MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51
SHA3-384 hash: b605f38869c06d4cc11069f11cfcadc68659ae6fd38fc58a4b4f3cfe7852e48c2d969f51fdc61b5888c97179fef13049
SHA1 hash: 35ec1fce1fd39a8fad37e88ccb25c859fc21b297
MD5 hash: baea8f92a509da346b2785803537713d
humanhash: quebec-washington-uncle-skylark
File name:HBL+BL SHIPPING DOCUMENTS.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:833'536 bytes
First seen:2021-10-20 07:20:50 UTC
Last seen:2021-10-21 06:13:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3fTHMlxK/70jI/NaXNVh6Xj6Ftopum4UcOm4F296pKeXU1W9qIWogZJuNeGDHFyZ:P50k/NadgHY8QM4eWWkIxgZJw
Threatray 831 similar samples on MalwareBazaar
TLSH T16B05BE9C3650B6DFC857CD76CAA82C60EA6074B7470BD203A05726AD9E0DA9BCF151F3
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
7
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198760/
Detection(s):
Sanesecurity.Rogue.0hr.20211020-0805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
obfuscated packed remcos
Link:
https://www.filescan.io/uploads/616fc362db358dd15ec5b646/reports/2d3dbfea-8763-4a41-b93a-f9190d86a300/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd7b3fdc-364d-491c-9aa0-4ee8aff06eef
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873636
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 07:21:06 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dtvvz5xgbmmqpmojgx5saxctw6v3saiaf6x5rzwvdy2ucwyrriq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0bb25dccd5ee69b35f2c03c04b50ec23573929d193739becb1c623d32db64e4a
RemcosRAT
2173a81011be8c709740a74a65674ac9d84510cb93fdc94134d883c4f61642f6
RemcosRAT
4d4ca33cc268361f05552b84f5216a158df5cf89b74ef53e2540c1703594dc79
RemcosRAT
5e1473cb44990bf7a1d8da8ad410642430bc6c5663859bc4e4c738e22b3cc71e
RemcosRAT
6b0ab733e35430a087bff4718cb7446be43dc8484a8669d887f717fd7cece0eb
RemcosRAT
8d99a854713aa68aafd4d6bc5d3b37677e1f1bdd65b0fc8ac459100541ee0415
RemcosRAT
a7f4245d63e1dd21c5af3e0ddf682ac517eda484bf6650f3e0d5d856f4cc68fa
RemcosRAT
cd43f136f1d3221cd64fc792a37744dfa9656a9ea5889e52929275c05eb4e33b
RemcosRAT
f60b6dfcaf466a9cf6b7831fcd74abc70efc16aec11d3b38fdbc7562003ba61b
RemcosRAT
+ 821 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost evasion rat
Link:
https://tria.ge/reports/211020-h6n3bagga9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Remcos
Malware Config
C2 Extraction:
172.94.88.26:3033
Unpacked files
SH256 hash:
28ff4191d59a8241ab055c66ea6dbbf0f0f0a89fd73958acb02e28a1e6db8e4f
MD5 hash:
1d72140911c7e741a623cb3f6cd03e6d
SHA1 hash:
90fd6e13d05ee54cf76ffeea9be939d903fafc85
Detections:
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/83f8dc98-cdb9-4238-8097-b9d14db69226/
Parent samples :
b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876
f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51
SH256 hash:
6fee24a1398bb022d0c5b9059b9b21e7636fc3861866a583d0e49b7d0ca56d58
MD5 hash:
36e2528c3cb3ad299ea481283687cdd6
SHA1 hash:
1981340bc7be1aa8f78f942fc6f0724838e35a87
Link:
https://www.unpac.me/results/83f8dc98-cdb9-4238-8097-b9d14db69226/
SH256 hash:
a3a1a7974b5448ef3b21e19b06bb19b6bf425d04fae634413c210e7bbffeba93
MD5 hash:
ace07a8e79255595a7ece8505b929782
SHA1 hash:
0f8c96a4d0458fc7aa25f9aee1249df5ffeb03ef
Link:
https://www.unpac.me/results/83f8dc98-cdb9-4238-8097-b9d14db69226/
SH256 hash:
f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51
MD5 hash:
baea8f92a509da346b2785803537713d
SHA1 hash:
35ec1fce1fd39a8fad37e88ccb25c859fc21b297
Link:
https://www.unpac.me/results/83f8dc98-cdb9-4238-8097-b9d14db69226/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f8e75ae7b730/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f8e75ae7b73058c83d8e49afd902e29dbd5dc808017d7ec736a8f1aa0ad88c51

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198760/

Comments