MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0
SHA3-384 hash: 7ab19b6688afb61fd1e7c396dc1811bce78b90370716b9fdb9bee6dcd4665ca79c1581ea243857b9cd52949246ff0555
SHA1 hash: fd92ca627cc15e4ed350478fa5aa575ef39adacf
MD5 hash: cd4bacd0528a0f7efdea9be27414c6e7
humanhash: saturn-potato-hamper-arizona
File name:Arrival notice.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:955'392 bytes
First seen:2023-04-04 22:18:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:I4stXCxGE7FyfV3RuK7EmImLu6krd2ks1v2bZ4OQN2EjWPPtiUQ+8+t5pX5PO9PD:IBtXkGEiVMcENmL1aeOQDoi+pX5eoHw
Threatray 1'788 similar samples on MalwareBazaar
TLSH T1C815221CABAD7616C7BE4F75C073260183711829BE72F76E1EC868A60E32754D952BC3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4c3c6e6ce4a0c044 (5 x AgentTesla, 4 x Loki, 2 x SnakeKeylogger)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Arrival notice.exe
Verdict:
Malicious activity
Analysis date:
2023-04-04 22:19:43 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/e1daf12e-4b6d-450e-baaa-13f99a881243

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380136/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.10051.12933.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642ca25719388fad3c37f7c2/reports/5ec6b54f-bcc5-476a-a4ca-af37d9965388/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fa84f5c-7ec8-4683-9b0d-9005ed2f778e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208452
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 841364 Sample: Arrival_notice.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for dropped file 2->68 70 8 other signatures 2->70 10 Arrival_notice.exe 3 2->10         started        14 oos.exe 2->14         started        16 oos.exe 2 2->16         started        18 oos.exe 2 2->18         started        process3 file4 54 C:\Users\user\...\Arrival_notice.exe.log, CSV 10->54 dropped 76 Contains functionality to steal Chrome passwords or cookies 10->76 78 Contains functionality to inject code into remote processes 10->78 80 Contains functionality to steal Firefox passwords or cookies 10->80 82 Delayed program exit found 10->82 20 Arrival_notice.exe 5 4 10->20         started        23 oos.exe 14->23         started        25 oos.exe 14->25         started        27 oos.exe 16->27         started        29 oos.exe 18->29         started        signatures5 process6 file7 48 C:\Users\user\AppData\Roaming\oos.exe, PE32 20->48 dropped 50 C:\Users\user\...\oos.exe:Zone.Identifier, ASCII 20->50 dropped 52 C:\Users\user\AppData\Local\...\install.vbs, data 20->52 dropped 31 wscript.exe 1 20->31         started        process8 dnsIp9 62 192.168.2.1 unknown unknown 31->62 34 cmd.exe 1 31->34         started        process10 process11 36 oos.exe 3 34->36         started        39 conhost.exe 34->39         started        signatures12 72 Multi AV Scanner detection for dropped file 36->72 74 Machine Learning detection for dropped file 36->74 41 oos.exe 2 16 36->41         started        46 oos.exe 36->46         started        process13 dnsIp14 58 xpremcuz300622.ddns.net 109.206.243.117, 3542, 49696 AWMLTNL Germany 41->58 60 geoplugin.net 178.237.33.50, 49697, 80 ATOM86-ASATOM86NL Netherlands 41->60 56 C:\ProgramData\remcos\logs.dat, data 41->56 dropped 84 Installs a global keyboard hook 41->84 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-04-04 12:07:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
15 of 24 (62.50%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fvo3f5ythl47q33ekpqix3lq5rd7gv5s6yvevx2mmrgqxfsyxya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4cd864cf3d39baff963a023423237dd164ce0e5de001d1397031b74c3b26691e
RemcosRAT
51cd8a9f4c1a4ef234ad2b69e36415377a4f73afa08f9b69d85f7bdc30d17bb8
RemcosRAT
910d9b435b172c50ad6cde23d820b4e1f07197e82ecdece15a74fbe750584378
RemcosRAT
dfdfddf99781b2553c12dc0eaa764c585279eaa29b70654a11bdc238b6af945e
RemcosRAT
dff9dfa64f1a603197abded9f5942b83efab0c71520a4fe028ba8fb79cfe7b11
RemcosRAT
e93e5b0f594a010610642083421a9609b380eed335cba10a1138ca31e44c4166
RemcosRAT
f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f
RemcosRAT
fb1947ffed6c5538fc714caa887ad1ef47185a1e76fac318cd7b7a8216561619
RemcosRAT
+ 1'778 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:xp persistence rat
Link:
https://tria.ge/reports/230404-18g1wsad36/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
xpremcuz300622.ddns.net:3542
Unpacked files
SH256 hash:
e5db62eb9602eb4e7b1d2eda848b5f65f1ac35bc90e9127f4777b09493f1fcec
MD5 hash:
9705fef6bfdfbb7e9546fb9a9d1e4afc
SHA1 hash:
e74765ab9298b57cbad7927d693261c78075169d
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/36d48c11-a36e-40a3-8d72-7ce71765b8f7/
Parent samples :
703b4d505cd05c228e0cf681a542262dc98211cf2e4eb26102283b5b7efa29ee
4fb64a4a1e0876e8cdd9afcd6c62c908f1b2441692dcd83c430b4606272689d9
3639a796055969929b98a8a34fde77d9a0f79242ec6f012fea2dc14a98752a32
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618
00233105478fa8030ed5921ce8bd12897acf1e713f76b0cb335afb3df76d8aae
b893cb34f5bdccee94379aed6977ed09b939716cb1e982fb9a88a6ca1e4c1029
d4efc7df4617d7aa2c8d0c1fb399706c3ca1820d84ddd51d7b59df21141aa773
8b5f51bac1e86642f29d33ce68e4ca56edecb6c76c39d936309e6b4c1d1e8554
72c3d2d704faab4352ac7a4dd9a7b21501e07aa8a6f9fa9f1ea7f4d0849cedda
be9fe1cd741c239b0ce1b3edc3fb8f87445acf71ab2fb5346197e50c2da66968
fccf5521a09be0f003c6415ee7c87cd98cd109511ef7f79990e4386fcca0ae25
43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c
42aa64afaf836bf9a44554d469c52d65cb987edfbe66300cd92663d8f31a188c
4fb5476bfc11cb3da1feffa767cc7abb70040bd0b11c0e26a7e4d2bdc2d5e049
d35305729959edc2c2f6821a1460ea8b1680ad5083a649080df614221c02492e
99d28200203baac82a7253419526711f38d7ecb1a6098f243c8656adc72ef6d8
bf5a377899f6233ee48281997d6c23ae42f78319f6368e946ffa78de01fa307d
0a52296b98cc01f0fd275dda6fb76f1f4193647528d1ea62f3cbc605a97af553
51cd8a9f4c1a4ef234ad2b69e36415377a4f73afa08f9b69d85f7bdc30d17bb8
32c38d159ca596fc6f8696c7462299312a8b243dd4ea75086946494f5c5cd801
f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa
ad3a4db849a64ea07922d63153d3381798b4450f28d8db82c95393a5f6aaa569
cd53007fc79e7078155fef915142ca15d695c3a1ba6494d3027365cf24157f5a
6f156a6c661f4b68eb1be00e5a1be53fb80f05af516ef4dcdd7d3e937a1db580
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/36d48c11-a36e-40a3-8d72-7ce71765b8f7/
SH256 hash:
a06d486fe542903c94502597d35b1672d113c00b38cf6542701ca995dc2d47a8
MD5 hash:
bbd742c483c584d4e666ffd60435144e
SHA1 hash:
3bf8b7c289a313cecb4933d5cdaf58cfb2980b98
Link:
https://www.unpac.me/results/36d48c11-a36e-40a3-8d72-7ce71765b8f7/
SH256 hash:
280493266d0e70151c206fc4c497f4c4abef9400a1f90ac775c0931e35e3db68
MD5 hash:
0a0f2270afa1f7eb98c42d7467b1bee1
SHA1 hash:
22a923ed5a9a3ba8cfc2928202aa8ba28edbdf3e
Link:
https://www.unpac.me/results/36d48c11-a36e-40a3-8d72-7ce71765b8f7/
SH256 hash:
4066770f764759528bbba7e735adddef68d4d2da95361f4c3226d9c90a54ddb4
MD5 hash:
d75432b85284002e26663a8f7da2a527
SHA1 hash:
0020692f9f8420f0852493c2133e0cc97dfa187b
Link:
https://www.unpac.me/results/36d48c11-a36e-40a3-8d72-7ce71765b8f7/
SH256 hash:
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0
MD5 hash:
cd4bacd0528a0f7efdea9be27414c6e7
SHA1 hash:
fd92ca627cc15e4ed350478fa5aa575ef39adacf
Link:
https://www.unpac.me/results/36d48c11-a36e-40a3-8d72-7ce71765b8f7/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e96aed97b899/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380136/

Comments