MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce632addcc06682ebfabc43c0958de9c91c055e234cf9b7383dda4311ab1c3a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce632addcc06682ebfabc43c0958de9c91c055e234cf9b7383dda4311ab1c3a8
SHA3-384 hash: d819601cdb79841d0503346b113473aa58d003e7dd7029f02a19d05d0b3859b19b5ff360cf2d77b38f138942659ff8b2
SHA1 hash: 467bf9c453b70a52c4ec0f22e5f076bc35bcdace
MD5 hash: 1b71166123c1a8c36b6ddd9859992d96
humanhash: summer-zulu-william-asparagus
File name:Multipack Supplier order 2210018.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:6'144 bytes
First seen:2022-10-22 13:26:49 UTC
Last seen:2022-10-22 15:09:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 48:6tQhoSIIdcF5JWSvcnyDNM3U/+EFJOZl/a3kmMaSsTRi1tiOl26086nqFypfbNtm:OhIdcFGSv17+EFkPa3E5hY6086RzNt
Threatray 7'303 similar samples on MalwareBazaar
TLSH T11CC1C51163E94733DE734BB2AC73634206B9B3669823C79D25C0624B6D233561E22FB9
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Multipack Supplier order 2210018.exe
Verdict:
Malicious activity
Analysis date:
2022-10-22 13:27:15 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/dfc7a699-c0e3-44d9-925f-98a71619dc26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322671/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.25551.15171.373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6353efa6fdf6478a15afbd57/reports/e81fb348-f7e8-4bf1-bbf3-d188382e1c11/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/87e45bf8-433c-4aac-9e9b-b8b2494b6693
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1095520
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728161 Sample: Multipack Supplier order 22... Startdate: 22/10/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 10 other signatures 2->49 7 Multipack Supplier order 2210018.exe 16 7 2->7         started        12 Fenorj.exe 14 3 2->12         started        14 Fenorj.exe 3 2->14         started        process3 dnsIp4 41 41.216.183.54, 49695, 49698, 49699 AS40676US South Africa 7->41 31 C:\Users\user\AppData\Roaming\...\Fenorj.exe, PE32 7->31 dropped 33 C:\Users\user\...\Fenorj.exe:Zone.Identifier, ASCII 7->33 dropped 35 Multipack Supplier order 2210018.exe.log, ASCII 7->35 dropped 51 Encrypted powershell cmdline option found 7->51 16 Multipack Supplier order 2210018.exe 2 13 7->16         started        19 powershell.exe 14 7->19         started        53 Multi AV Scanner detection for dropped file 12->53 55 Machine Learning detection for dropped file 12->55 21 powershell.exe 11 12->21         started        23 powershell.exe 14->23         started        file5 signatures6 process7 dnsIp8 37 41.216.183.96, 49696, 50505 AS40676US South Africa 16->37 39 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 16->39 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce632addcc06682ebfabc43c0958de9c91c055e234cf9b7383dda4311ab1c3a8/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 13:15:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzrsvxomazuc5p5lyq6aswg6tsi4avpcgthzw44d3wsdcgvryoua._file
Verdict:
malicious
Similar samples:
0a869d139f509a45998437cb390ae80c9d5581bf615666e0535b0dd157f9e0aa
RemcosRAT
124cf8592e12fcf8da452eda47af833d34ffdd009935537d6e9f903d04ffd0f1
RemcosRAT
4bcabec27b62127148e5a986ab1d36d6485e686f03ab012d3631be04b82c29f5
RemcosRAT
57010882c49e6a6ec8fff4664eb8df03eb4cfb19d5ee32b3f973f03330e69cdd
RemcosRAT
62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177
RemcosRAT
8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647
RemcosRAT
b512d0f95a81e932ba60e4497b043a8358fccdb517c1489ee59962a01b07d276
RemcosRAT
e00e158ba45b49cdfdca374f0f8f64a1df6c3b05f2034ac71ed0f3a1144f2ee2
RemcosRAT
+ 7'293 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:50505 persistence rat
Link:
https://tria.ge/reports/221022-qp3s5sddhl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
41.216.183.96:50505
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/174f939a-0fd7-4e61-85bb-04c0067b3254
Unpacked files
SH256 hash:
ce632addcc06682ebfabc43c0958de9c91c055e234cf9b7383dda4311ab1c3a8
MD5 hash:
1b71166123c1a8c36b6ddd9859992d96
SHA1 hash:
467bf9c453b70a52c4ec0f22e5f076bc35bcdace
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/70fe76c6-aa3d-435d-a25e-8f07d817d163/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce632addcc06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ce632addcc06682ebfabc43c0958de9c91c055e234cf9b7383dda4311ab1c3a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ce632addcc06682ebfabc43c0958de9c91c055e234cf9b7383dda4311ab1c3a8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322671/

Comments