MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8da12e68ed8f20c9e15ce149a302c9320e78672fd22ffb5fbba9cd89b3d55ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 18



SHA256 hash: b8da12e68ed8f20c9e15ce149a302c9320e78672fd22ffb5fbba9cd89b3d55ea
SHA3-384 hash: 809a2910e35026418b00153e1c6d77772099df0a56cdacd0bb89fc61aa1ba9e946c7df2cc8c5336830109d27dbfe5f10
SHA1 hash: 823990aabc34510175f87047929c9d92e765ba45
MD5 hash: 5b262eda9652c97fdccca1d4c143eb7f
humanhash: emma-fillet-oranges-burger
File name: PO_142023 December final order.scr
Signature: RemcosRAT
File size: 2'182'880 bytes
First seen: 2023-12-14 07:23:53 UTC
Last seen: 2023-12-14 09:23:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 49152:z+Iw8Mgqq0ItbmpUFa0WpOhlRciK7xwRCvKGU/udzKDFZ:z+MX9CUw0WwhlrpRCvdKDr
Threatray: 21 similar samples on MalwareBazaar
TLSH: T134A5F1008C1256C0E1E2665F5DE1A7530EBF00BB28EAF75A39B35DD628E038794D7F99
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: c4414c46464c41c4 (3 x RemcosRAT, 2 x NanoCore)
Reporter: abuse_ch
Tags: exe RemcosRAT scr signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-14T04:22:43Z
Valid to: 2024-12-14T04:22:43Z
Serial number: b4b545c3d2de0b90e2d85012dabf6889
Thumbprint Algorithm: SHA256
Thumbprint: aa8df59519936c01a246921127b73b6dca1752543fccc407b676378083639816
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 326
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: PO_142023 December final order.scr
Verdict: Malicious activity
Analysis date: 2023-12-14 07:38:08 UTC
Tags: rat remcos remote keylogger stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file
Launching a process
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with benign system names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Remcos
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: ID 1361975; sample PO_142023_December_final_or...; start date 14/12/2023; architecture WINDOWS; score 100. Network destinations shown in the graph: maxlogs.webhop.me (139.84.139.29, port 1645) and geoplugin.net (178.237.33.50, port 80). Files dropped in the graph: C:\Users\user\AppData\Roaming\svchost.exe (PE32) and C:\ProgramData\remc\logs.dat (data). Process chain in the graph: the .scr sample spawns cmd.exe, schtasks.exe and a dropped svchost.exe, which injects into clip.exe; the signatures listed above are attached to the corresponding nodes.
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2023-12-14 05:49:09 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 20 of 37 (54.05%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:rembin collection evasion persistence rat
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
maxlogs.webhop.me:1645
newnex.3utilities.com:5187
Unpacked files
SHA256 hash: b8da12e68ed8f20c9e15ce149a302c9320e78672fd22ffb5fbba9cd89b3d55ea
MD5 hash: 5b262eda9652c97fdccca1d4c143eb7f
SHA1 hash: 823990aabc34510175f87047929c9d92e765ba45
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe b8da12e68ed8f20c9e15ce149a302c9320e78672fd22ffb5fbba9cd89b3d55ea (this sample)

Delivery method: Distributed via e-mail attachment

Comments