MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f897d81306f66056722829d7fbeac088ff40b156cc0aa9dd0ee1995da512faa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f897d81306f66056722829d7fbeac088ff40b156cc0aa9dd0ee1995da512faa8
SHA3-384 hash: c946b5e30d0377538f299b8a84c04fbbd0efb0fb16389096e5622fe71cc04e6b86468d5e969456c2cdf309c5442791bd
SHA1 hash: 49ec8c2cc12cff8f26a8915438b1229bab7397d4
MD5 hash: bcd7db6837b9e2bd5ac2418c74923e54
humanhash: illinois-yellow-vegan-solar
File name:Urgent quotation HV0123.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'937'408 bytes
First seen:2023-01-23 08:15:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:dKMBxIF/T8ypXxeyh5Rll+FhiP1VaLE4csz/oQDL+hQXpGNUy8uArh2Wi+f0lKN7:g7NTqo1Zb+Rpu76ELOs
Threatray 2'908 similar samples on MalwareBazaar
TLSH T15495D0710A47FEEBE2675E54D00829159C2F1C47AF38D7A4BA8834AF51F4678BB9C930
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00870d1848c4cc20 (27 x RemcosRAT, 6 x Formbook, 1 x NanoCore)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
91.231.84.41:52651

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Urgent quotation HV0123.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 08:17:39 UTC
Tags:
rat remcos trojan
Link:
https://app.any.run/tasks/6c5ca551-2bca-4229-84d7-a0d0ade96e76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355779/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed warp
Link:
https://www.filescan.io/uploads/63ce42452b351a3d0ea7d9e1/reports/b4d9016d-2c86-4d34-8a90-5e041b7a885a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7dd92a2-db7d-441d-be4a-fa212dc611a3
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156778
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789510 Sample: Urgent  quotation HV0123.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 12 other signatures 2->54 7 Urgent  quotation HV0123.exe 1 7 2->7         started        11 Nlaazis.exe 4 2->11         started        13 Nlaazis.exe 3 2->13         started        process3 file4 40 C:\Users\user\AppData\Roaming\...40laazis.exe, PE32 7->40 dropped 42 C:\Users\user\...42laazis.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\...\Urgent  quotation HV0123.exe.log, ASCII 7->44 dropped 56 Encrypted powershell cmdline option found 7->56 58 Injects a PE file into a foreign processes 7->58 15 Urgent  quotation HV0123.exe 2 7->15         started        18 powershell.exe 15 7->18         started        60 Antivirus detection for dropped file 11->60 62 Multi AV Scanner detection for dropped file 11->62 64 Machine Learning detection for dropped file 11->64 20 powershell.exe 11 11->20         started        22 Nlaazis.exe 11->22         started        24 Nlaazis.exe 11->24         started        26 powershell.exe 13 13->26         started        28 Nlaazis.exe 13->28         started        30 Nlaazis.exe 13->30         started        32 2 other processes 13->32 signatures5 process6 dnsIp7 46 91.231.84.41, 49700, 52651 UKRNAMES-ASUA Ukraine 15->46 34 conhost.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 26->38         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f897d81306f66056722829d7fbeac088ff40b156cc0aa9dd0ee1995da512faa8/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 06:31:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7cl5qeyg6zqfm4rifhl7x2ward7ubmkwzqfktxio4gmv3jis7kua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
02d7ab6afcf9f15fba169e0d8491499cf27a87fba17a3afd80bd6e5873a9338f
RemcosRAT
34ff7d92c1c335d251ad12780ccc8fb3a10430fc20cfbb0ff55c40128ffe9a81
RemcosRAT
43833d212601474a32c2ea1f5920850c4011bec08a3c2df565231f87043a8318
RemcosRAT
6f40d67d72b406df5af87f9fde49179e16304d31f818502c91258577b9f7548f
RemcosRAT
d1b9ccdfb42f24d794afbb5b46bbbd429eec29255e1f4f8007b0105024c58cad
RemcosRAT
d828a844f0248f23b180fe4810ac43f49168e2c232f6874b0c33e411586dd4f4
RemcosRAT
+ 2'898 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:smashhh persistence rat
Link:
https://tria.ge/reports/230123-j55t4seb2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
91.231.84.41:52651
127.0.0.1:52651
10.5.175.21:52651
Unpacked files
SH256 hash:
9729c0c01507ffb6d32a698e86525709ca5945379cd15da64a65829cf527eca7
MD5 hash:
43dffc0bf4b3ab7c78e4f6f3bf6abd50
SHA1 hash:
2f7a82b3c44967f8049338b948ec797de818c944
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/1bfc131f-4c89-48c6-93e2-c1d715edeeda/
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/1bfc131f-4c89-48c6-93e2-c1d715edeeda/
SH256 hash:
6292c89cdbccb15f043940e253c47ed65d4153c320e4b7f79ad1fceaec1451c2
MD5 hash:
8ddf4379f5d8d0c4c666b51af64ad540
SHA1 hash:
c842360b64d97fa0b83037716ff556693cd00b81
Link:
https://www.unpac.me/results/1bfc131f-4c89-48c6-93e2-c1d715edeeda/
SH256 hash:
f897d81306f66056722829d7fbeac088ff40b156cc0aa9dd0ee1995da512faa8
MD5 hash:
bcd7db6837b9e2bd5ac2418c74923e54
SHA1 hash:
49ec8c2cc12cff8f26a8915438b1229bab7397d4
Link:
https://www.unpac.me/results/1bfc131f-4c89-48c6-93e2-c1d715edeeda/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f897d81306f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f897d81306f66056722829d7fbeac088ff40b156cc0aa9dd0ee1995da512faa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_Remcos_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355779/

Comments