASCII 8->50 dropped 70 Encrypted powershell cmdline option found 8->70 72 Writes to foreign memory regions 8->72 74 Injects a PE file into a foreign processes 8->74 17 aspnet_compiler.exe 2 14 8->17         started        21 powershell.exe 16 8->21         started        23 powershell.exe 13 8->23         started        76 Multi AV Scanner detection for dropped file 13->76 78 Machine Learning detection for dropped file 13->78 25 powershell.exe 13->25         started        27 powershell.exe 15->27         started        file6 signatures7 process8 dnsIp9 52 obologs.work.gd 194.5.98.244, 4044, 49700, 49701 DANILENKODE Netherlands 17->52 54 geoplugin.net 178.237.33.50, 49702, 80 ATOM86-ASATOM86NL Netherlands 17->54 60 Maps a DLL or memory area into another process 17->60 29 aspnet_compiler.exe 1 17->29         started        32 aspnet_compiler.exe 17->32         started        34 aspnet_compiler.exe 17->34         started        44 12 other processes 17->44 36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        signatures10 process11 signatures12 80 Tries to steal Instant Messenger accounts or passwords 29->80 82 Tries to steal Mail credentials (via file / registry access) 29->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7/
Threat name:
ByteCode-MSIL.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 11:44:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vf7rqluopwqiks4tfokggutcnzgjjrxrggpknxpvz35iksxzhplq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0cb9ffbc77206540a648b96e790d884f5662c114e831533e1eb31b63157e3953
RemcosRAT
139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787
RemcosRAT
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
RemcosRAT
88729c3c2f0d440cb964a0b14af9f726a961700288ea860cc8db492685ca4546
RemcosRAT
9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c
RemcosRAT
a04d627bf01f18ee5ca0d47dac132c9ae2f12973aa9c54c331170d67967deb7d
RemcosRAT
c8f7124c43eb317024e9e329f6a05b8e278b3c6ac99a2f202406b719dbb815ca
RemcosRAT
f2643b4686b59c10dd7e51a8482f5515f15ab47eb81b6d8674b135c7ea266d24
RemcosRAT
+ 3'456 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221129-pl66qahd74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7
MD5 hash:
3cd5112e9d9cd2bc8ed794401cc271e9
SHA1 hash:
4ab5de3c9df69b32bdb2c7b39fa36ab5f14ec97a
Link:
https://www.unpac.me/results/082a51fc-0afb-4d5b-b5ba-6e0b27c9abc0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a97f182e8e7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/339732/

Comments