MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
SHA3-384 hash: 662bb5a499b61b082fc6840fd30c53204d5eb90ee6cde18a11537bd831e4969e4867189deb4c8bde823da16ffd483093
SHA1 hash: 7a254851fe3b393be746fdbebd27e1309d7ee9e1
MD5 hash: 9dca4148a5588eab684efc69125bf569
humanhash: november-sink-sixteen-sodium
File name:9dca4148a5588eab684efc69125bf569.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'254'912 bytes
First seen:2022-10-10 14:49:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:iyTQO2iNMJ2u8BvuT/xMDmEL3clzW95PJz9EByCJmy7r53LMO2LUFFvuoGdRR:iQD1v56JMqE7IWRBGlLr57aUFFa
Threatray 3'123 similar samples on MalwareBazaar
TLSH T1B5457ABA11C5411BE8253175D883D5F32AFBAD606062D2CB6AD73F5FBC811BB911338A
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318529/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6344311d0aa036a7dfcdcab7/reports/db3ea44d-9d52-46af-bd7c-b693c2a68631/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5db24fe-e874-4be5-8060-27f523a9d7ab
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086945
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719527 Sample: pXjkT9YCI8.exe Startdate: 10/10/2022 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 8 other signatures 2->84 13 pXjkT9YCI8.exe 3 2->13         started        16 sdfge.exe 2 2->16         started        18 sdfge.exe 2 2->18         started        process3 file4 60 C:\Users\user\AppData\...\pXjkT9YCI8.exe.log, ASCII 13->60 dropped 20 pXjkT9YCI8.exe 4 4 13->20         started        23 pXjkT9YCI8.exe 13->23         started        25 pXjkT9YCI8.exe 13->25         started        27 sdfge.exe 16->27         started        process5 file6 54 C:\Users\user\AppData\Roaming\sdfge.exe, PE32 20->54 dropped 56 C:\Users\user\...\sdfge.exe:Zone.Identifier, ASCII 20->56 dropped 58 C:\Users\user\AppData\Local\...\install.vbs, data 20->58 dropped 29 wscript.exe 1 20->29         started        process7 process8 31 cmd.exe 1 29->31         started        process9 33 sdfge.exe 3 31->33         started        36 conhost.exe 31->36         started        signatures10 74 Multi AV Scanner detection for dropped file 33->74 76 Machine Learning detection for dropped file 33->76 38 sdfge.exe 4 1 33->38         started        process11 dnsIp12 68 76.8.53.133, 1198, 49704, 49705 QUONIXNETUS United States 38->68 86 Writes to foreign memory regions 38->86 88 Maps a DLL or memory area into another process 38->88 90 Installs a global keyboard hook 38->90 42 svchost.exe 38->42         started        signatures13 process14 process15 44 chrome.exe 42->44         started        47 chrome.exe 42->47         started        dnsIp16 70 192.168.2.1 unknown unknown 44->70 72 239.255.255.250 unknown Reserved 44->72 49 chrome.exe 44->49         started        52 chrome.exe 47->52         started        process17 dnsIp18 62 mdec.nelreports.net 49->62 64 part-0032.t-0009.fbs1-t-msedge.net 13.107.219.60, 443, 49726, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 49->64 66 9 other IPs or domains 49->66
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 02:10:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpn6kp7ctge56wj7g5374kl6jbamf4aeyhygtz32rqghtoqqnggq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
3c21819ed32b31c231e20b51b1f956e4160a7b8dbfe7468b096ce64b4b138007
RemcosRAT
47dabe278b8a171986b17e69ac9fac43657c11eb3c2c1523848074e0cfe6a57f
RemcosRAT
89adcb90dcc56d8e5b6cab4fce35a7ea8619ed9d47a5a947aaf4f34cb42c5021
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
RemcosRAT
+ 3'113 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:peterobi2023 brand:microsoft persistence phishing rat
Link:
https://tria.ge/reports/221010-r7kwqacdfn/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
76.8.53.133:1198
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d43f67e1-2268-4bf7-91b8-5491a7332666
Unpacked files
SH256 hash:
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
MD5 hash:
82602aed5a4328fd0f432ac95f05a500
SHA1 hash:
83c7d33c0d034ec89953986d191fe82e5f5ba297
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4ef883c-bc67-4063-b2c5-970f6856c59a/
Parent samples :
91bbc8c0f7a6be5a881fab20f4cbdaf94bed915c0e28fd3f24dfa519ec801cec
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
4774065c2fb27747ef38643fdf9e301b9801250e8edc6518c06c589baffc52c9
b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
SH256 hash:
835f56ddf446072400b799d6e432dabeef9ccfbac5e28717f2df7a17904a8155
MD5 hash:
96599ad0dc389dc1a75e8fcc9758bbcd
SHA1 hash:
0c0d1513c53a9d1b0c46cb431d3d7a834736036b
Link:
https://www.unpac.me/results/b4ef883c-bc67-4063-b2c5-970f6856c59a/
SH256 hash:
01bc78928617077bb44f66d1b08d60fc51b9b169e5a2cf6beebffd9d2c08d18f
MD5 hash:
1718370e90cd425f5b69e7ad352d8623
SHA1 hash:
94e7525b1ba5b09d90bcf4740c190022a17d5322
Link:
https://www.unpac.me/results/b4ef883c-bc67-4063-b2c5-970f6856c59a/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/b4ef883c-bc67-4063-b2c5-970f6856c59a/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/b4ef883c-bc67-4063-b2c5-970f6856c59a/
SH256 hash:
b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d
MD5 hash:
9dca4148a5588eab684efc69125bf569
SHA1 hash:
7a254851fe3b393be746fdbebd27e1309d7ee9e1
Link:
https://www.unpac.me/results/b4ef883c-bc67-4063-b2c5-970f6856c59a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3dbe53fe299/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b3dbe53fe29989df593f3777fe297e4840c2f004c1f069e77a8c0c79ba10698d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/318529/
  
URLhaus
https://urlhaus.abuse.ch/url/2260819/
  
Delivery method
Distributed via web download

Comments