MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5349a064403917e3f1c3aa1cb2f18e4a09477242eb9f7bee5a80c724b1a49ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5349a064403917e3f1c3aa1cb2f18e4a09477242eb9f7bee5a80c724b1a49ab
SHA3-384 hash: 11f05805cf695273684b7a5ef180666f61ed69370eefedd8afb87b8658de63d0cac0ec6b1b45a010445622bd79cad618
SHA1 hash: 82380f52d8318937317fcaacdacf4042f22d4532
MD5 hash: 72eedd184b2467692ddc850ae10edc18
humanhash: uncle-nuts-river-magnesium
File name:SADR LOGIS RFQ 8548097 2013.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'016'320 bytes
First seen:2023-05-25 13:20:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:XETmIt9BEP8Ffzm97uGM6UPymAcAAdMW7qsEUEFkbC2dAT:UTbBe8F787uGqKwdJqsEFkbrdAT
Threatray 3'679 similar samples on MalwareBazaar
TLSH T1CF2523D0A9455704E6A717344065EAF007BBDFAE3AB6E77B2C83E5D5F602B46008372B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f89cb2b02cb9f060 (7 x SnakeKeylogger, 5 x Loki, 3 x Formbook)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SADR LOGIS RFQ 8548097 2013.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 13:23:26 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/61266d74-d693-498f-80f7-d0c7478fadfd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391684/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2048.24370.30391.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/646f60c21d162541e4be9004/reports/bb10565a-82bc-4b9b-a6a1-51bc35f2e764/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e5349a064403917e3f1c3aa1cb2f18e4a09477242eb9f7bee5a80c724b1a49ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e86724a2-288c-45a6-b15b-f284b2684435
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242649
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 875663 Sample: SADR_LOGIS_RFQ_8548097_2013.exe Startdate: 25/05/2023 Architecture: WINDOWS Score: 100 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for URL or domain 2->87 89 9 other signatures 2->89 9 SADR_LOGIS_RFQ_8548097_2013.exe 7 2->9         started        13 WacFUXkUzU.exe 5 2->13         started        15 Date.exe 2->15         started        17 2 other processes 2->17 process3 file4 71 C:\Users\user\AppData\...\WacFUXkUzU.exe, PE32 9->71 dropped 73 C:\Users\...\WacFUXkUzU.exe:Zone.Identifier, ASCII 9->73 dropped 75 C:\Users\user\AppData\Local\...\tmp7FFD.tmp, XML 9->75 dropped 77 C:\...\SADR_LOGIS_RFQ_8548097_2013.exe.log, ASCII 9->77 dropped 101 Contains functionality to bypass UAC (CMSTPLUA) 9->101 103 Contains functionality to steal Chrome passwords or cookies 9->103 105 Uses schtasks.exe or at.exe to add and modify task schedules 9->105 113 4 other signatures 9->113 19 SADR_LOGIS_RFQ_8548097_2013.exe 2 4 9->19         started        22 powershell.exe 19 9->22         started        24 powershell.exe 19 9->24         started        26 schtasks.exe 1 9->26         started        107 Multi AV Scanner detection for dropped file 13->107 109 Machine Learning detection for dropped file 13->109 28 schtasks.exe 13->28         started        30 WacFUXkUzU.exe 13->30         started        111 Injects a PE file into a foreign processes 15->111 32 schtasks.exe 15->32         started        34 Date.exe 15->34         started        36 3 other processes 15->36 signatures5 process6 file7 67 C:\ProgramData\Remcos\Date.exe, PE32 19->67 dropped 69 C:\ProgramData\...\Date.exe:Zone.Identifier, ASCII 19->69 dropped 38 Date.exe 19->38         started        41 conhost.exe 22->41         started        43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        47 conhost.exe 28->47         started        49 conhost.exe 32->49         started        process8 signatures9 93 Multi AV Scanner detection for dropped file 38->93 95 Machine Learning detection for dropped file 38->95 97 Adds a directory exclusion to Windows Defender 38->97 99 Injects a PE file into a foreign processes 38->99 51 Date.exe 38->51         started        55 powershell.exe 38->55         started        57 powershell.exe 38->57         started        59 schtasks.exe 38->59         started        process10 dnsIp11 79 212.193.30.230, 2286, 3330, 49714 SPD-NETTR Russian Federation 51->79 81 45.139.105.174, 2210 CMCSUS Italy 51->81 91 Installs a global keyboard hook 51->91 61 conhost.exe 55->61         started        63 conhost.exe 57->63         started        65 conhost.exe 59->65         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5349a064403917e3f1c3aa1cb2f18e4a09477242eb9f7bee5a80c724b1a49ab/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 08:27:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4u2jubseaoix4py4hkq4wlyy4sqji5zef247ppxfvaghesy2jgvq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00cf6e9a873007d1f11859d3e30c85bda6f137cfbc53cd0bc9a4ac77a6ad5b04
RemcosRAT
1bdb8590762f40393359ab5a12face2f6affce13834fb427d800e4eb2fdb0e63
RemcosRAT
4229ac95a7cd9cc9eb93d0d77a73c9120aff761dbaf18fd51b23dfa766408137
RemcosRAT
6ddf5058c73b0024c0d43b1b886aa3de7454944643da1f95f1ab52d97510535a
RemcosRAT
9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447
RemcosRAT
ab08bdbb5cee3c7c6fe2d7de4c8b7c383316fe7e7dd467f6dfa81dfbe443680b
RemcosRAT
b3fbab4d8090fb6109b890d24c1e457db6e3f6bd5e17c6be2f2cb8448d53d5ab
RemcosRAT
cd3f84c42ebdd57e9b3679216ef581b466aa1a646728156155a41055b070e788
RemcosRAT
da108473566740a4ecd7f86677ee7a22779808be300f3329ca4a6d8877d0fcdf
RemcosRAT
e5a75ed3a164d322279af143c007028a5e94a52c11e4fa674c37a48c79237d27
RemcosRAT
+ 3'669 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/230525-qlnj2sad37/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
45.139.105.174:2210
212.193.30.230:6320
212.193.30.230:2286
212.193.30.230:3330
Unpacked files
SH256 hash:
c7a696fe8a83f3e23522c16a2b6ad01265c0e4211c26e61409b31aca1215a1c6
MD5 hash:
7cf90bac700d55dbcf30fb58a679f705
SHA1 hash:
9a38a06fc5952900b1bd12747f0f9747354de6c3
Link:
https://www.unpac.me/results/d2d7fecb-872a-49d4-b52f-17274d0bed62/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/d2d7fecb-872a-49d4-b52f-17274d0bed62/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb
MD5 hash:
803e0c67b76960ff5d9ccb360ba9636b
SHA1 hash:
836d339682618638c6b2e3d156ad66a56e4f9ba5
Link:
https://www.unpac.me/results/d2d7fecb-872a-49d4-b52f-17274d0bed62/
SH256 hash:
a0fe91207f830186deb7d2d019a7499a3ab182985a123b5ba95806b1120a16d7
MD5 hash:
302baaa18eb3244a11f2ba51d496f124
SHA1 hash:
50c17e3cdee9086181fb11771db00b4d7964d5af
Link:
https://www.unpac.me/results/d2d7fecb-872a-49d4-b52f-17274d0bed62/
SH256 hash:
e6ecc640876e676a08ee2d1b9e8e06329930dea9c4319fe6502dc5a9c9e14d35
MD5 hash:
be0604a399ab6ba90dd0519e33bd32a8
SHA1 hash:
353f916d2674aa66fe0b06e0b70f42231de3b52d
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d2d7fecb-872a-49d4-b52f-17274d0bed62/
Parent samples :
814e073523aed94d4433e76ef0d0ecaa94224313fb4e54e6716b26e22f06e5ac
d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0
e5349a064403917e3f1c3aa1cb2f18e4a09477242eb9f7bee5a80c724b1a49ab
a11f84458eb6e2663905a5f98596fb495ae8b813cd28f3cda787377976168453
SH256 hash:
e5349a064403917e3f1c3aa1cb2f18e4a09477242eb9f7bee5a80c724b1a49ab
MD5 hash:
72eedd184b2467692ddc850ae10edc18
SHA1 hash:
82380f52d8318937317fcaacdacf4042f22d4532
Link:
https://www.unpac.me/results/d2d7fecb-872a-49d4-b52f-17274d0bed62/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5349a064403/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/391684/

Comments