MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
SHA3-384 hash:	57c07437eced945eef3fb89a98687ede05a195b079c2fb85c713a36210b89a2584b774db4893f36284d2e3de09f9a8e4
SHA1 hash:	610655c1b9ece833c5a625fc6db19d42e26e77bd
MD5 hash:	d2d3c3eff80cfd8a49e5edbf0f76d5d2
humanhash:	kitten-batman-lamp-white
File name:	Request For Quotation 01.300.TRGVH.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'182'208 bytes
First seen:	2022-10-24 08:04:58 UTC
Last seen:	2022-10-24 10:52:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:eg1eSzjOGWoU+jcEWE1S3rLP8eJBS2ONntbNeN868:egh9TUgobLEeJqNtN1
Threatray	3'565 similar samples on MalwareBazaar
TLSH	T1CC459CB622D51627E42972B59483E5F326FBAE406041E5C365D30F6FBC841BBD62338B
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	lowmal3
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

Request For Quotation 01.300.TRGVH.exe

Verdict:

Malicious activity

Analysis date:

2022-10-24 08:05:25 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/ab1b8a22-3877-4ddb-8996-b56019ab48d2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/323295/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d6a74c91-cdf2-422c-853b-c8d9fd1ae42d

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096303

Signature

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-10-22 14:09:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=42hlzfedk2yfmd7oa32ssokqiac73bekspgmig2iida5wmmkkqeq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2f152a8da309e2878e0414477e27d6d041237de92c90f15e371c26ed9344cc40

RemcosRAT

35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b

RemcosRAT

440cf58dc6b8e4724c669e148969ecd8d424c9bf6dbdec6e358fdca7e72b3734

RemcosRAT

56bc72f3b4276309ba8b16991e1534895eb11195fe2fdb4ae9d9afb8aafe43db

RemcosRAT

61a576cbf239d8e25ba3ea9109f42c1579287514f1a0921ae53c386c649dad67

RemcosRAT

881c36d477296d428586f4dbb755fe83e9f4a2555d5f7f3cb463c63703c101f7

RemcosRAT

90aad12150ce71c784cb7e091100e33bd37c4572d7a93b88fb9d6d08f96200a0

RemcosRAT

bf9b6173d2867c122cabed33c022cc71fa6a5bdf9be0fd09af88a9dde5ccac36

RemcosRAT

+ 3'555 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/221024-jyt42afdb4/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

51.75.209.245:2404

Unpacked files

SH256 hash:

1459ade80dd19b04b8d0037ce88f8f020b6c9d730e39fca181465355562f4b15

MD5 hash:

2c8b1b939947b35d647eb87373316fcb

SHA1 hash:

ec7b924e02076e3f6f1ba70d6990f7946c661d27

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/0007f4c6-b4dd-4096-8917-d234321481c8/

Parent samples :

e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
733ec6405b43d9ac4a266a3bfae9df34185cbd8147819f17851dd9d13c3b733b
b9a0c1222bea7c7a90eb111e5101dd2ca3355966af79dbd7a490498a8f3d6a58
bdb57463a45449889f971cc8f16abf66f695b00dabf917280ec6e7389916a0a2
f5758ccee5820f19251721999da1f927572f00bc472113638f2fb134d6599b68
8f6954e1834b49a24b8e937ff093f1e534f89691ce805ce2f14553315a18e651
8f2f7e3c4fdafd040879abd0e8fc0bcd7c4055217a4fac63e348ff391da62878
238e7b87bd6d152fce3ae3dbe8ea4a9f3b56c883944cb93695c58fdc20aad6e8
dfca7ce647ee8994cba9317516ce7f58b2b175f815fd5336dbfed34ccad5c4de
6af23878112166b4f2b99b4a7af53cf8c71ee4d0e27eead7eba335832e9449b4
d299c8e1864ae2089e28301ed127b86d92c3aeac935f35822479a018b025da59
f7ac248e39e55ccbf0b79fbfd3bbad23f00dd3e595d6f58166a70dfd82adb951
734e077ffd2beb5e2808ce5bf2d27f03757257d133794acad69bf80bee2e7348
c1cc5ad08f2796e777ab3006a88c3cfa5dc84b0d0bc5f95cb72cb73436220b4c
83d297c0de9846ebf9db06df45c0b09dd2751bbb2e487d9d6df1128a29da6d47
ff4eaf31a3a0f4f99fd9c71caa01388cd50a9917fc16625d549c470cf23cd68f
fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab
9bbad0b231f56f22855746de8883bb11d5cfc3b0888760ab47620d0538af8962
123b988cf46a721c113799db30e360848a05941032871f87d1ea6a12bd8e7f0f
f306fefee8114c023ad5056b16a490a82466e8bbf50296f2ecdac6a75123bd2d
fdc9196c194b31f7b221c487affe3d815775a436b1c26133fa6b1e8a9c252a51
4713512f84ba1fbb43666e1e0c5ef8f02d681c0fef3c469a13759d51018d1f0f
aa512df0ca1a0462046446c14ca5aaaa5255dc12b6aa06ea7662aff9d1b2eb41
a6655fefe6b0b32d5c94627d3b83a0d446fa329b162ac7f8409a1b8827b63abc
679f0dec60e8ac08f75b8e2731c1689544b9ae1d08a26e9c6607a7bad3941ebb
a84ffc6423f9efc057fcffadbf537056debc6b79d3d81a7dc4b16bd61a87b6ba
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
c8ce7d7a1b3511466f838f2b09f1a644ac2ceaa09f508a81a601cc5c576e18d4
df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
8758be9f226102217b3f28ffc1d6093dac1c9d5e8b3de32d85d150204169c10d
f34b65f828707e189c6197c3605e4b25bcd493e93bdb498bc91eeee6ac349d0b
da6d125701d41e2b9d6d9931b4747bbf6b3b4a6c0ca26311c7983fad94e22ef5
98479f2d5e3f5147ddd504bcc7bd1a2b0a3b06ff5525f313a55ce81efc67fc28

SH256 hash:

5701595245aa28b0399854bf6dfd307435fed8de83108a963536724db6871761

MD5 hash:

3da401fbfab7a2bdd9f2caf29f660ef6

SHA1 hash:

12ef0feee0f7be9e9dc30ef6f40864b141640b22

Link:

https://www.unpac.me/results/0007f4c6-b4dd-4096-8917-d234321481c8/

SH256 hash:

161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62

MD5 hash:

b460e7cd67e88a80f0b65f65d28b1c4c

SHA1 hash:

fef017687483cf2b5b9d5f8061b6f0645fdcf779

Link:

https://www.unpac.me/results/0007f4c6-b4dd-4096-8917-d234321481c8/

SH256 hash:

e7627a1470a58723ef9990e5ade2faf39982fb6cf264002f17b934e2f2e3d40b

MD5 hash:

8d557c40522361ea290d68a08df307ab

SHA1 hash:

339943a4d2e9d649edb8e71b0f6a576a8cecf755

Link:

https://www.unpac.me/results/0007f4c6-b4dd-4096-8917-d234321481c8/

SH256 hash:

678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5

MD5 hash:

2da433d67db4775d8f02a8fed4b31bf3

SHA1 hash:

235fe8f2076f3b5cfffacc574825550cee8e61e9

Link:

https://www.unpac.me/results/0007f4c6-b4dd-4096-8917-d234321481c8/

SH256 hash:

e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409

MD5 hash:

d2d3c3eff80cfd8a49e5edbf0f76d5d2

SHA1 hash:

610655c1b9ece833c5a625fc6db19d42e26e77bd

Link:

https://www.unpac.me/results/0007f4c6-b4dd-4096-8917-d234321481c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/323295/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample