MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9
SHA3-384 hash:	289bf2cff588ca9bf7aaaaa081314931881bc04ba8ec569f1832b3968c437297cca5593b8c2833d13d816319cbd936d6
SHA1 hash:	5f390ab63a23dcd12ae36646a873987ecde576ef
MD5 hash:	b2fe2833b916d968ac2bf08e955e0ceb
humanhash:	emma-connecticut-zulu-robert
File name:	qoute_pdf.com.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'535'414 bytes
First seen:	2023-10-26 13:18:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep	24576:1Mmsez9ybZSzQkmJMG7erO+VGxWCQ2VScaOyA2GOxtefI7CC4Q9L7YR011f5OpA9:1MmYLdor+xQvJzAWeg94mBSgZGaD
Threatray	3'079 similar samples on MalwareBazaar
TLSH	T1DB652340B1E8C1E3E5764AB2EC939BF218E5FC1CD096499F37693F19B871382142FA56
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8703354f2da67171 (1 x RemcosRAT)
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

1

# of downloads :

361

Origin country :

US

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456547/

Detection(s):

SecuriteInfo.com.Win32.SuspectCrc.14701.20582.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Searching for the window

Launching a process

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/653a674772356e4f29e766b9/reports/e0781dc2-413a-4d02-b2ad-215a7c8984a1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e17d73fb-d2ce-4721-96cd-2322472cc37a

Score:

99%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wm7rimairlj4o6qcunwua64jfczn72p7wa5gyyxehbc6bbusn24q._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

045b514767dbbe5c411284ea83b2d47b62b1f7a258f866871bfebc14667ef5e6

4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6d

512e4f1783f9dd5aae8e6a8fa3489845481041884984b3f30f59e95de7ffe0cf

691b3081c37299b525225363c19e0bbd9610295740f6b8efefba801730613432

868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a

a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80

bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f

cd9ccf3f16c2d3733cfa52a60c6364ac7219cf79eab6f956ce4726adc2ac53a4

d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda

+ 3'069 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/231026-qkhbmsdf72/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

45.95.169.140:2404

Unpacked files

SH256 hash:

b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9

MD5 hash:

b2fe2833b916d968ac2bf08e955e0ceb

SHA1 hash:

5f390ab63a23dcd12ae36646a873987ecde576ef

Link:

https://www.unpac.me/results/6b190f8f-28be-40e6-ae2c-be3fc289a671/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b33f1430088a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b33f1430088ad3c77a02a36d407b8928b2dfe9ffb03a6c62e43845e086926eb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/456547/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample