MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
SHA3-384 hash: 66dced5bb7ad9186a843f7eb870607e6355ddd0976f785f306836a04804a4ececaccc778c9335606bb2a72c34a085403
SHA1 hash: 8fb4067bf05ffeb0c16b9ac9ea38507889ca07b0
MD5 hash: 4b08b3e2d346591d2f805256c63a8875
humanhash: william-maine-twenty-social
File name:INVB0987678000090000.BAT
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:925'696 bytes
First seen:2023-12-12 13:57:42 UTC
Last seen:2023-12-12 15:28:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:7pItSAdsBeO/ECXs95roy+qdi3E4RPrgjizt:9tpekEGs9DdEkjiz
Threatray 569 similar samples on MalwareBazaar
TLSH T19D15231032BEA355EEB647F610A50568A3FE7BAB3422CB0C5ED471CD6D75F821112AE3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:bat exe QUOTATION RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
INVB0987678000090000.BAT
Verdict:
Malicious activity
Analysis date:
2023-12-12 13:58:20 UTC
Tags:
rat remcos stealer keylogger
Link:
https://app.any.run/tasks/0e8afd23-03af-4d27-8a17-bf6d3d97ac1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/466406/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop24.32075.19887.27060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed remcos
Link:
https://www.filescan.io/uploads/657866f156d08f7811af70de/reports/0864e045-672c-429c-8494-9574d601c96e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97103018-e759-459a-b697-82a83316ab3b
Result
Threat name:
Remcos, zgRAT
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360182
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1360182 Sample: INVB0987678000090000.BAT.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 52 geoplugin.net 2->52 62 Snort IDS alert for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 12 other signatures 2->68 8 INVB0987678000090000.BAT.exe 7 2->8         started        12 okDinu.exe 5 2->12         started        signatures3 process4 file5 46 C:\Users\user\AppData\Roaming\okDinu.exe, PE32 8->46 dropped 48 C:\Users\user\AppData\Local\Temp\tmpD.tmp, XML 8->48 dropped 70 Tries to steal Mail credentials (via file registry) 8->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 8->72 74 Contains functionality to modify clipboard data 8->74 82 2 other signatures 8->82 14 INVB0987678000090000.BAT.exe 3 15 8->14         started        19 powershell.exe 22 8->19         started        21 powershell.exe 22 8->21         started        23 schtasks.exe 1 8->23         started        76 Contains functionality to bypass UAC (CMSTPLUA) 12->76 78 Contains functionalty to change the wallpaper 12->78 80 Machine Learning detection for dropped file 12->80 84 4 other signatures 12->84 25 schtasks.exe 12->25         started        27 okDinu.exe 12->27         started        signatures6 process7 dnsIp8 54 107.175.229.139, 49706, 49708, 8087 AS-COLOCROSSINGUS United States 14->54 56 geoplugin.net 178.237.33.50, 49709, 80 ATOM86-ASATOM86NL Netherlands 14->56 50 C:\ProgramData\remcos\logs.dat, data 14->50 dropped 58 Maps a DLL or memory area into another process 14->58 60 Installs a global keyboard hook 14->60 29 INVB0987678000090000.BAT.exe 14->29         started        32 INVB0987678000090000.BAT.exe 14->32         started        34 INVB0987678000090000.BAT.exe 2 14->34         started        44 3 other processes 14->44 36 conhost.exe 19->36         started        38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        file9 signatures10 process11 signatures12 86 Tries to steal Instant Messenger accounts or passwords 29->86 88 Tries to steal Mail credentials (via file / registry access) 29->88 90 Tries to harvest and steal browser information (history, passwords, etc) 32->90
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 23:15:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bnmiyulypgh3j2srfheor44f6ctf3k4jbmuhn5lw2akphknxkoa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1acf4214e296a724d9f3de5a07c317dc9d3e2eb5e065fc4500201c86bc6c61da
RemcosRAT
1ff764ec5a79ed2072a558af6de49b863e9e5683e63b3c070e86c9d1b7814f4d
RemcosRAT
3c876330813f7eb05337936087aded09bf2519c7fae432d92604df346fe7b352
RemcosRAT
9c0346e08a28cec8ab5be231e650450bbf64ebc42a14169e755ed9badef3b630
RemcosRAT
cd10c10c18af02c84db0cfc309c6357897bb6b07f987ba38a3eb83781ca63f24
RemcosRAT
+ 559 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:zgrat botnet:remotehost rat
Link:
https://tria.ge/reports/231212-q9te7sdhgr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Detect ZGRat V1
Remcos
ZGRat
Malware Config
C2 Extraction:
107.175.229.139:8087
Unpacked files
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/61666593-66b9-4664-8db0-a6ef5ddb1234/
SH256 hash:
783074a4e3ea1f0977f02f8e8457ab7cb35340f31f686071fc08d378b1182138
MD5 hash:
f0401eb8fb4f3d96231bd8f9f7b0b58d
SHA1 hash:
b961f05f985fb210d4889af3b8cef6fdc646f7a7
Link:
https://www.unpac.me/results/61666593-66b9-4664-8db0-a6ef5ddb1234/
SH256 hash:
1d5d05f977665e72d96f0cfa60de530d7912a51f44464e805c468b73f53eaf11
MD5 hash:
229284f8cddfa43ac54a0e60196e709b
SHA1 hash:
27bc5b44cc9c2689482a4f622a092beb94bbda8c
Detections:
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/61666593-66b9-4664-8db0-a6ef5ddb1234/
Parent samples :
03e1b46d2f7cd22416f24a7d5f4eabc8dd2b3de80b8b8cdc8d360f02ed1d931f
9c365f7df9b2bb958a53890dc80a258de1f5ea0781155f7c2b3741b9dd593867
fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
2db991b9ae725ec59f9a29654e4c5f8d2bf363662cfa8d271a8692fea4883744
dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea
f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
3de39937dbba16980b665dcf03505af8bd11a77a9f09d8e5ca69837932a9340e
cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
SH256 hash:
7d968ee2ec1bf4c1bf9228f8f2794675de987ac83bac5f8c608963526a435ed3
MD5 hash:
1845455753429aeee7c7762ef407d8ea
SHA1 hash:
050f55f9458f419c8fec7b31cf80542849d33a76
Link:
https://www.unpac.me/results/61666593-66b9-4664-8db0-a6ef5ddb1234/
SH256 hash:
f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
MD5 hash:
4b08b3e2d346591d2f805256c63a8875
SHA1 hash:
8fb4067bf05ffeb0c16b9ac9ea38507889ca07b0
Link:
https://www.unpac.me/results/61666593-66b9-4664-8db0-a6ef5ddb1234/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f05ac4628bc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a

RemcosRAT

Executable exe f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0432cb3a657e9bbc9d6ab246cba8191af7a85bae164488f1e680947c8c377e3a
Cape
Cape
https://www.capesandbox.com/analysis/466406/
  
Dropped by
MD5 08571874c5e7e72fac33591d8f0a0e18

Comments