MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac
SHA3-384 hash: e97f5ace31570f5f4281c291e6f6833d2a1b8040ae3a2dc7f6009b0d510a5761d9ad5e19c6fd4a8079c4d8a1fa120a2b
SHA1 hash: 855d9c4836f9cacfcc8697cc5df13a1ab1cb1cc8
MD5 hash: bfb8a6623ef181008368187face7cfe3
humanhash: early-alabama-golf-berlin
File name:ORDER SHEET NSCE20221122.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'253'376 bytes
First seen:2022-11-26 15:17:47 UTC
Last seen:2022-11-28 08:41:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:1M+L74mBfNUstzo93r8JNRbCZjkBZBMfdepjIMRtQV/a3IRuhz8b9JuScUwugIyT:eIVCuB3OIV/w/a3Iw98b9JuScdu9U
Threatray 7'975 similar samples on MalwareBazaar
TLSH T19E459D4F2B7FDDF0EB245CFB221457039D3652DABA8ACAB843984BC660F261C5B70564
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ORDER SHEET NSCE20221122.exe
Verdict:
Malicious activity
Analysis date:
2022-11-26 15:20:54 UTC
Tags:
trojan rat remcos stealer keylogger
Link:
https://app.any.run/tasks/e3246224-3351-4e55-b81f-476d1e03e85a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338803/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1681.32169.31346.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63822e2c090ea3f049349dfb/reports/318a46d4-d6a3-4e53-b761-26c80903a1ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1879eff0-e7ba-4e34-9c17-65bf4739cd0b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121628
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754345 Sample: ORDER SHEET NSCE20221122.exe Startdate: 26/11/2022 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 12 other signatures 2->48 8 ORDER SHEET NSCE20221122.exe 3 2->8         started        process3 file4 32 C:\Users\...\ORDER SHEET NSCE20221122.exe.log, ASCII 8->32 dropped 11 ORDER SHEET NSCE20221122.exe 2 17 8->11         started        16 ORDER SHEET NSCE20221122.exe 8->16         started        process5 dnsIp6 38 valvesco.duckdns.org 85.31.46.94, 49700, 49703, 5050 CLOUDCOMPUTINGDE Germany 11->38 40 geoplugin.net 178.237.33.50, 49704, 80 ATOM86-ASATOM86NL Netherlands 11->40 34 C:\ProgramData\remcos\logs.dat, data 11->34 dropped 56 Maps a DLL or memory area into another process 11->56 58 Installs a global keyboard hook 11->58 18 ORDER SHEET NSCE20221122.exe 1 11->18         started        21 ORDER SHEET NSCE20221122.exe 1 11->21         started        23 ORDER SHEET NSCE20221122.exe 11->23         started        25 21 other processes 11->25 file7 signatures8 process9 dnsIp10 50 Tries to steal Instant Messenger accounts or passwords 18->50 52 Tries to steal Mail credentials (via file / registry access) 18->52 36 192.168.2.1 unknown unknown 25->36 54 Tries to harvest and steal browser information (history, passwords, etc) 25->54 28 WerFault.exe 25->28         started        30 WerFault.exe 25->30         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 02:05:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lxm7vaswaqkwr2itaxlores3hioc5urdv3ouauyo46r5dzp2swa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
4c26268e01117b5cf41d2f14689452912d708e64af0040ed75a40c94b0a943ea
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
RemcosRAT
+ 7'965 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:auto collection rat spyware stealer
Link:
https://tria.ge/reports/221126-splkzagc3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
valvesco.duckdns.org:5050
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6412ec38-3c30-4028-a91d-4c35aa5851aa
Unpacked files
SH256 hash:
714466cd06683ee6c11ed36a27efce3d8adff7093938ad28eae58a2d9541cbbf
MD5 hash:
d65c0c00f5484a12f830b644cc30c43c
SHA1 hash:
bee1502b957dcd6f92053a4dd0e603d61ed2a5d1
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb32bb0d-92e2-47ae-9b3d-ddd9a000d4ec/
Parent samples :
dad8d517b4d8c9c237085ebd5c4e36a964eb8a10f723c92799241572a146f409
32c43439c840febd8ee477a50e80745068c13a938654ca9bd786cb6f74a49558
68d44e1e8d9f36a90db840802afc7b45b08a982431c1b9355771c39e8904f9c7
eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac
ca241f16b1ac84b101cdfcd8aa9afea521636dba24a5ffe08316c5da4bd68390
SH256 hash:
7d50a3e0ecc373e93b6256bf07a823ee4658a0f69677d3cb74e711870a2dd439
MD5 hash:
9ed0199ae1040ac841265d50d4cad946
SHA1 hash:
b6208604281353887bb2dc720f9d748a24633992
Link:
https://www.unpac.me/results/fb32bb0d-92e2-47ae-9b3d-ddd9a000d4ec/
SH256 hash:
00e235f40a9e794b9d6cb9fb9244e321a4e632951bdb809044b0e2af07b98d35
MD5 hash:
48c6f000da9a80f92b48ef6099fa8a37
SHA1 hash:
9b43df5e56005d1ee03f16ff02f26e76272aca7c
Link:
https://www.unpac.me/results/fb32bb0d-92e2-47ae-9b3d-ddd9a000d4ec/
SH256 hash:
b6c4b34aee6177f4eee8c5bbd342057c39d16c6d9f80e56ee88008ea82973628
MD5 hash:
20270d92c1f927024e662a2b421e1fe4
SHA1 hash:
57850374b5519822c068c08adaf0ee395c612c41
Link:
https://www.unpac.me/results/fb32bb0d-92e2-47ae-9b3d-ddd9a000d4ec/
SH256 hash:
31b663b91f11b8f7da1d8bd87f8532e563f301754b1ca2c0a97c2f358ad116dd
MD5 hash:
ba1868faf5de09265b89c44732c1ab3d
SHA1 hash:
38997e35e0c68866a2a6e4a7356252e1f252e2e5
Link:
https://www.unpac.me/results/fb32bb0d-92e2-47ae-9b3d-ddd9a000d4ec/
SH256 hash:
eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac
MD5 hash:
bfb8a6623ef181008368187face7cfe3
SHA1 hash:
855d9c4836f9cacfcc8697cc5df13a1ab1cb1cc8
Link:
https://www.unpac.me/results/fb32bb0d-92e2-47ae-9b3d-ddd9a000d4ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eaeecfd412b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe eaeecfd412b020ab4748982eb74492d9d0e176911d76ea0298773d1e8f2fd4ac

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/338803/

Comments