MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4ce923736204d90865aa3b2191addd02b3e9336dc53840fcbde2d4ebe81fcf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4ce923736204d90865aa3b2191addd02b3e9336dc53840fcbde2d4ebe81fcf3
SHA3-384 hash: 76e8ec1da2b73c5494cd90335100b3b95a70cfce295c1f967967dedd63cf84fd66716a2cc598c54ec01e56c523d14801
SHA1 hash: cec95371613e8f2320fd025d60d1b5795e5edd69
MD5 hash: de56ad4f194896549575970ba22988d4
humanhash: glucose-seventeen-purple-fish
File name:commercial invoice.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:779'264 bytes
First seen:2022-06-14 08:13:25 UTC
Last seen:2022-06-14 08:56:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:0uLxGoBLZTOiTydTd4cXY8XXbSEuAHE9mnGY7ooFDc:0voBlbTmp4j8XXbS9/9AGYzJ
Threatray 2'153 similar samples on MalwareBazaar
TLSH T19BF40227BFABCE4AC1A95B35C6E550100374AB82E613E75F3ACE13194D133EA4D89787
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
commercial invoice.exe
Verdict:
Malicious activity
Analysis date:
2022-06-15 00:39:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/05f10da0-a854-4b5f-b9f2-a51b2f07ceb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/279660/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.30425.11947.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62a8435173b91c38f68d49af/reports/9da33e9c-051b-46ac-86ee-313a984431ea/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2607d5a1-09fc-4b48-95ae-e9362114f5cc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1012665
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 645163 Sample: commercial invoice.exe Startdate: 14/06/2022 Architecture: WINDOWS Score: 100 119 Malicious sample detected (through community Yara rule) 2->119 121 Antivirus detection for dropped file 2->121 123 Multi AV Scanner detection for dropped file 2->123 125 14 other signatures 2->125 13 commercial invoice.exe 7 2->13         started        18 vlc.exe 2->18         started        20 vlc.exe 2->20         started        process3 dnsIp4 117 192.168.2.1 unknown unknown 13->117 101 C:\Users\user\AppData\...\dGShdvrNtzXP.exe, PE32 13->101 dropped 103 C:\Users\user\AppData\Local\...\tmp244D.tmp, XML 13->103 dropped 105 C:\Users\user\...\commercial invoice.exe.log, ASCII 13->105 dropped 147 Adds a directory exclusion to Windows Defender 13->147 149 Injects a PE file into a foreign processes 13->149 22 commercial invoice.exe 4 5 13->22         started        25 powershell.exe 24 13->25         started        27 powershell.exe 25 13->27         started        29 schtasks.exe 1 13->29         started        31 powershell.exe 18->31         started        33 powershell.exe 18->33         started        35 schtasks.exe 18->35         started        37 vlc.exe 18->37         started        file5 signatures6 process7 file8 95 C:\Users\user\AppData\Roaming\vlc\vlc.exe, PE32 22->95 dropped 97 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 22->97 dropped 99 C:\Users\user\AppData\Local\...\install.vbs, data 22->99 dropped 39 wscript.exe 22->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        process9 process10 53 cmd.exe 39->53         started        process11 55 vlc.exe 53->55         started        58 conhost.exe 53->58         started        signatures12 131 Multi AV Scanner detection for dropped file 55->131 133 Detected unpacking (creates a PE file in dynamic memory) 55->133 135 Adds a directory exclusion to Windows Defender 55->135 137 Injects a PE file into a foreign processes 55->137 60 vlc.exe 55->60         started        64 powershell.exe 55->64         started        66 powershell.exe 55->66         started        68 schtasks.exe 55->68         started        process13 dnsIp14 115 rambolastblood.ddns.net 185.140.53.132, 49773, 49774, 49775 DAVID_CRAIGGG Sweden 60->115 139 Writes to foreign memory regions 60->139 141 Allocates memory in foreign processes 60->141 143 Installs a global keyboard hook 60->143 145 Injects a PE file into a foreign processes 60->145 70 vlc.exe 60->70         started        73 vlc.exe 60->73         started        75 svchost.exe 60->75         started        83 3 other processes 60->83 77 conhost.exe 64->77         started        79 conhost.exe 66->79         started        81 conhost.exe 68->81         started        signatures15 process16 signatures17 127 Tries to steal Instant Messenger accounts or passwords 70->127 129 Tries to steal Mail credentials (via file / registry access) 70->129 85 chrome.exe 75->85         started        88 chrome.exe 75->88         started        process18 dnsIp19 107 239.255.255.250 unknown Reserved 85->107 90 chrome.exe 85->90         started        93 chrome.exe 88->93         started        process20 dnsIp21 109 part-0032.t-0009.fbs1-t-msedge.net 13.107.219.60, 443, 49800 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 90->109 111 part-0017.t-0009.t-msedge.net 13.107.246.45, 443, 49797, 49811 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 90->111 113 9 other IPs or domains 90->113
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4ce923736204d90865aa3b2191addd02b3e9336dc53840fcbde2d4ebe81fcf3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 08:14:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6thjenzwebgzbbs2uozbsgw52avt5ezw3rjyid6l3ywu5pub7tzq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4d1cfc06d50c33a02572d8d32f34c277bb89bad8d2932c4e0549409d98d5ddda
RemcosRAT
58d5e6849f56a08355256394531c49e55e2539e61c56da5ee0594cecd80a0142
RemcosRAT
6a182d41a2d215552343174e699a7dba2d6282136f338a88826ac5eac8f0e7f6
RemcosRAT
6ea16cb1cf48e7eaec58a6f2aa22119b3753adff7782d5ce96282ba99e6ffa42
RemcosRAT
a1b385afa0592f1fc9e0eaacd751beb5e15ff4151f2ac98e0166f29955690b9c
RemcosRAT
a439a0f9a25819c7b124965c1d48eff1f981aa3d6190c3f24239c97ec39b2c39
RemcosRAT
a5235adab75f69fd47b814a81ed89fe195e9a37e59c742e42363379742fc3b43
RemcosRAT
f4b96c1a853a6bdc9a811511c4338262e8a33311d21cea5690c74daa1d2dae32
RemcosRAT
fa7229938d7109be9b5947f67058cb3cab1d366ababae65b83786b80584a160a
RemcosRAT
+ 2'143 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost brand:microsoft collection persistence phishing rat spyware stealer
Link:
https://tria.ge/reports/220614-j4zxgaghh8/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
rambolastblood.ddns.net:6327
Unpacked files
SH256 hash:
76406f5178af7beb92d8ccc360ae5b26714d2addba122267db4a940108facf93
MD5 hash:
60e935a1044d3368aea3c8be556f0c90
SHA1 hash:
6857c370d2546a8a735680cf6305e29cd4d743b0
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c38425e1-1093-404a-912b-24cb9e3a1896/
SH256 hash:
b5a6783b825387763ada05fe7a10dace428c283c30962f7813da1f68267433b9
MD5 hash:
cf417c6a9eb4ebb010a6b33f243a2776
SHA1 hash:
5f20bfb0346c635a178157ed05b8997ebe9eb69c
Link:
https://www.unpac.me/results/c38425e1-1093-404a-912b-24cb9e3a1896/
SH256 hash:
2fe9852668ae6b7715a5c6f8764744f9cb2ef3163adf0f360728f628d42ce916
MD5 hash:
26bfda201145c515616dbb9243785084
SHA1 hash:
4133e7329a79766bbe670a398fdfb442eb70487d
Link:
https://www.unpac.me/results/c38425e1-1093-404a-912b-24cb9e3a1896/
SH256 hash:
fa92c3552f9abe2a6817c18ec7a986e2aaa3699954afdce6c109480a4c242567
MD5 hash:
cc69c649b7c80c094d81c8005d9abf58
SHA1 hash:
1f7957bfa27441023358d1628f1bb371000e196e
Link:
https://www.unpac.me/results/c38425e1-1093-404a-912b-24cb9e3a1896/
SH256 hash:
f4ce923736204d90865aa3b2191addd02b3e9336dc53840fcbde2d4ebe81fcf3
MD5 hash:
de56ad4f194896549575970ba22988d4
SHA1 hash:
cec95371613e8f2320fd025d60d1b5795e5edd69
Link:
https://www.unpac.me/results/c38425e1-1093-404a-912b-24cb9e3a1896/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4ce92373620/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4ce923736204d90865aa3b2191addd02b3e9336dc53840fcbde2d4ebe81fcf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f4ce923736204d90865aa3b2191addd02b3e9336dc53840fcbde2d4ebe81fcf3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/279660/

Comments