MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7
SHA3-384 hash:	1daf2916b4fe1c096c10a3910c043a720ee24357eaa3ee8318d7263042d4789cd79de0be971d7dc45ad36c8a7fb755b7
SHA1 hash:	32db1c49c1b5e29040813856afb775ac27d09f6e
MD5 hash:	3ecb0e9b8b7a4d9ee3f91d9bc41658cf
humanhash:	november-hawaii-fillet-neptune
File name:	DHL Receipt Document AWB 2032675634.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	934'400 bytes
First seen:	2022-08-11 15:05:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:WnQd1P8FujAGuIg3Rnq4NojYBf115opx:WnQde0AFIghnq4NojEX
TLSH	T11E15F02C25F6B10AF561BB7A0CC360A506D5ED34ED1AF02BACD6321602B5AD34B5E737
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	326919326767e73f (1 x RemcosRAT, 1 x DarkCloud)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
91.193.75.131:7446

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.193.75.131:7446	https://threatfox.abuse.ch/ioc/842531/

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

DHL Receipt Document AWB 2032675634.exe

Verdict:

Malicious activity

Analysis date:

2022-08-11 15:08:29 UTC

Tags:

remcos trojan rat

Link:

https://app.any.run/tasks/bfcc8f5e-9fe6-41f5-95bb-244a9b97cbe4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/298010/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

packed

Link:

https://www.filescan.io/uploads/62f51b18810e2831b739631a/reports/2581dba8-9101-409e-b05b-cb685c80e6db/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/90d45e5e-8f7d-459f-bccb-d455db5ebf7a

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1050025

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-08-11 15:06:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wbqebmbdq47ck7r4yxmaggdooffnjxtu7u53gbjakvioltssgp3q._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/220811-sgqvqagfcp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

julygoals.hopto.org:7446

Unpacked files

SH256 hash:

5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6

MD5 hash:

01800f6b045def8d90c649842f56d752

SHA1 hash:

f8434a4636d0772d01aac44bb3f9753a41f01d34

Link:

https://www.unpac.me/results/ff3800c5-9a99-4f40-85e4-86fe80f4764d/

SH256 hash:

1073698e03fe30518f3d22173f097798cf83c03176bec65ef200561677924e3c

MD5 hash:

8ec4dacbdd83e7dcf6bbf9a35cf90481

SHA1 hash:

4ef0dfa55f02cd5c55acbaa266f98a76c02c5955

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/ff3800c5-9a99-4f40-85e4-86fe80f4764d/

SH256 hash:

36b4de5f3627a712dc69ae681ea83b1c69e3d1d1e712686b4aeed34897cb7ba2

MD5 hash:

9214f1e539210006273d572a72da9324

SHA1 hash:

041540f6a8710e3017f85004281b7e6f433bbd86

Link:

https://www.unpac.me/results/ff3800c5-9a99-4f40-85e4-86fe80f4764d/

SH256 hash:

b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7

MD5 hash:

3ecb0e9b8b7a4d9ee3f91d9bc41658cf

SHA1 hash:

32db1c49c1b5e29040813856afb775ac27d09f6e

Link:

https://www.unpac.me/results/ff3800c5-9a99-4f40-85e4-86fe80f4764d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298010/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample