MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea
SHA3-384 hash: 83441fb980d98cbcfce3a80be3a955fda3662108ae84bc91fc036a2e392b0f76248bbadb766167dde05556d6816ff364
SHA1 hash: d7aa61db76b5ee256a770f58c5fe574d5972d644
MD5 hash: 2f5ce34b0683480df93c92e322009d22
humanhash: social-hot-oven-equal
File name:Shipping Doc.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'111'040 bytes
First seen:2022-11-09 10:17:58 UTC
Last seen:2022-11-09 11:54:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Z5UDLZf6XLMkrYXEt+Akrl0F/ZDDJm/PNlFmkkPZ:Z5kLZuVUXG+AAiBDDukP
Threatray 4'225 similar samples on MalwareBazaar
TLSH T1BB352335A070C654C55C833E44F0534766F06B0F6A17CA7A4E447EFA5BB23BBA253CAA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 96e8f296ccf2e884 (8 x Formbook, 7 x AgentTesla, 4 x Loki)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/331117/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1654.17117.24306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Forced shutdown of a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636b7e5b83b66bc0f042291b/reports/a8fbdaeb-4a89-4fe2-9a6a-ab7c67eb4641/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6308745f-910c-4711-a34a-9c394862bfc6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109153
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 741831 Sample: Shipping Doc.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 7 other signatures 2->49 7 Shipping Doc.exe 7 2->7         started        11 EPxuSHBdqceXoT.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...PxuSHBdqceXoT.exe, PE32 7->35 dropped 37 C:\...PxuSHBdqceXoT.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp6DE5.tmp, XML 7->39 dropped 41 C:\Users\user\...\Shipping Doc.exe.log, ASCII 7->41 dropped 51 Adds a directory exclusion to Windows Defender 7->51 13 powershell.exe 19 7->13         started        15 schtasks.exe 1 7->15         started        17 vbc.exe 7->17         started        25 4 other processes 7->25 53 Multi AV Scanner detection for dropped file 11->53 55 Machine Learning detection for dropped file 11->55 19 schtasks.exe 1 11->19         started        21 vbc.exe 11->21         started        23 vbc.exe 11->23         started        27 3 other processes 11->27 signatures5 process6 process7 29 conhost.exe 13->29         started        31 conhost.exe 15->31         started        33 conhost.exe 19->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 04:30:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
24 of 40 (60.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xd5op6kzqgt67aribcruehfww545te6lpmslfph5lts3azsrnhva._file
Verdict:
malicious
Similar samples:
02dc48922da470cc737ed9dbb68429e71f54cf03b047258dadef384cc5106ba1
RemcosRAT
43bcf6924cb264def01f9731d1bbe60271bed539004d3c91da09c3015f48bd4f
RemcosRAT
44af542480535de8b9060996210572ca8e7e4873ca4d8537e23dfbca6219fa6b
RemcosRAT
6fdd83ce734c15685ad9e2ef87b2f57825c2bb816bf9182ac123eb5e3613f5d5
RemcosRAT
8a93dabd3dda5548c792f3064979a25a5770e5870a8d9989a0b16b5f2cc56204
RemcosRAT
9f45c62cca089f9452a56fb22a43bc373514ca2bbe6a6618b179090f5e7fa975
RemcosRAT
+ 4'215 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost goldenhost rat
Link:
https://tria.ge/reports/221109-mbyeqafhc9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
185.222.58.57:1960
Unpacked files
SH256 hash:
4a742a34ab245cf279392c38b6d1ff35bf54f1e88c7f042b2e0aac3fa9238283
MD5 hash:
54365bb1a564586966ba21824771522a
SHA1 hash:
ff2a341f2f71f6eda4cc0db0e930d1015cfe75ab
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d26494bf-0f31-48b0-bc11-2cfaeb7e378a/
Parent samples :
b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea
902b8354b83848d9ebffb587eae97814fc98b3a71c16c4b2b97d306cf02148a0
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/d26494bf-0f31-48b0-bc11-2cfaeb7e378a/
SH256 hash:
393c22b5156cb374f4be9813caffe069f95628740973389e2e7288033577c553
MD5 hash:
5f6275a41a6f9063089aa7ff82b7c583
SHA1 hash:
4789f764378cddc7dcd7558ebc6a130eef99d7b6
Link:
https://www.unpac.me/results/d26494bf-0f31-48b0-bc11-2cfaeb7e378a/
SH256 hash:
92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90
MD5 hash:
046e97119545e5abde2f40b5dc3a0344
SHA1 hash:
3e69b67ddff2554c8cd72e129d4da9c8acd9d331
Link:
https://www.unpac.me/results/d26494bf-0f31-48b0-bc11-2cfaeb7e378a/
SH256 hash:
62dfcad25302484456419eed8bcf576c5ea56dc91b7745f83b653d8b10fedde6
MD5 hash:
f38b7ba756fa89833c88a45c08c67661
SHA1 hash:
31f72e4f643a0683598dd12ea1bcde9166ef0e8d
Link:
https://www.unpac.me/results/d26494bf-0f31-48b0-bc11-2cfaeb7e378a/
SH256 hash:
b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea
MD5 hash:
2f5ce34b0683480df93c92e322009d22
SHA1 hash:
d7aa61db76b5ee256a770f58c5fe574d5972d644
Link:
https://www.unpac.me/results/d26494bf-0f31-48b0-bc11-2cfaeb7e378a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8fae7f95981/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe b8fae7f95981a7ef822808a3421cb6b779d993cb7b24b2bcfd5ce5b0665169ea

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/331117/

Comments