MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
SHA3-384 hash: 6872eb9c218263b2e773e34deeec9f274978964eea37d21cc4bd5f5b76ad29d2a3fef4cc8feb963626823e703f5b7b7b
SHA1 hash: 7535e027bbe17595c0d7319d6f92614dab90609c
MD5 hash: ec36ba050f837fc4326c0efaa9835fc7
humanhash: eleven-stream-kitten-lemon
File name:RFQ No. 01.300.TRGVH.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:821'248 bytes
First seen:2022-10-25 12:14:09 UTC
Last seen:2022-10-25 22:22:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:As1itqyShGglrNUYiQlPV8LfoTiKLFVQa88E:PnUJ8moTi8
Threatray 3'138 similar samples on MalwareBazaar
TLSH T1950523AEEBE9862AC2DC177FDA314164D07AA903E767DB5C4888345E0E23BD8D854F50
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8d4c4cccccccc70 (12 x Formbook, 10 x Loki, 9 x AgentTesla)
Reporter cocaman
Tags:exe RemcosRAT RFQ

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
RFQ No. 01.300.TRGVH.exe
Verdict:
Malicious activity
Analysis date:
2022-10-25 12:17:20 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/396acee2-252e-46b1-8b7c-9f647fd39920

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324006/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16137.24193.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e301856-b54e-4e54-b764-06fab3953787
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097529
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 730180 Sample: RFQ No. 01.300.TRGVH.exe Startdate: 25/10/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 9 other signatures 2->54 7 RFQ No. 01.300.TRGVH.exe 7 2->7         started        11 kagBOPJAqcihqc.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\...\kagBOPJAqcihqc.exe, PE32 7->36 dropped 38 C:\...\kagBOPJAqcihqc.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpD864.tmp, XML 7->40 dropped 42 C:\Users\...\RFQ No. 01.300.TRGVH.exe.log, CSV 7->42 dropped 56 Adds a directory exclusion to Windows Defender 7->56 13 RFQ No. 01.300.TRGVH.exe 2 2 7->13         started        18 powershell.exe 19 7->18         started        20 powershell.exe 19 7->20         started        26 2 other processes 7->26 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 schtasks.exe 1 11->22         started        24 kagBOPJAqcihqc.exe 11->24         started        signatures5 process6 dnsIp7 46 51.75.209.245, 2404 OVHFR France 13->46 44 C:\ProgramData\remcos\logs.dat, data 13->44 dropped 62 Installs a global keyboard hook 13->62 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 07:20:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgqmcirl5j6hvehlcepfcao5fsrtkwlgv545xv5esbeyvdz5njma._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
4c26268e01117b5cf41d2f14689452912d708e64af0040ed75a40c94b0a943ea
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
RemcosRAT
+ 3'128 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/221025-pew26scfen/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
51.75.209.245:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/461f610e-d678-4bf4-bf69-ca92505af00f
Unpacked files
SH256 hash:
1459ade80dd19b04b8d0037ce88f8f020b6c9d730e39fca181465355562f4b15
MD5 hash:
2c8b1b939947b35d647eb87373316fcb
SHA1 hash:
ec7b924e02076e3f6f1ba70d6990f7946c661d27
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbe7f4a5-50e3-41f9-9613-b023274db708/
Parent samples :
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b
b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
bdb57463a45449889f971cc8f16abf66f695b00dabf917280ec6e7389916a0a2
f5758ccee5820f19251721999da1f927572f00bc472113638f2fb134d6599b68
8f6954e1834b49a24b8e937ff093f1e534f89691ce805ce2f14553315a18e651
8f2f7e3c4fdafd040879abd0e8fc0bcd7c4055217a4fac63e348ff391da62878
238e7b87bd6d152fce3ae3dbe8ea4a9f3b56c883944cb93695c58fdc20aad6e8
dfca7ce647ee8994cba9317516ce7f58b2b175f815fd5336dbfed34ccad5c4de
6af23878112166b4f2b99b4a7af53cf8c71ee4d0e27eead7eba335832e9449b4
d299c8e1864ae2089e28301ed127b86d92c3aeac935f35822479a018b025da59
f7ac248e39e55ccbf0b79fbfd3bbad23f00dd3e595d6f58166a70dfd82adb951
734e077ffd2beb5e2808ce5bf2d27f03757257d133794acad69bf80bee2e7348
c1cc5ad08f2796e777ab3006a88c3cfa5dc84b0d0bc5f95cb72cb73436220b4c
83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
ff4eaf31a3a0f4f99fd9c71caa01388cd50a9917fc16625d549c470cf23cd68f
fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab
9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
123b988cf46a721c113799db30e360848a05941032871f87d1ea6a12bd8e7f0f
f306fefee8114c023ad5056b16a490a82466e8bbf50296f2ecdac6a75123bd2d
fdc9196c194b31f7b221c487affe3d815775a436b1c26133fa6b1e8a9c252a51
4713512f84ba1fbb43666e1e0c5ef8f02d681c0fef3c469a13759d51018d1f0f
aa512df0ca1a0462046446c14ca5aaaa5255dc12b6aa06ea7662aff9d1b2eb41
a6655fefe6b0b32d5c94627d3b83a0d446fa329b162ac7f8409a1b8827b63abc
679f0dec60e8ac08f75b8e2731c1689544b9ae1d08a26e9c6607a7bad3941ebb
a84ffc6423f9efc057fcffadbf537056debc6b79d3d81a7dc4b16bd61a87b6ba
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
c8ce7d7a1b3511466f838f2b09f1a644ac2ceaa09f508a81a601cc5c576e18d4
df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
8758be9f226102217b3f28ffc1d6093dac1c9d5e8b3de32d85d150204169c10d
f34b65f828707e189c6197c3605e4b25bcd493e93bdb498bc91eeee6ac349d0b
da6d125701d41e2b9d6d9931b4747bbf6b3b4a6c0ca26311c7983fad94e22ef5
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28
SH256 hash:
248a7c4997aacb14ca032daf9668636839f921d0a3403f09a3b0ccfdc948cbf1
MD5 hash:
a7952169b04a2c6a39661aad59e79dcf
SHA1 hash:
88722f1a32c913307c0c6385b04478a79fabd12b
Link:
https://www.unpac.me/results/bbe7f4a5-50e3-41f9-9613-b023274db708/
SH256 hash:
63d15cb24a7ea6538df317124c47b90da53a66cc34c0f0787725a67007f86365
MD5 hash:
7036431ac0dd0210c3c452a57aa0de61
SHA1 hash:
824479c3fa37e26ab25ad2aa62cc3c3a3ab3b5a6
Link:
https://www.unpac.me/results/bbe7f4a5-50e3-41f9-9613-b023274db708/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/bbe7f4a5-50e3-41f9-9613-b023274db708/
SH256 hash:
1c1d311b2b133d8bcbe1f3d09c716359e54141ccbb242d61fe601ef6c70bd18c
MD5 hash:
2450b2edc72f201e2b96ff4e784853c4
SHA1 hash:
41f2bf7440aaa76691d0e03e2c376e2a4d49d706
Link:
https://www.unpac.me/results/bbe7f4a5-50e3-41f9-9613-b023274db708/
SH256 hash:
b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
MD5 hash:
ec36ba050f837fc4326c0efaa9835fc7
SHA1 hash:
7535e027bbe17595c0d7319d6f92614dab90609c
Link:
https://www.unpac.me/results/bbe7f4a5-50e3-41f9-9613-b023274db708/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf

RemcosRAT

Executable exe b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d6adbd879d0b20d0ca5057006a890284e0ca9b477f6f07b2924d05b37881dfbf
Cape
Cape
https://www.capesandbox.com/analysis/324006/
  
Dropped by
MD5 f3b6f2be974bae7146c215dbb66cc4c9

Comments