MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd073f23a4b16333eb687e7b994e47c393fd38da8ecee7ac5174e82a50dd2d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	dd073f23a4b16333eb687e7b994e47c393fd38da8ecee7ac5174e82a50dd2d15
SHA3-384 hash:	8acb01eece6ec4b1c6389ae9715b61550929bb9ac2b90a3d65b8a15f6531b7d646e08d6af424c015548d7e3d6d4a28d0
SHA1 hash:	ff304310be7e584d04bd307d34cab86a27600a91
MD5 hash:	307b0e1293a53bf74719e8c2ce568073
humanhash:	march-stream-may-gee
File name:	#75758.......pdf.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'347'584 bytes
First seen:	2022-09-14 10:57:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:l6EpZ5fZYQmzo3pvkJ/3Vcjm3wlEiuJjYaiipb7I57gd20esk2pR0Qv565E4ZT2x:l6m5hLmzaOcSoEiutfiipby909b0Ov4I
Threatray	1'881 similar samples on MalwareBazaar
TLSH	T12055231BD2589F27E8680B7452B0F50153BAAF2A65B5C784CDC4E2F432EDB574206BA3
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/309996/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1427-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Creating a file

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/6321b4021594be804f8669f9/reports/c9f4c494-e94a-4891-8018-eacfaa110c0b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98ca4bb7-014a-4db8-a002-3bca60bcf7d5

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1070176

Signature

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/dd073f23a4b16333eb687e7b994e47c393fd38da8ecee7ac5174e82a50dd2d15/

Threat name:

ByteCode-MSIL.Trojan.Remcos

Status:

Malicious

First seen:

2022-09-03 11:00:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 39 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3udt6i5ewfrth23ipz5zstshyoj72og2r3hoplcrotucuug5fukq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2a6cd5b04a1f823de82896e8d2758ce91498ee9231032ae946363477ccc7701a

RemcosRAT

b563d460e40277fd18dfa645f16081ed6328f519e218afc6570dafe951f5feea

RemcosRAT

b7cc11f42808bc13ea70def8382654e7c9294eb30c42ed29d5eb9f2d7bbf9514

RemcosRAT

be4f9d4697e47ff2b6d73b0949a39be6f9defba32f4f4070673efc84de4c6113

RemcosRAT

ecf1b219adc24822bf9dc4593509ff7052a8e62a3715143235c0347cde7f354b

RemcosRAT

edd76f4398cd937c508d229a8482add54c2ec8efe84a6881af90bbd40d8b8601

RemcosRAT

+ 1'871 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost golden rat

Link:

https://tria.ge/reports/220914-m2tjfsdfhn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

23.19.227.82:1986

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c27510ee-fa63-4079-a410-f0e962dcb034

Unpacked files

SH256 hash:

c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e

MD5 hash:

966c65a2893f62df72494272d810448f

SHA1 hash:

de82f765123b6ed954996603b663e9bac36acfb6

Link:

https://www.unpac.me/results/ee657c68-7dd3-48de-ab74-ec7f13d8373c/

SH256 hash:

7c89e6ece23a34b2bf1b5b2166a663c251f8d51f7bf2224bc3ea431f08da24f8

MD5 hash:

a4fb0154b25f795924267777f1a4431b

SHA1 hash:

ba28e94d484ea84d5b6ae03293b1b2ae6379066a

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/ee657c68-7dd3-48de-ab74-ec7f13d8373c/

Parent samples :

4f95967b9b1f5532cb570bb1f762328d07ea16c20b6fcf1c4cfde82d06906630
b7cc11f42808bc13ea70def8382654e7c9294eb30c42ed29d5eb9f2d7bbf9514
f78d100a1e6bbffe26180d567355de572e316384aaa95b7b4f2baa6ff331eb58
dd073f23a4b16333eb687e7b994e47c393fd38da8ecee7ac5174e82a50dd2d15

SH256 hash:

44b1ccf3556771af402402bf97a42ea4713e334c9b272736292ce23ffd60e202

MD5 hash:

0c90bfba3361814464cf01351ec585bb

SHA1 hash:

89d444cbfb086f1f62ef12ae116def08a4070c50

Link:

https://www.unpac.me/results/ee657c68-7dd3-48de-ab74-ec7f13d8373c/

SH256 hash:

3ac9f723c0d5b4fefa55ea0eb6aa6f9189bbc6664c1cd82770597385eb19abd6

MD5 hash:

0f159fe350028b9a191af353e6e1ff61

SHA1 hash:

44b4b32da79207c63387bfca3ccd5b7351906b6e

Link:

https://www.unpac.me/results/ee657c68-7dd3-48de-ab74-ec7f13d8373c/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/ee657c68-7dd3-48de-ab74-ec7f13d8373c/

SH256 hash:

dd073f23a4b16333eb687e7b994e47c393fd38da8ecee7ac5174e82a50dd2d15

MD5 hash:

307b0e1293a53bf74719e8c2ce568073

SHA1 hash:

ff304310be7e584d04bd307d34cab86a27600a91

Link:

https://www.unpac.me/results/ee657c68-7dd3-48de-ab74-ec7f13d8373c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd073f23a4b16333eb687e7b994e47c393fd38da8ecee7ac5174e82a50dd2d15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.