MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4
SHA3-384 hash: 09c9b1d5f1917c6473ff9c7e5a739fa0e9d5fdb044cf88b4530eacc6d5e36069c10b6c202d4f3b6b5e8b6ce10e65c341
SHA1 hash: 7e1263cdfc1038fe0cfcab9bd651330b1e2583f3
MD5 hash: e02a020b9184bc97405f337e6463fb8b
humanhash: paris-sad-finch-august
File name:LauncherPatcher.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:829'440 bytes
First seen:2023-11-01 17:47:46 UTC
Last seen:2023-11-01 19:18:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d1d5c692ee20bbf9340f0575f4c087d4 (1 x RemcosRAT)
ssdeep 12288:EassGvch66hNN0XKCstHcOkh2Saw7biHondcOFcWnuo:EddMbwKllcPowMonlzu
Threatray 2'768 similar samples on MalwareBazaar
TLSH T10205F140A50C5283F1A63B38C8AEE3B72A55AD619EF5880F62D17C3B757D45BBC382D1
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter smica83
Tags:exe RemcosRAT


Avatar
smica83
hxxps://allnato(.)net/news/uploads/chrmap.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
353
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457685/
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.19506.24981.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/65428f5b746262825556e860/reports/591dec60-b205-41cd-aa9d-d5df7152d8cd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c16817d3-eb77-44c7-ac28-680f13a397bf
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335632
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4/
Threat name:
Win32.Trojan.Sysdupate
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 11:12:18 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcofvhd24ugn22bfuzc4olmkoae4hdydolnu7zjcjr7cv6babpsa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
254a8dd46ac13318dce3b79a3dfc79917ffb055a9a97776f52e703416ab7cc91
RemcosRAT
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
RemcosRAT
6d69abf704c0ac0c71d7d35cc0eaa5b0ba230b7538ee159ad415b06798143c33
RemcosRAT
70844fa5991d0089d8e76bb510ba8aeaeb1f0f053741c5876b15c4ced5075dc9
RemcosRAT
887171e762ec83f7c3f9d12c11742c7e05e9382db50a9fe3268d266215708bf4
RemcosRAT
9b5e50292aacd6de4d058a7bbf72dd3d0c09dad48c52eb6e43c0fef8259383a1
RemcosRAT
a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da
RemcosRAT
a8c7f79f118f3ff57bef79b5877355adab4269c99a6c61dfca429a46ff0fb357
RemcosRAT
d7d0ef85103c37670e81e7146a7170a6ca241b830a65e59aacf6407503dbbc39
RemcosRAT
f5d707c704a60d1578d0b00f656477eda9b5dbfa440466660bfd92aff363625d
RemcosRAT
+ 2'758 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:qemu-ga rat
Link:
https://tria.ge/reports/231101-wdevtsbc31/
Behaviour
Suspicious use of SetWindowsHookEx
Remcos
Malware Config
C2 Extraction:
179.61.237.12:443
drivebackupupdate.com:443
secure.cloudproxyserv.com:443
Unpacked files
SH256 hash:
b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4
MD5 hash:
e02a020b9184bc97405f337e6463fb8b
SHA1 hash:
7e1263cdfc1038fe0cfcab9bd651330b1e2583f3
Link:
https://www.unpac.me/results/5656c330-8b98-4d9d-be82-ee2f6d37732c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b89c5a9c7ae5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

RemcosRAT

zip 79a4fa2ac4971f669cbcbe4f1573bbc893f05490a9a0d0d9d6b6c1c91bb3a1c4

RemcosRAT

Executable exe b89c5a9c7ae50cdd6825a645c72d8a7009c38f0372db4fe5224c7e2af8200be4

(this sample)

  
X
https://twitter.com/ginkgo_g/status/1711309741773951129?t=kMOydLT0wxLGb2W0ik6RHg&s=19
  
Dropped by
MD5 63085b0b7cc5bb00859aba105cbb40b1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/457685/
  
Dropped by
SHA256 79a4fa2ac4971f669cbcbe4f1573bbc893f05490a9a0d0d9d6b6c1c91bb3a1c4

Comments