MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
SHA3-384 hash: f604b52eec57cd16d9402b24f015d33bf125561d5be25f50480cdb429b6dad32fdde64f82ce23d945034c21667c2541c
SHA1 hash: 8b4844157d313775e1d08ef00254665a6dc2c39b
MD5 hash: 5156850b1a68f4643b8fd4d59b6b0b75
humanhash: hamper-arkansas-undress-mirror
File name:Confirmation transfer MT103 Ref_002735672.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'132'544 bytes
First seen:2023-03-31 23:17:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:dAVZ9OiCs4UpxfaZuBkHdK6Cgd68Q/ZiyDB2+MW9p64Hiz:+3Ys4UpMuGHdI8QL4/W9p3H
Threatray 2'432 similar samples on MalwareBazaar
TLSH T1FA352246EA514622C37F83BA14A18941C7BCB2D7AB01E38ADE4CA8D71CF53D04E1F59B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Confirmation transfer MT103 Ref_002735672.exe
Verdict:
Malicious activity
Analysis date:
2023-03-31 23:18:38 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/db0489e7-57b9-410c-b91d-4c089c2f05ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/379110/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64276a2bd1b7f0d264f972fd/reports/fd6e718f-fff5-49be-8494-73d29e317593/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5952b3ae-28c1-421c-a4de-934d3e00ab8c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1206164
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839080 Sample: Confirmation_transfer_MT103... Startdate: 01/04/2023 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Sigma detected: Scheduled temp file as task from temp location 2->82 84 8 other signatures 2->84 9 Confirmation_transfer_MT103_Ref_002735672.exe 7 2->9         started        13 SfXstPVdvOAUd.exe 3 2->13         started        15 remcos.exe 2->15         started        17 2 other processes 2->17 process3 file4 66 C:\Users\user\AppData\...\SfXstPVdvOAUd.exe, PE32 9->66 dropped 68 C:\...\SfXstPVdvOAUd.exe:Zone.Identifier, ASCII 9->68 dropped 70 C:\Users\user\AppData\Local\...\tmp23EE.tmp, XML 9->70 dropped 72 Confirmation_trans...f_002735672.exe.log, ASCII 9->72 dropped 94 Contains functionality to bypass UAC (CMSTPLUA) 9->94 96 Contains functionalty to change the wallpaper 9->96 98 Contains functionality to steal Chrome passwords or cookies 9->98 106 4 other signatures 9->106 19 Confirmation_transfer_MT103_Ref_002735672.exe 2 4 9->19         started        22 powershell.exe 21 9->22         started        24 schtasks.exe 1 9->24         started        100 Multi AV Scanner detection for dropped file 13->100 102 Machine Learning detection for dropped file 13->102 104 Injects a PE file into a foreign processes 15->104 26 schtasks.exe 15->26         started        28 remcos.exe 15->28         started        34 2 other processes 15->34 30 schtasks.exe 17->30         started        32 schtasks.exe 17->32         started        36 3 other processes 17->36 signatures5 process6 file7 62 C:\ProgramData\Remcos\remcos.exe, PE32 19->62 dropped 64 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 19->64 dropped 38 remcos.exe 5 19->38         started        41 conhost.exe 22->41         started        43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        process8 signatures9 86 Multi AV Scanner detection for dropped file 38->86 88 Machine Learning detection for dropped file 38->88 90 Adds a directory exclusion to Windows Defender 38->90 92 Injects a PE file into a foreign processes 38->92 51 remcos.exe 38->51         started        54 powershell.exe 38->54         started        56 schtasks.exe 38->56         started        process10 dnsIp11 74 fresh03.ddns.net 103.169.34.187, 34110, 49698 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 51->74 76 geoplugin.net 178.237.33.50, 49699, 80 ATOM86-ASATOM86NL Netherlands 51->76 58 conhost.exe 54->58         started        60 conhost.exe 56->60         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 05:56:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6psn2vaxm3gxuoxzd34wjoi55vrs6e7l42n5j626vxkwhqbaobmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197
RemcosRAT
0771775f6646f28170c196d4ddba3ecdd1b0ada28c15dcc5b85f5c374c7b6987
RemcosRAT
0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
RemcosRAT
37ebb9622d13e5e8db8d9fa58aef6cfe9278877a18357a91a65022130892f8a6
RemcosRAT
3ba0e0a20d46ffeda99975fbbb27d535a5cbc149b6b8ee30c66c690e1a71c627
RemcosRAT
7e09b162052fa0f01f2d48609446e1cc66fea01afa412d5aee4cca9afa98fe52
RemcosRAT
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
RemcosRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
RemcosRAT
+ 2'422 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:upgraded001 persistence rat
Link:
https://tria.ge/reports/230331-299b7sec78/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
fresh03.ddns.net:34110
Unpacked files
SH256 hash:
b4b190818a658f0b64f5aa6d39e901e9d731bf1f58fa072b4c73120a96489bdb
MD5 hash:
3c6f8b2e78f5ebf58c4f170b30c04607
SHA1 hash:
c0ee09a1a9d1c673ad7eadabab7de44ebe0ff765
Link:
https://www.unpac.me/results/7ab66483-5ce0-4b34-87ff-5e3342db27b7/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/7ab66483-5ce0-4b34-87ff-5e3342db27b7/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
aac2dfe5a88232dae083f91bbdedbcabe2b1f0347dd45a0b8eec7a85e3533fd3
MD5 hash:
404e6ea93dae2be3dc3c7f2d98e138b2
SHA1 hash:
822e1b96d240b5a7266dad702e153284eb4954f5
Link:
https://www.unpac.me/results/7ab66483-5ce0-4b34-87ff-5e3342db27b7/
SH256 hash:
fb7c6bf77b21c2532c3ef2fb01b263b1d6aa632bce4bf1c98560b4ecc389d1de
MD5 hash:
fe7aede46d12391c2ca7244799ababfe
SHA1 hash:
5c304786eb80db5e59b6cfe4473171698df9535c
Link:
https://www.unpac.me/results/7ab66483-5ce0-4b34-87ff-5e3342db27b7/
SH256 hash:
eb99b9052fb1b154c9731f36fca6c148da71b530f530994427e8886e36f8dffe
MD5 hash:
5d9356dc1909e3385a1b77a1032fecd0
SHA1 hash:
052ee55ae083fe331d00ea3335cd3f68cd08ffdc
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/7ab66483-5ce0-4b34-87ff-5e3342db27b7/
Parent samples :
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
SH256 hash:
f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
MD5 hash:
5156850b1a68f4643b8fd4d59b6b0b75
SHA1 hash:
8b4844157d313775e1d08ef00254665a6dc2c39b
Link:
https://www.unpac.me/results/7ab66483-5ce0-4b34-87ff-5e3342db27b7/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3e4dd541766/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379110/

Comments