MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

SHA256 hash: d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0
SHA3-384 hash: 001d0af2d556831350ef44227d0909a00e75c4a67394c9fb6470cdaa816b5f3136c63546c420613556238b43d3cae315
SHA1 hash: 0efbb54567b18570ccec48ec3fc1bfc4e4afe19c
MD5 hash: 0ac25f96a967ac41a1e23a6d3a791412
humanhash: iowa-foxtrot-washington-dakota
File name: AP202-230504001-ORDER.exe
Signature: RemcosRAT
File size: 1'051'136 bytes
First seen: 2023-05-05 13:14:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:xQCtqK7enlhpAd89yvum9EKf/N11tkiSnRF3ECJ4:qCtbeKiyvT9EKf/NZkLRFzJ
Threatray: 1'888 similar samples on MalwareBazaar
TLSH: T11C25025123A9F7A1ECA183FC730CE4019FA51D52B3FAE7E48DCBE0D99508B18B654693
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: James_inthe_box
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 252
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: AP202-230504001-ORDER.exe
Verdict: Malicious activity
Analysis date: 2023-05-05 13:15:23 UTC
Tags: rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window

Verdict: Malicious
Threat level: 10/10
Confidence: 86%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph ID: 859900
Sample: AP202-230504001-ORDER.exe
Start date: 05/05/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

Process tree (rebuilt from the behavior graph; node badges and edge numbers omitted):
- AP202-230504001-ORDER.exe
    Dropped files: C:\Users\user\AppData\...\HxaZcmcZlGQXc.exe (PE32); C:\...\HxaZcmcZlGQXc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp5406.tmp (XML); C:\Users\...\AP202-230504001-ORDER.exe.log (ASCII)
    Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to steal Chrome passwords or cookies; Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures
    - AP202-230504001-ORDER.exe
        Dropped files: C:\ProgramData\Remcos\Date.exe (PE32); C:\ProgramData\...\Date.exe:Zone.Identifier (ASCII)
        - Date.exe
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
            - Date.exe
                Network: 212.193.30.230 (ports 2286, 49706, 49707; SPD-NETTR, Russian Federation); 45.139.105.174 (port 2210; CMCSUS, Italy); geoplugin.net 178.237.33.50 (ports 49709, 80; ATOM86-ASATOM86NL, Netherlands)
                Signatures: Installs a global keyboard hook
            - powershell.exe -> conhost.exe
            - powershell.exe -> conhost.exe
            - schtasks.exe -> conhost.exe
    - powershell.exe -> conhost.exe
    - powershell.exe -> conhost.exe
    - 5 other processes -> conhost.exe
- HxaZcmcZlGQXc.exe
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
- Date.exe
    - schtasks.exe -> conhost.exe
    - Date.exe
- 2 other processes
    - schtasks.exe -> conhost.exe
    - Date.exe
Threat name: ByteCode-MSIL.Trojan.RedLine
Status: Malicious
First seen: 2023-05-05 10:12:56 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost collection persistence rat spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
45.139.105.174:2210
212.193.30.230:6320
212.193.30.230:2286
212.193.30.230:3330
Unpacked files

SHA256 hash: 80ea16fb9208b85da63b0d53ec01884bde8ef3a2cc42f93ab79091cda3d7faee
MD5 hash: c6880396ee22e4ed8ebb8677f7df7a5b
SHA1 hash: c83158f342ceb89ff15d4ce9131faa2b636fcb9c

SHA256 hash: e6ecc640876e676a08ee2d1b9e8e06329930dea9c4319fe6502dc5a9c9e14d35
MD5 hash: be0604a399ab6ba90dd0519e33bd32a8
SHA1 hash: 353f916d2674aa66fe0b06e0b70f42231de3b52d
Detections: Remcos win_remcos_auto

SHA256 hash: 14e93cd36656997100d8be0feecc93dfcedf01ff4e08ba69e7b429bea0b097a7
MD5 hash: cd11977f6179ffee6c7200f9e6e00ac9
SHA1 hash: ff0e46e02d2d8c37e3e40d9f450349c6e2d9d5e4

SHA256 hash: 280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash: d4b6893a5512534104c6c7403be60897
SHA1 hash: d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d

SHA256 hash: c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash: da56041df789c24cb2a36a364431f766
SHA1 hash: 876e6c579d1092a76ce90c500c43af0cf11724a4

SHA256 hash: d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0
MD5 hash: 0ac25f96a967ac41a1e23a6d3a791412
SHA1 hash: 0efbb54567b18570ccec48ec3fc1bfc4e4afe19c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments