MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25
SHA3-384 hash: 7e99c5d536c25b2374a388bef24ffca276e64f2e773441ccff489e9e3b6ffdd0cd232aaff35b7bc555e4987840f1b294
SHA1 hash: e8fbd3346516b00d7486c6648dd921528cd95e1e
MD5 hash: 3e09786c1616945b1fd2b986a3b73254
humanhash: wyoming-seven-mirror-uncle
File name:PURCHASE_ORDERS PO-010507.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'614'848 bytes
First seen:2023-02-25 08:17:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:CgIQllp/Y02CwwKrMarlkNu2Sc+WumGz/n9n5cxK8Y3Vu2Li5tpW+AF4LZ:zH/Y0wBkjSc+Wux/9nKxK8Y3Vu2Utd
Threatray 1'869 similar samples on MalwareBazaar
TLSH T1D9759D8AB370B07FF8AF417A0570298D6C31AD563329F61E4D6B38455E3A8F7B589063
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f88cc6f0f0f071 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PURCHASE_ORDERS PO-010507.exe
Verdict:
Malicious activity
Analysis date:
2023-02-25 08:25:42 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/889cdae6-9b1e-49dd-9265-c995bf86c892

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369614/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f9c43d5d47c2515e8005ef/reports/3661bd99-0df1-4388-8417-0a3997f52717/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cc23afda-38c2-4ce6-8db1-b2cb2268203f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182260
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 07:31:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
23 of 39 (58.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3k5wk6wpudjdtpgx6jx2qtvvm54quovupvdlx4ndxopvyttohmsq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
RemcosRAT
08bc96eb8f857b9e84b4536d96ddb85e8be8329f8572b8b91d4d645e79a84ccc
RemcosRAT
305e9aa2df19b77ad92b897543e803b5dea0c851b37cf8c9b4e2206282343946
RemcosRAT
3a20e81b1f0bf0699007470e5a8e2a9a0d6507ea99696f0df9bd99b80910d656
RemcosRAT
5ca676b334d8a3f4542877a696a7092b29dbdeddabcd70af2a80e5c8384a75b6
RemcosRAT
7e82cf496170e81178aa01bb117531aaf096b2ee9797e5d82e6e141ad550c0ef
RemcosRAT
9846c8ffd0aec6ff3c8b8db350032e4d9586ac6aa22b06944672c837d3bbcf28
RemcosRAT
ce4f7b095af43eceb75710f074f5c39eaf53039cd470ad6e56c254af33a0b0a3
RemcosRAT
+ 1'859 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:crypted rat
Link:
https://tria.ge/reports/230225-j7afzscf73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
20.38.32.202:2347
Unpacked files
SH256 hash:
41b49b10d7037a1a15a347d3aeccea2b2104fff71c06775d3abef9194a64112f
MD5 hash:
d98d5639eb07122a26ba1c2bfd5a8564
SHA1 hash:
d51fa93e52c6e492aa1dd88bdc964d850f1dfa64
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/e5ac366a-a4d0-460b-b43f-088d9d58656f/
SH256 hash:
52ba66b8ec52beda6e061bcb0e9c4bb7ce8877b3a823f1caf15389a0002d33a0
MD5 hash:
7d4b06f1419571b15d30efccfa6b2e69
SHA1 hash:
8fc221b9f187e9d5acbf48e029a4f1124fa01564
Link:
https://www.unpac.me/results/e5ac366a-a4d0-460b-b43f-088d9d58656f/
SH256 hash:
b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e
MD5 hash:
301d49f143b4559eebb04d6604c9c806
SHA1 hash:
8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3
Link:
https://www.unpac.me/results/e5ac366a-a4d0-460b-b43f-088d9d58656f/
SH256 hash:
5416edb8da17ad9673952926db6dd52ed65bac3f3b19ae7f64af01cbd5e06e14
MD5 hash:
56bf44a078cf07585d3115bd966ce55c
SHA1 hash:
48f4043fd1ce11908a2304d93a9a2a9d39684d17
Link:
https://www.unpac.me/results/e5ac366a-a4d0-460b-b43f-088d9d58656f/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/e5ac366a-a4d0-460b-b43f-088d9d58656f/
SH256 hash:
dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25
MD5 hash:
3e09786c1616945b1fd2b986a3b73254
SHA1 hash:
e8fbd3346516b00d7486c6648dd921528cd95e1e
Link:
https://www.unpac.me/results/e5ac366a-a4d0-460b-b43f-088d9d58656f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dabb657acfa0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/dabb657acfa0d239bcd7f26fa84eb567790a3ab47d46bbf1a3bb9f5c4e6e3b25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369614/

Comments