MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732
SHA3-384 hash: d01aa49914694eec7ef1e263c7454a1ce7e165e9e3f69422087b140c952102c63571ec3376af23893a9f2d3d0be397a6
SHA1 hash: c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d
MD5 hash: 8a13608bb749ecaead86683f640007ef
humanhash: table-purple-juliet-zulu
File name:AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'122'816 bytes
First seen:2021-09-22 07:44:51 UTC
Last seen:2021-09-23 06:48:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:eXcecnzOiCIknZKLIvYBmGgUb65fy1lZKEkFKr:eXcJzOizEZKLIvYBv5b6w1uTKr
Threatray 1'191 similar samples on MalwareBazaar
TLSH T17335FE394D2682F747EEC66CD48C1BCEDEA6A4837B919F1AC496D7C2025B70FE48845C
Reporter cocaman
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-09-22 07:47:17 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/b0a40505-b751-4bfe-a2e7-c820027b26f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190095/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1037-1.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7fb30d4-888e-4348-870b-18f73b759f24
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855401
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Deletes itself after installation
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487832 Sample: AW QUOTE 21505 HQ1-Scan-068... Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 73 googlehosted.l.googleusercontent.com 2->73 75 github.com 2->75 77 2 other IPs or domains 2->77 87 Malicious sample detected (through community Yara rule) 2->87 89 Multi AV Scanner detection for dropped file 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 15 other signatures 2->93 14 AW QUOTE 21505 HQ1-Scan-068703_PDF.exe 3 2->14         started        18 windows.exe 2 2->18         started        20 windows.exe 2 2->20         started        signatures3 process4 file5 63 AW QUOTE 21505 HQ1...-068703_PDF.exe.log, ASCII 14->63 dropped 111 Injects a PE file into a foreign processes 14->111 22 AW QUOTE 21505 HQ1-Scan-068703_PDF.exe 4 5 14->22         started        signatures6 process7 file8 57 C:\Users\user\AppData\Roaming\...\windows.exe, PE32 22->57 dropped 59 C:\Users\user\...\windows.exe:Zone.Identifier, ASCII 22->59 dropped 61 C:\Users\user\AppData\Local\...\install.vbs, data 22->61 dropped 25 wscript.exe 1 22->25         started        process9 signatures10 109 Deletes itself after installation 25->109 28 cmd.exe 1 25->28         started        process11 process12 30 windows.exe 3 28->30         started        34 conhost.exe 28->34         started        file13 65 C:\Users\user\AppData\...\windows.exe.log, ASCII 30->65 dropped 113 Injects a PE file into a foreign processes 30->113 36 windows.exe 4 1 30->36         started        signatures14 process15 dnsIp16 79 103.156.92.178, 49743, 49752, 49935 TWIDC-AS-APTWIDCLimitedHK unknown 36->79 95 Detected Remcos RAT 36->95 97 Writes to foreign memory regions 36->97 99 Allocates memory in foreign processes 36->99 101 Injects a PE file into a foreign processes 36->101 40 windows.exe 36->40         started        43 windows.exe 36->43         started        45 windows.exe 36->45         started        47 2 other processes 36->47 signatures17 process18 signatures19 103 Tries to steal Instant Messenger accounts or passwords 40->103 105 Tries to steal Mail credentials (via file access) 40->105 107 Tries to harvest and steal browser information (history, passwords, etc) 43->107 49 chrome.exe 47->49         started        52 chrome.exe 47->52         started        process20 dnsIp21 67 192.168.2.1 unknown unknown 49->67 69 192.168.2.4 unknown unknown 49->69 71 239.255.255.250 unknown Reserved 49->71 54 chrome.exe 49->54         started        process22 dnsIp23 81 googlehosted.l.googleusercontent.com 142.250.180.193, 443, 49867 GOOGLEUS United States 54->81 83 clients.l.google.com 142.250.180.206, 443, 49767, 63622 GOOGLEUS United States 54->83 85 8 other IPs or domains 54->85
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 07:45:07 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43ulwi5mnnuodven3apwaesfdvrlfex5veka4yas72lqfkzig4za._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
RemcosRAT
62960caf3d007638be89631e502733f30c42a9ba0269e8c00457c9dec10e9136
RemcosRAT
8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3
RemcosRAT
995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075
RemcosRAT
b1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
bc6387778b4a0caf34719e4de78d1ea6ecd96ba40a2e1e0997ae91dfe221807e
RemcosRAT
da71644ee66cad527be192aefdfb9e5c70f0977d111d95e3591c8221aca1ccfc
RemcosRAT
ded1412f9509d9fbc0c48687c3611d6cd8356ff0f00a9a2c5836890a5df03925
RemcosRAT
ee3e1ff02ef8c163c2472764b0f380528809ab305de242bd049c0f99c8ffdddd
RemcosRAT
+ 1'181 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft persistence phishing rat spyware stealer
Link:
https://tria.ge/reports/210922-jld72sbhf3/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
103.156.92.178:7006
Unpacked files
SH256 hash:
b559f386275aad8240ea7fc268ac8ce9b737c72882857852c6aac7c2a430faca
MD5 hash:
b5f9ad51cd99b7f3d09625720c773cd0
SHA1 hash:
e49df8d02d1c9d3bdb1fa73a64ac00c86ce44fec
Link:
https://www.unpac.me/results/59951a12-d65e-43fa-9558-c45332417d05/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/59951a12-d65e-43fa-9558-c45332417d05/
SH256 hash:
a400418ea401da0c42e261ea4bca53becca2fc4c4d050a726c23235495e536d4
MD5 hash:
ab2972ee014bd12f0c67e43988e1fc09
SHA1 hash:
5fc727a872f1b216d2dab14097883ae4d796dc6d
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/59951a12-d65e-43fa-9558-c45332417d05/
SH256 hash:
e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732
MD5 hash:
8a13608bb749ecaead86683f640007ef
SHA1 hash:
c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d
Link:
https://www.unpac.me/results/59951a12-d65e-43fa-9558-c45332417d05/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c

RemcosRAT

Executable exe e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c
Cape
Cape
https://www.capesandbox.com/analysis/190095/

Comments