MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
SHA3-384 hash: 3cabf24144bc50a2f2d48e22af44db2bd8ba6f4fd0695989f0ba1f3c1c0cea404d93a9ab6212af94f8e8131cfffbcd04
SHA1 hash: 4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e
MD5 hash: 03822cedfe4d336fb7b8bab0e101ae7f
humanhash: alanine-saturn-romeo-triple
File name:ORDER 0749.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'004'544 bytes
First seen:2023-08-21 07:26:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:j1g++PA0agXAK0QyU7QWRWrfAWC0Jjm8T5:jU40JT0QnsdC09m8F
Threatray 388 similar samples on MalwareBazaar
TLSH T1E7251204A2A48B3AE0BCDBF23497A1603FB99A5F9096EE942FC534DF253075512D391F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ORDER 0749.exe
Verdict:
Malicious activity
Analysis date:
2023-08-21 07:26:58 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/e2f96013-b3db-4fc9-a3bb-6d2b768afea6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443901/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8abfbdb3-57a3-4681-9dcc-c64a0fe9eb63
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294333
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious names
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1294333 Sample: ORDER_0749.exe Startdate: 21/08/2023 Architecture: WINDOWS Score: 100 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 10 other signatures 2->94 10 ORDER_0749.exe 7 2->10         started        14 GHhUHN.exe 5 2->14         started        16 remcos.exe 2->16         started        18 remcos.exe 2->18         started        process3 file4 74 C:\Users\user\AppData\RoamingbehaviorgraphHhUHN.exe, PE32 10->74 dropped 76 C:\Users\user\AppData\Local\...\tmp565B.tmp, XML 10->76 dropped 112 Contains functionality to bypass UAC (CMSTPLUA) 10->112 114 Contains functionality to steal Chrome passwords or cookies 10->114 116 Uses schtasks.exe or at.exe to add and modify task schedules 10->116 124 4 other signatures 10->124 20 ORDER_0749.exe 1 4 10->20         started        24 powershell.exe 21 10->24         started        26 schtasks.exe 1 10->26         started        118 Multi AV Scanner detection for dropped file 14->118 120 Machine Learning detection for dropped file 14->120 122 Injects a PE file into a foreign processes 14->122 28 schtasks.exe 14->28         started        30 GHhUHN.exe 14->30         started        32 schtasks.exe 16->32         started        34 remcos.exe 16->34         started        signatures5 process6 file7 72 C:\ProgramData\Remcos\remcos.exe, PE32 20->72 dropped 104 Creates autostart registry keys with suspicious names 20->104 36 remcos.exe 5 20->36         started        39 conhost.exe 24->39         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        45 conhost.exe 32->45         started        signatures8 process9 signatures10 96 Multi AV Scanner detection for dropped file 36->96 98 Machine Learning detection for dropped file 36->98 100 Adds a directory exclusion to Windows Defender 36->100 102 Injects a PE file into a foreign processes 36->102 47 remcos.exe 36->47         started        51 powershell.exe 36->51         started        53 schtasks.exe 36->53         started        55 remcos.exe 36->55         started        process11 dnsIp12 78 212.193.30.230, 3330, 49721, 49722 SPD-NETTR Russian Federation 47->78 80 geoplugin.net 178.237.33.50, 49723, 80 ATOM86-ASATOM86NL Netherlands 47->80 82 192.168.2.1 unknown unknown 47->82 84 Maps a DLL or memory area into another process 47->84 86 Installs a global keyboard hook 47->86 57 remcos.exe 47->57         started        60 remcos.exe 47->60         started        62 remcos.exe 47->62         started        68 13 other processes 47->68 64 conhost.exe 51->64         started        66 conhost.exe 53->66         started        signatures13 process14 signatures15 106 Tries to steal Instant Messenger accounts or passwords 57->106 108 Tries to steal Mail credentials (via file / registry access) 57->108 110 Tries to harvest and steal browser information (history, passwords, etc) 68->110 70 WerFault.exe 68->70         started        process16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-19 02:37:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkbkfujm73sh7t5ldyuivahbpexgvducmdtvqkyaoiqzdcv2amia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
180f09c1346f69b5273a595bac15a705cf4a5d15b3699742baf292a5e81050ed
RemcosRAT
1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea
RemcosRAT
2470f5cd9fcdd5fee479668698bb2b5d09e8319caf8ead338a8c776dba14064b
RemcosRAT
2d12bedd8d6cee6c6fbee5ccb9d7dd25fc6693d9d6a7a0207104f94b681b55aa
RemcosRAT
2f6f8d08fcf273fa79b7a13d3b24d4f71bbc9f2fdf6965afd737ccc0d5316429
RemcosRAT
4b66b1c337c83ccb79e4862a7a32421fd75a565a59fee1f830d4aae55b64af9a
RemcosRAT
4eaf10beee3ffe3dff4d6bd78c7a8f04c7a1b067c1f7cb6d414a53d56b1dee8e
RemcosRAT
877371d8ae10433714781fc8187b21a9bd55e01738d1e701603118d1e2b89944
RemcosRAT
8dd8b145ec24876f20be6dcbf4818b5e6d38a2b5cba55d19ea5590d14208d787
RemcosRAT
9dcfe4a742d054e152e5e8b1f7c2c88aa5efa7896a5e072ca6af8f723d9c1509
RemcosRAT
+ 378 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat spyware stealer
Link:
https://tria.ge/reports/230821-h94beadd21/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
212.193.30.230:3330
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/596332dd-c8b7-4006-80ac-d3ff85f20e18/
SH256 hash:
3d9f5ea8ca556999596abb635130081f1d64c5706117ba6282f5860ddc072df2
MD5 hash:
6e54cd25231c296bf2f0f9ac8164b253
SHA1 hash:
7caff39d9cc3eaf343e135f599a9cde4dc749b0a
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/596332dd-c8b7-4006-80ac-d3ff85f20e18/
Parent samples :
36f8e4eb768b6f4bcb732179cfb4d8795452c285d565e4fc4998455de0006f51
877371d8ae10433714781fc8187b21a9bd55e01738d1e701603118d1e2b89944
a5dfa6c8066bb006adb1490b52540bd2f049b3556c4c51eb59c4c9830c499286
e842b6dff73f8cc125170bafb505357263972cefc0d7187207295a207a6a3bdf
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/596332dd-c8b7-4006-80ac-d3ff85f20e18/
SH256 hash:
e037c02ca7c424c2899b9ba33e1c6c690b714d15e3be6cc1347e0a4c1cee359a
MD5 hash:
3757d401aac6d05f3d19f88da9727e62
SHA1 hash:
04dfe94ba87c0402211209ef964e40ce3cbee72e
Link:
https://www.unpac.me/results/596332dd-c8b7-4006-80ac-d3ff85f20e18/
SH256 hash:
ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310
MD5 hash:
03822cedfe4d336fb7b8bab0e101ae7f
SHA1 hash:
4cc85c0e8330dc7d04b1883d0eac35ddd5caf45e
Link:
https://www.unpac.me/results/596332dd-c8b7-4006-80ac-d3ff85f20e18/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba82a2d12cfe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ba82a2d12cfee47fcfab1e288a80e1792e6a8e8260e7582b007221918aba0310

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443901/

Comments