MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 093211c83f13bdaa0ab037352beee293ce3d1e2c023d865c87bd86b61509f3f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	093211c83f13bdaa0ab037352beee293ce3d1e2c023d865c87bd86b61509f3f4
SHA3-384 hash:	242fc71831f0066b4f74d46f322eba3c571965b517c85555bdc7787505f5d4f5332ccef24d180b40108889186c0d9195
SHA1 hash:	72a903d9427c3bc62aa37c77347c95c69f51b15b
MD5 hash:	6bf4305d2a9bdfe2372013639ea3a8ef
humanhash:	tango-aspen-ceiling-bakerloo
File name:	M7R56195.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	489'984 bytes
First seen:	2023-05-25 07:38:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3f3d4ba55ce3e8f736704310c56bf5aa (12 x RemcosRAT)
ssdeep	6144:K1EwL0xQk9VdeLuVnQs8QLgt8cBvnkCX/3Rde+A+DdsAOZZiXXPcNy2OhX:K1EZT90uNQzYgScBvnn/XpTs/ZiuOhX
Threatray	1'943 similar samples on MalwareBazaar
TLSH	T1A6A4BF01B9C1C072D57261300D2AF775DAB9BD212926497BB3DA1D9BFE30190B63A7B3
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	Neiki
Tags:	RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

M7R56195.exe

Verdict:

Malicious activity

Analysis date:

2023-05-25 07:50:33 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/0a20df42-1cad-4410-a932-b7c73b64a37a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/391441/

Detection(s):

Win.Trojan.Remcos-9841897-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Setting a keyboard event handler

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe evasive exploit explorer.exe fingerprint greyware keylogger lolbin rat shell32.dll

Link:

https://www.filescan.io/uploads/646f10989621774aa98ee8b2/reports/b416cb4b-0f61-4dfd-9300-e093c1347f72/overview

Verdict:

Malicious

Labled as:

Remcos.Generic

Link:

https://www.hybrid-analysis.com/sample/093211c83f13bdaa0ab037352beee293ce3d1e2c023d865c87bd86b61509f3f4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e39f210e-0e1e-499f-89c1-324ec7281660

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1242395

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Snort IDS alert for network traffic

Uses dynamic DNS services

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/093211c83f13bdaa0ab037352beee293ce3d1e2c023d865c87bd86b61509f3f4/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2023-05-25 07:39:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bezbdsb7co62ucvqg42sx3xcsphd2hrmai6ymxehxwdlmfij6p2a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b

RemcosRAT

3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95

RemcosRAT

4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

RemcosRAT

50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3

RemcosRAT

52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3

RemcosRAT

6856d48b94e263e7add9845cdb9077a9bfeb01f6e35f1a1bcacaf5ecba2f6a86

RemcosRAT

98e8a76487a5811e1dd8574c08a8b66dc39506044045fc8c994e5d0e533a663c

RemcosRAT

c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a

RemcosRAT

d930e3006b889c13cdebe9004c021ed18ebe31f1504ffce27f10277e439329e0

RemcosRAT

+ 1'933 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:mitsrers 2

Link:

https://tria.ge/reports/230525-jgzcesgg28/

Behaviour

Suspicious use of SetWindowsHookEx

Malware Config

C2 Extraction:

misterios140.duckdns.org:1520

Unpacked files

SH256 hash:

093211c83f13bdaa0ab037352beee293ce3d1e2c023d865c87bd86b61509f3f4

MD5 hash:

6bf4305d2a9bdfe2372013639ea3a8ef

SHA1 hash:

72a903d9427c3bc62aa37c77347c95c69f51b15b

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/609d6d94-f814-43b1-9f39-c40e12afd506/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/093211c83f13/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/391441/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample