MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
SHA3-384 hash: 6e8321295cf504e7dd2b0aad7ec62a340d5cb777a85e54fd8df7f0535055364821ab7d41f775d2662bf1017e24b695e2
SHA1 hash: 2dd9ced6021c1f1e8f772ead665e70ee4250c238
MD5 hash: 32fdfac1be3eeb287976d70b621ba718
humanhash: mockingbird-football-venus-utah
File name:order specification.pif
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:883'200 bytes
First seen:2024-09-16 09:52:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:PYZIth8N9PnPo2SxApB3x8uYU66U25BL:Pvth8N5Po2rpH8uYUOA
Threatray 4'463 similar samples on MalwareBazaar
TLSH T1A915232D63E1CAA7C8B967752DE3CE054B75C516E1D2E89B0FE460EF398B746460032B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
475
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Nanocore-10025638-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e7ffff2ebf76853bd5d44c
Tags:
Discovery Execution Generic Infostealer Network Static Stealth
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed remcos
Link:
https://www.filescan.io/uploads/66e7ffff3c9389b729b87735/reports/12fa3635-5638-47c2-974b-c7d2864b8343/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/767fb687-7989-482a-b8e7-01190ed911eb
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1511782
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1511782 Sample: order specification.pif.exe Startdate: 16/09/2024 Architecture: WINDOWS Score: 100 53 www.drechftankholding.com 2->53 55 geoplugin.net 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 16 other signatures 2->63 8 order specification.pif.exe 7 2->8         started        12 sOjQJdX.exe 5 2->12         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\sOjQJdX.exe, PE32 8->41 dropped 43 C:\Users\user\...\sOjQJdX.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmpC431.tmp, XML 8->45 dropped 47 C:\Users\...\order specification.pif.exe.log, ASCII 8->47 dropped 65 Adds a directory exclusion to Windows Defender 8->65 14 vbc.exe 8->14         started        17 vbc.exe 3 16 8->17         started        21 powershell.exe 23 8->21         started        27 3 other processes 8->27 67 Antivirus detection for dropped file 12->67 69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 23 vbc.exe 12->23         started        25 schtasks.exe 1 12->25         started        signatures6 process7 dnsIp8 73 Contains functionality to bypass UAC (CMSTPLUA) 14->73 75 Contains functionalty to change the wallpaper 14->75 77 Contains functionality to steal Chrome passwords or cookies 14->77 85 3 other signatures 14->85 49 www.drechftankholding.com 103.198.26.22, 2404, 49708 NXGNET-AS-APNextgenNetworksAU unknown 17->49 51 geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands 17->51 39 C:\ProgramData\dfgh\logs.dat, data 17->39 dropped 79 Detected Remcos RAT 17->79 81 Installs a global keyboard hook 17->81 83 Loading BitLocker PowerShell Module 21->83 29 WmiPrvSE.exe 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        37 conhost.exe 27->37         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-09-16 09:53:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhzw7cwzuy3a5vag747ijxm3tj3f43w6upm35n7fymbsgaab7ujq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4
RemcosRAT
322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24
RemcosRAT
66f3abf06c96c938894a2d721331e7dec08154d681bfae6f2db4dbc35a995e46
RemcosRAT
b4952421150265489acc51c83234643237b1f06e468c450d604210e3ee50316e
RemcosRAT
f94c2da3623066f0066d1e403069a3125160b4200a4d86138cee932cc6970e69
RemcosRAT
+ 4'453 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery execution rat
Link:
https://tria.ge/reports/240916-lwmchs1emr/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Remcos
Malware Config
C2 Extraction:
www.drechftankholding.com:2404
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5c26e13b-630d-4086-9460-6aba98103a05
Unpacked files
SH256 hash:
1b727719d548c93b677a6e55184ae74bc4a85e2e217289634f563516327e8c0d
MD5 hash:
f971f6bb7308654f0013bfc2622b5399
SHA1 hash:
ddca047095e2c0160bed312c9447f74b729bd111
Link:
https://www.unpac.me/results/6cc7b15c-8a44-4cce-9150-d27d09a8ec42/
Parent samples :
67f4b6cba186520b5247fa0ec23e129dd20c51640662108c2b9db61cf968f17d
bc5ee788c33389a426c9b5b10405a41a83f6875864bf09b0de6df15ab88cfbda
3bd3c438394939146b7e081e05cd0973bcc7c7d01f624502f70ff7f7da986a41
SH256 hash:
6e4b3d5559d84c0df06640b4a24b3f773cc42ff77b8cba28196f4cae93ca500a
MD5 hash:
787424594479f19718f30a705c5d13bf
SHA1 hash:
7f17c995bf8cd864b572340a9022a86b0cd0e706
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6cc7b15c-8a44-4cce-9150-d27d09a8ec42/
SH256 hash:
879276b0a6a9ed9a14ea05450f75ad6c254a78ba99b7b7292ae39b8aca4abfad
MD5 hash:
a89de4f61bef32a2d8bfbcb15b283f7d
SHA1 hash:
3149a37d44cf5d77045ea86a1f53897b7e93f299
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
Link:
https://www.unpac.me/results/6cc7b15c-8a44-4cce-9150-d27d09a8ec42/
Parent samples :
c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
SH256 hash:
c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13
MD5 hash:
32fdfac1be3eeb287976d70b621ba718
SHA1 hash:
2dd9ced6021c1f1e8f772ead665e70ee4250c238
Link:
https://www.unpac.me/results/6cc7b15c-8a44-4cce-9150-d27d09a8ec42/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1f36f8ad9a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe c1f36f8ad9a6360ed406ff3e84dd9b9a765e6edea3d9beb7e5c303230001fd13

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments