MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9
SHA3-384 hash: 6e51ab555ddb0b7987ac59f0e09a164b428f3cee9354962f9a38ee96a72812eda7c7656377b26e245c9f68ca99f04e4d
SHA1 hash: 4b87b09ca4799e3c1e89005046963225165147fd
MD5 hash: 7373ad32fd9d370f54402a83dfec32b6
humanhash: kitten-beryllium-sink-bacon
File name:hesaphareketi-01.PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:910'336 bytes
First seen:2023-04-06 10:31:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:LrrDczlV/K11FuaAh4uweBnkkc83RSrXYweI4fYvyahOYq0Mr/sfrsoM2/QUW:L4K1nM4VR83jw7qYaX10MIfYo9/QUW
Threatray 1'791 similar samples on MalwareBazaar
TLSH T15B15234D2319BB36C66C47B5E883204107B8F651E593F36D1CF69BD92EE77488882B83
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe geo RemcosRAT TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
hesaphareketi-01.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-04-06 10:32:35 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/8239d02c-93c1-4270-a667-c6277ac25f7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380607/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642e9fa4bf68c1790afac745/reports/2f4494eb-4706-4ed6-b4e2-059b66ffd6a4/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5954c468-b73d-47ed-88c2-fc528316ddb7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209590
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842508 Sample: hesaphareketi-01.PDF.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 90 Multi AV Scanner detection for domain / URL 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 11 other signatures 2->96 9 hesaphareketi-01.PDF.exe 7 2->9         started        13 hguKgvRiZGHG.exe 5 2->13         started        process3 file4 62 C:\Users\user\AppData\...\hguKgvRiZGHG.exe, PE32 9->62 dropped 64 C:\Users\...\hguKgvRiZGHG.exe:Zone.Identifier, ASCII 9->64 dropped 66 C:\Users\user\AppData\Local\...\tmp4A0E.tmp, XML 9->66 dropped 68 C:\Users\...\hesaphareketi-01.PDF.exe.log, ASCII 9->68 dropped 98 Contains functionality to bypass UAC (CMSTPLUA) 9->98 100 Contains functionality to steal Chrome passwords or cookies 9->100 102 Contains functionality to inject code into remote processes 9->102 110 4 other signatures 9->110 15 hesaphareketi-01.PDF.exe 8 19 9->15         started        20 powershell.exe 21 9->20         started        22 schtasks.exe 1 9->22         started        104 Multi AV Scanner detection for dropped file 13->104 106 Machine Learning detection for dropped file 13->106 108 Injects a PE file into a foreign processes 13->108 24 hguKgvRiZGHG.exe 13->24         started        26 schtasks.exe 13->26         started        signatures5 process6 dnsIp7 80 ennenbach.duckdns.org 193.42.33.155, 49700, 49702, 49703 EENET-ASEE Germany 15->80 82 geoplugin.net 178.237.33.50, 49701, 49812, 80 ATOM86-ASATOM86NL Netherlands 15->82 60 C:\ProgramData\remcos\logs.dat, data 15->60 dropped 84 Writes to foreign memory regions 15->84 86 Maps a DLL or memory area into another process 15->86 88 Installs a global keyboard hook 15->88 28 svchost.exe 12 15->28         started        31 wscript.exe 15->31         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 svchost.exe 24->38         started        40 conhost.exe 26->40         started        file8 signatures9 process10 dnsIp11 78 192.168.2.1 unknown unknown 28->78 42 chrome.exe 28->42         started        45 chrome.exe 28->45         started        112 Deletes itself after installation 31->112 47 chrome.exe 38->47         started        49 chrome.exe 38->49         started        signatures12 process13 dnsIp14 76 239.255.255.250 unknown Reserved 42->76 51 chrome.exe 42->51         started        54 chrome.exe 45->54         started        56 chrome.exe 47->56         started        58 chrome.exe 49->58         started        process15 dnsIp16 70 microsoftmscompoc.tt.omtrdc.net 51->70 72 part-0032.t-0009.fdv2-t-msedge.net 13.107.237.60, 443, 49718, 49719 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->72 74 14 other IPs or domains 51->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9/
Threat name:
ByteCode-MSIL.Trojan.Mamut
Create hunting rule
Status:
Malicious
First seen:
2023-04-06 09:16:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpvv3b66bgnmivcttiuhwpbay7fu3lxhgoaa5nl4u7kyttfua3uq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2e5243c0f25a508026aa4bc82e7cdddd2df91f556c8509ac6e2b60d3ef17b517
RemcosRAT
38455251726a64db957d8e30e6c1dc1ca2b10c35691dadbcf3bf8172babe94e3
RemcosRAT
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
RemcosRAT
50e39da793e84dc45780be3dca5aed8fa300ae2aaf7708a58da92e31865f2e81
RemcosRAT
6760ae6bf21620a631a5fd3c6d56a01080be0fa127db8322ec2eb87ce17728e7
RemcosRAT
892ec6b7d5d18610afae6178542d991ee4b6b47adc7b61a02f78cc270f0cb84a
RemcosRAT
8aad378acd6bb2912809751007cc762facf7eefcc867b5fd8ace1e1728329c08
RemcosRAT
9bfac87ca7cc550553ff3db0da040499c96ff7d68c694243e07c06017da63b8b
RemcosRAT
b19c0bb20a5fe51658666464950c582cef626cdf1f50bf5c775109a0cf2267db
RemcosRAT
c4696bab213507b524fecce34faa2c1594669a95593f6ff1abf76cfa329b7b58
RemcosRAT
+ 1'781 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft phishing rat
Link:
https://tria.ge/reports/230406-mkyrvaee6v/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
ennenbach.duckdns.org:5800
Unpacked files
SH256 hash:
c679eb96382cab95086a93891f71c47651900bee03a7fd6696ed9600c658ce2c
MD5 hash:
b3cdb7158bc74b5e66e315c92c634298
SHA1 hash:
d315382e4e76f0e177095f3983cb6c046e008b12
Link:
https://www.unpac.me/results/a6ac869d-38ce-4c79-977f-fe048dd21861/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/a6ac869d-38ce-4c79-977f-fe048dd21861/
SH256 hash:
90a181900df4541d02ad3e26db7d12de18a2419470d0d5e327fa8be8ab282174
MD5 hash:
3e965196faceb53e0db90e9240b69e35
SHA1 hash:
4f171e4f1977d4bc2f621ce48b820a9078f54a4e
Link:
https://www.unpac.me/results/a6ac869d-38ce-4c79-977f-fe048dd21861/
SH256 hash:
c61e8545db16fb762d4ce22f55d7b4b7ae544e9353499e0b7faddb79e0f8b28b
MD5 hash:
22b5558b087c651bd3355c24843882a4
SHA1 hash:
35580e33b3cf0c4b55c881c874c4bf4af0e8a11e
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a6ac869d-38ce-4c79-977f-fe048dd21861/
Parent samples :
75b45c924b0796b2dd96b96e9602c6039b18e5be28c1d6f5dd9ebcfd0668fd64
3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627
cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9
SH256 hash:
5009ce8a372663d7599af6ceb44da70ca3b4eaca9c23c9c9e12fa155c39fe6cd
MD5 hash:
621b47a9febdfa485c40cba37bc5c013
SHA1 hash:
23933494dd6b00ecd593b479be35fa42066e186b
Link:
https://www.unpac.me/results/a6ac869d-38ce-4c79-977f-fe048dd21861/
SH256 hash:
cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9
MD5 hash:
7373ad32fd9d370f54402a83dfec32b6
SHA1 hash:
4b87b09ca4799e3c1e89005046963225165147fd
Link:
https://www.unpac.me/results/a6ac869d-38ce-4c79-977f-fe048dd21861/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbeb5d87de09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe cbeb5d87de099ac454539a287b3c20c7cb4daee733800eb57ca7d589ccb406e9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380607/

Comments