MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c
SHA3-384 hash: 465f4268de464fdea49e1ba3ed0ac6c20fbc09d1984ba6c7768e3901dcec08a39b0b022a586271e2c3d6a2840de162f2
SHA1 hash: 6eaff5e2672fbbdfd46b503365dbdc02ae668407
MD5 hash: 4334fe2b2fc94acca8388291eece9ac8
humanhash: eight-william-earth-speaker
File name:sample order.scr.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'250'816 bytes
First seen:2022-10-07 13:19:55 UTC
Last seen:2022-10-10 06:11:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Z1r1uXqY/jeTNSpOvDfB835LoipEUvJJD:Z7uXcNSU7J8tpEU
Threatray 2'179 similar samples on MalwareBazaar
TLSH T197458BBA21C54117E8257275D887D5F32AFBAD606162E1CB2AD33F6FBC401BB911334A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317657/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63402786d089a0c15dd5bac1/reports/55190374-683d-401f-a976-1e98839b9758/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d269ee74-ca54-4e34-a0a6-0d9a6d47afe4
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085760
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 718323 Sample: sample order.scr.exe Startdate: 07/10/2022 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 13 other signatures 2->66 7 sample order.scr.exe 7 2->7         started        11 icsOakcPSkFF.exe 5 2->11         started        process3 file4 44 C:\Users\user\AppData\...\icsOakcPSkFF.exe, PE32 7->44 dropped 46 C:\Users\...\icsOakcPSkFF.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmpC400.tmp, XML 7->48 dropped 50 C:\Users\user\...\sample order.scr.exe.log, ASCII 7->50 dropped 68 Adds a directory exclusion to Windows Defender 7->68 13 sample order.scr.exe 2 17 7->13         started        18 powershell.exe 21 7->18         started        20 schtasks.exe 1 7->20         started        70 Multi AV Scanner detection for dropped file 11->70 72 Machine Learning detection for dropped file 11->72 22 schtasks.exe 11->22         started        24 icsOakcPSkFF.exe 11->24         started        26 icsOakcPSkFF.exe 11->26         started        signatures5 process6 dnsIp7 56 91.192.100.12, 2404, 49696, 49697 AS-SOFTPLUSCH Switzerland 13->56 58 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 13->58 52 C:\ProgramData\remcos\logs.dat, data 13->52 dropped 80 Maps a DLL or memory area into another process 13->80 82 Installs a global keyboard hook 13->82 28 sample order.scr.exe 1 13->28         started        31 sample order.scr.exe 13->31         started        33 sample order.scr.exe 13->33         started        41 28 other processes 13->41 35 conhost.exe 18->35         started        37 conhost.exe 20->37         started        39 conhost.exe 22->39         started        file8 signatures9 process10 dnsIp11 74 Tries to steal Instant Messenger accounts or passwords 28->74 76 Tries to steal Mail credentials (via file / registry access) 28->76 54 192.168.2.1 unknown unknown 41->54 78 Tries to harvest and steal browser information (history, passwords, etc) 41->78 signatures12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-07 08:18:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2cz2q2owwjflpirdzqvxjwf6qh2qohrwhf746zgbccrtf7dob4ga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04a15b34b627794caf34f7277c8663ea7a75d32576f6484dc85ba2bfcbe39bfd
RemcosRAT
0773f517b40992fd3e6291eb906558588f1de9e3887bb2433f95bb4ea9f5904a
RemcosRAT
2cf1525cdb58ec9e5d47e5c66619b9cf2966155ece68a66e9bf935369971ccdc
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
3e0bcdfffded9aaede7644824841490767cf472e2dafebdc04b090870853d8ac
RemcosRAT
788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
RemcosRAT
a4f1f9124305cce82a6b8c70ccde9b4d646103f5b320bd766ad53fcd5a19ff08
RemcosRAT
c751eef24ba7492781e43c5034f1175ec098ebc72602e68822fd4c09cac0b9bb
RemcosRAT
da780e7f18a59bf4184769099656b951986ff9915e684a7d9c063f471f4f6876
RemcosRAT
+ 2'169 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ip-remcos collection rat spyware stealer
Link:
https://tria.ge/reports/221007-qk4jwacfa2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
91.192.100.12:2404
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e983b944-8eb1-4544-ba7c-22caac213db4
Unpacked files
SH256 hash:
df97ba2c71db7d6e3a59d3d45400dac3c1ce03c417a9bd035a31de3cb869c1bf
MD5 hash:
52c36044d578dc25b4050131da017054
SHA1 hash:
92ae814afbc1028d94b538ac47d46922ae819927
Link:
https://www.unpac.me/results/9274bd6f-6687-4428-b4a3-31cdf656db8e/
SH256 hash:
4446109874dea7149770e10e01b6bcbb6c322558dfd4370c708d072650c8cda6
MD5 hash:
7b6a7ef6dcca9dc7798a5f813626d5fb
SHA1 hash:
74112722e6b9853978cc46e5c31c81af818b4484
Link:
https://www.unpac.me/results/9274bd6f-6687-4428-b4a3-31cdf656db8e/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/9274bd6f-6687-4428-b4a3-31cdf656db8e/
SH256 hash:
870d4f7e420e54b86039ac5852c78d3da45ff18f413286eb904abb76b979161b
MD5 hash:
7ecbecd7b77cb2a46af2b50f793ee13d
SHA1 hash:
302e32a8b97d1b174184dba6013be36bf8cd635b
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/9274bd6f-6687-4428-b4a3-31cdf656db8e/
Parent samples :
b563d460e40277fd18dfa645f16081ed6328f519e218afc6570dafe951f5feea
20d06c9366037f9c7d08d843ddcb74e264accf481dbefd7b1f77669abb4d9be9
e1951d7c32816561ef8f00f5612a088479e1edb3a8cdbc7b7a48d8b60de5c541
236493354378eefc6203b957baa7df24b566d8e5b0f04523bbb060999cc8a227
d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c
e3f448f340d936b220f0cbdf838a812dde35c13568a48853679d4755984632fc
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/9274bd6f-6687-4428-b4a3-31cdf656db8e/
SH256 hash:
d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c
MD5 hash:
4334fe2b2fc94acca8388291eece9ac8
SHA1 hash:
6eaff5e2672fbbdfd46b503365dbdc02ae668407
Link:
https://www.unpac.me/results/9274bd6f-6687-4428-b4a3-31cdf656db8e/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0b3a869d6b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/317657/

Comments