MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8
SHA3-384 hash: 078cf5963c5c2a471dfaaf3f1c309ee22abeaff235b4a2aade21df1da1a5c92289ffb05f16fa0fe3a3491846b26dd514
SHA1 hash: 84f5051d520b35f036a4befc7c30df32e92cb8ee
MD5 hash: 5c6c02f3080118030dd73ceb30b9e249
humanhash: fanta-eighteen-apart-spring
File name:MEMQ098789009000.pdf.xz
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:429'882 bytes
First seen:2023-12-12 11:21:18 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:gLQ229cAsL97Ytiktb8G3XE2cT9wLr7VM+QF0YBQV2yVFI6e7h4LvhmYT6N4gmW:g3NzL94Zr0wP/YBQVtI6xvhmYGnmW
TLSH T11694235F1E035C23D3521CF1B6708B9BCEACD9A876647BBB5A51FE8F1431A049A1863C
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:INVOICE QUOTATION RemcosRAT xz zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Muhammet <comercial.rspharma@gmail.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.114]) "
Date: "11 Dec 2023 03:57:36 +0100"
Subject: "Quotation invoice"
Attachment: "MEMQ098789009000.pdf.xz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
CH CH
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:MEMQ098789009000.cmd
File size:443'541 bytes
SHA256 hash: 5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7
MD5 hash: a8866d1129bde5e76d54062999935308
MIME type:application/x-dosexec
Signature RemcosRAT
File name:yrhrmxpett.dhv
File size:258'273 bytes
SHA256 hash: 0d29db7d340aad6e7a08bdf00f001d522bdc8af5ff740151850bb92af6db76c8
MD5 hash: 67caf834c6a2ed78267251636f70dd2c
MIME type:application/octet-stream
Signature RemcosRAT
File name:rriyu.exe
File size:305'152 bytes
SHA256 hash: 78c6bf53430e1e759b0fbaa4ec19f896c8346c8685fc70aa42c41bd54d0e1f80
MD5 hash: 9ed7804f770de113fae310cdaf2be689
MIME type:application/x-dosexec
Signature RemcosRAT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.16137.27345.UNOFFICIAL
Create hunting rule

Porcupine.Malware.43883.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6578425e855eb2633d67b916/reports/de08132d-521e-4018-856f-444a334aff3a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
0%
Verdict:
Benign
File Type:
Archive
Link:
https://malprob.io/report/b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8/
Threat name:
Win32.Trojan.GenShell
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 01:54:28 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xddgv6l3a22gmdgyaaebd6jthpnhxmbs6v3wpqcbpamyecz6xx4a._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection persistence rat spyware stealer upx
Link:
https://tria.ge/reports/231212-r1ar6sgcg7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8

(this sample)

RemcosRAT

Executable exe 5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7
  
Dropping
RemcosRAT
  
Dropping
MD5 a8866d1129bde5e76d54062999935308

Comments