MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0
SHA3-384 hash: 712414d5ecd297a5d25c8f83a51268174ddb2fbce937e75889ae27926d47b509ac13f65880654d4bf8c559cb8dcb4598
SHA1 hash: 060f7cf96d0bebf08d37fa1d80f145122acb7a08
MD5 hash: 5aac5734ed076748455e82ea0d3872a9
humanhash: butter-twenty-indigo-apart
File name:New Order, Quantity&Design.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'209'344 bytes
First seen:2023-07-31 06:40:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:sS6I3KLLNhuG+aOi9ZwOOLopfgtYDxm4ydB23R:srUK9sTaOiLOMhg+nydB
Threatray 2'331 similar samples on MalwareBazaar
TLSH T1C645092804EB0E12C121D1FF6AE5B5AFF2415CB6A11C8D6752AD6F878D23D736C4AC2D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d1d0e8e8e4f4ecd4 (30 x AgentTesla, 18 x RedLineStealer, 16 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
New Order, Quantity&Design.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 06:44:48 UTC
Tags:
rat remcos remote keylogger
Link:
https://app.any.run/tasks/fb901276-b21e-4085-adb5-32b63cb101ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/439282/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38551996-72e6-4a2d-8899-cd07c42ac00e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1282914
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1282914 Sample: New_Order,_Quantity&Design.exe Startdate: 31/07/2023 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 8 other signatures 2->56 7 AwRVEoN.exe 5 2->7         started        10 New_Order,_Quantity&Design.exe 7 2->10         started        process3 file4 60 Multi AV Scanner detection for dropped file 7->60 62 Contains functionality to bypass UAC (CMSTPLUA) 7->62 64 Machine Learning detection for dropped file 7->64 70 5 other signatures 7->70 13 schtasks.exe 1 7->13         started        15 AwRVEoN.exe 7->15         started        17 AwRVEoN.exe 7->17         started        38 C:\Users\user\AppData\Roaming\AwRVEoN.exe, PE32 10->38 dropped 40 C:\Users\user\...\AwRVEoN.exe:Zone.Identifier, ASCII 10->40 dropped 42 C:\Users\user\AppData\Local\...\tmp4EFB.tmp, XML 10->42 dropped 44 C:\...44ew_Order,_Quantity&Design.exe.log, ASCII 10->44 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 10->66 68 Adds a directory exclusion to Windows Defender 10->68 19 New_Order,_Quantity&Design.exe 3 15 10->19         started        24 powershell.exe 21 10->24         started        26 schtasks.exe 1 10->26         started        28 2 other processes 10->28 signatures5 process6 dnsIp7 30 conhost.exe 13->30         started        46 80.76.51.205, 49680, 6262 CLOUDCOMPUTINGDE Bulgaria 19->46 48 geoplugin.net 178.237.33.50, 49681, 80 ATOM86-ASATOM86NL Netherlands 19->48 36 C:\ProgramData\remcos\logs.dat, data 19->36 dropped 58 Installs a global keyboard hook 19->58 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ana7zd4pte73oq4cpbkutydojlz6te2yupbnnzyjwsldhd4e2qa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
19b06353bd2b915f4fa9b30599477954534bfd37400c511d0868227044163e45
RemcosRAT
3100c2815280c4d4ccb7719c8a2f2cc150c80d53c3675a5070b9499028dafacc
RemcosRAT
3ddab0e4f018293bc930fb5a635c471074af3cce36801955d938d3eae8a5c737
RemcosRAT
4400353ebbbd72f1a260b3021c48fa67439ec6accd01ecd27ada202052f27391
RemcosRAT
9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
RemcosRAT
a8ae7002d16df08878c864f8cd2f8722dfcb5950372f3b12c88f4e265f2eee40
RemcosRAT
a940a2266d54aab5f787e6b9a3889fb3c615d9754de46ad25a7ba3a1b5fe9109
RemcosRAT
f60667b9e2a0a25221cdb47844149beb3b1cd08abbc3360e8684fad9d8aaa20e
RemcosRAT
+ 2'321 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:softgee logs rat
Link:
https://tria.ge/reports/230731-hfrqhsda25/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
80.76.51.205:6262
Unpacked files
SH256 hash:
7532336b3fb752a7fa95aa1da5ddc527600d0cbba1aa2d77b46052439a32e619
MD5 hash:
b38640c1870edfd88e7a5cff3df11473
SHA1 hash:
f85da54b2d95beb76b3e32384adea6eef50abf45
Link:
https://www.unpac.me/results/587baed3-3b56-4ec6-a747-c3fd93d0b2d7/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/587baed3-3b56-4ec6-a747-c3fd93d0b2d7/
SH256 hash:
3fb23faa9b2020265aa6d371e51ec749b64082ee26c73351be1de96bcf3a3dc1
MD5 hash:
87882215ca9597879ebdc7560ebfcce3
SHA1 hash:
3ce8799db05909696be6e3340037822dab822ffb
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/587baed3-3b56-4ec6-a747-c3fd93d0b2d7/
Parent samples :
d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0
be34a7f3fb6fd3a52d2c2fa5452b6cf7fb4afa00ca29bda99c0e4710771ef71c
SH256 hash:
0b21c2aa6d9b8f807ff7171103c0d3311a852223f66c22c0223d2044dfcd8e60
MD5 hash:
d80ad864ea9b71a6f27a19209a17b26a
SHA1 hash:
33b7929963dba2dd3800a6e5ab8c530cb9cbd3ba
Link:
https://www.unpac.me/results/587baed3-3b56-4ec6-a747-c3fd93d0b2d7/
SH256 hash:
d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0
MD5 hash:
5aac5734ed076748455e82ea0d3872a9
SHA1 hash:
060f7cf96d0bebf08d37fa1d80f145122acb7a08
Link:
https://www.unpac.me/results/587baed3-3b56-4ec6-a747-c3fd93d0b2d7/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d81a0fe47c7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe d81a0fe47c7cc9fdba1c13c2aa4f0372579f4c9ac51e16b7384da4b19c7c26a0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/439282/

Comments