MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
SHA3-384 hash: abd28ee4b2f6ba5ae17081d9094759dd7606bb043fa8c554de2d02c7c58d8baf5842b1a3ee0e53659fce95a2949c660d
SHA1 hash: 7ec2da3bb118a5065e084d3f114ad4dab4ba1f1a
MD5 hash: e33c66f8ac18189660cc9c71e7d544e8
humanhash: georgia-whiskey-arkansas-apart
File name:Invoice011.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:873'472 bytes
First seen:2023-04-14 06:11:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:pIqzHUwgQLh+E6f/t2ZfJYrZtPRinJW4f7:PfgyuscVtPRsJW4f7
Threatray 1'880 similar samples on MalwareBazaar
TLSH T14B052365730C872AE65E87F5645D8A1003338B22B5BBEB4C5D4DB0E39C16B2DA6D0F63
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Invoice011.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 06:16:06 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/98ea0cbc-ebc9-42a5-b752-7883fd295aba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382180/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
86%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6438eeb70c9f1744b585f769/reports/4a82ec82-61b1-4220-8de2-4f3f3d3938ba/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7fcf2da-e07a-4ad9-99db-249bc86d95f3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213670
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 846596 Sample: Invoice011.exe Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 9 other signatures 2->50 7 IqlBbFzvRykz.exe 5 2->7         started        10 Invoice011.exe 7 2->10         started        process3 file4 54 Multi AV Scanner detection for dropped file 7->54 56 Contains functionality to bypass UAC (CMSTPLUA) 7->56 58 Contains functionalty to change the wallpaper 7->58 66 5 other signatures 7->66 13 schtasks.exe 1 7->13         started        15 IqlBbFzvRykz.exe 7->15         started        34 C:\Users\user\AppData\...\IqlBbFzvRykz.exe, PE32 10->34 dropped 36 C:\Users\...\IqlBbFzvRykz.exe:Zone.Identifier, ASCII 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp9DB1.tmp, XML 10->38 dropped 40 C:\Users\user\AppData\...\Invoice011.exe.log, ASCII 10->40 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 10->60 62 Adds a directory exclusion to Windows Defender 10->62 64 Injects a PE file into a foreign processes 10->64 17 Invoice011.exe 3 2 10->17         started        22 powershell.exe 21 10->22         started        24 schtasks.exe 1 10->24         started        signatures5 process6 dnsIp7 26 conhost.exe 13->26         started        42 212.193.30.230, 3366 SPD-NETTR Russian Federation 17->42 32 C:\ProgramData\remcos\logs.dat, data 17->32 dropped 52 Installs a global keyboard hook 17->52 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 06:12:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbgxoxhv32jdj3axrzfjjroelhymn2fnhp74s552ecyrnngz3cha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
10889504234fe600c781aefe6ba0918e2e1d98a777f6e4e03da6d006a06bffb0
RemcosRAT
11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
RemcosRAT
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
RemcosRAT
38455251726a64db957d8e30e6c1dc1ca2b10c35691dadbcf3bf8172babe94e3
RemcosRAT
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
RemcosRAT
5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
RemcosRAT
655260800846128f96bb9bd7e4926711a5b75df01f36ae7dfa5b2197f1105f67
RemcosRAT
74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
RemcosRAT
b19c0bb20a5fe51658666464950c582cef626cdf1f50bf5c775109a0cf2267db
RemcosRAT
cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9
RemcosRAT
+ 1'870 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:host rat
Link:
https://tria.ge/reports/230414-gx7ydsgf24/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
212.193.30.230:3366
Unpacked files
SH256 hash:
c53a1136ea72e25eba623a022a14bfc1c5ceea0fe1a523d53ddee0a86c484018
MD5 hash:
ee2513239eda4855f8c5f5ae1e1cb36c
SHA1 hash:
bf2421f17432439035e55a50b2350904a8a95286
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb66d4e7-f5e6-4a09-8e2b-f0cb541a98b8/
Parent samples :
10889504234fe600c781aefe6ba0918e2e1d98a777f6e4e03da6d006a06bffb0
b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/eb66d4e7-f5e6-4a09-8e2b-f0cb541a98b8/
SH256 hash:
b4ca2bec0c6a53b03317aeae39fc89db425988728ed90bae1142b249a253e819
MD5 hash:
ae4c85deebe210c50f0c584c2e9dcd21
SHA1 hash:
63a40e1aae87c4ece9509f5ef5f19a49ba3de366
Link:
https://www.unpac.me/results/eb66d4e7-f5e6-4a09-8e2b-f0cb541a98b8/
SH256 hash:
07e886121f734cc79022890239578670e31b9967bef1f4043757fcc1543c00c2
MD5 hash:
15c2542a2ab85112ce40afc4241ee071
SHA1 hash:
49ec9c3e83fab4c197ceb653bf64b4c9e734011a
Link:
https://www.unpac.me/results/eb66d4e7-f5e6-4a09-8e2b-f0cb541a98b8/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/eb66d4e7-f5e6-4a09-8e2b-f0cb541a98b8/
SH256 hash:
b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
MD5 hash:
e33c66f8ac18189660cc9c71e7d544e8
SHA1 hash:
7ec2da3bb118a5065e084d3f114ad4dab4ba1f1a
Link:
https://www.unpac.me/results/eb66d4e7-f5e6-4a09-8e2b-f0cb541a98b8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b84d775cf5de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382180/

Comments