MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 13 File information Comments

SHA256 hash:	0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5
SHA3-384 hash:	30e321d006964b3e2e750875a702f829cdf25bce1a8ae3f6e2fce9e4b37fc2dc901643933c42d8f2285a3e13b8794abd
SHA1 hash:	d5ed640efe39c52ed9a08841837654979f38b384
MD5 hash:	f6118a965e44ee55e708edf7adcdc1df
humanhash:	fillet-mars-washington-neptune
File name:	F6118A965E44EE55E708EDF7ADCDC1DF.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	494'592 bytes
First seen:	2024-01-21 16:05:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8d5087ff5de35c3fbb9f212b47d63cad (170 x RemcosRAT)
ssdeep	6144:8XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNA5Gv:8X7tPMK8ctGe4Dzl4h2QnuPs/ZsBcv
Threatray	3'322 similar samples on MalwareBazaar
TLSH	T17BB49E01BAD1C072D57524300D3AF776EAB8BD2018364A7B73D61D5BFE31190B62AAB7
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
163.5.64.15:57844

Intelligence

File Origin

# of uploads :

# of downloads :

352

Origin country :

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/472073/

Detection(s):

Win.Trojan.Remcos-9841897-0

Win.Trojan.Remcos-10002580-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Setting a keyboard event handler

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto evasive exploit explorer fingerprint fingerprint hook keylogger lolbin remcos shell32

Link:

https://www.filescan.io/uploads/65ad40ec68f6c896b6d3ff3e/reports/6cbecf9d-8c07-4870-a0a1-99144c1dfdbb/overview

Verdict:

Malicious

Labled as:

Remcos.Generic

Link:

https://www.hybrid-analysis.com/sample/0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c109d645-6112-457d-b1a5-cbf2561984c5

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1378305

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2024-01-15 15:52:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bl3w6kexcwf7ouvv5ysyauzbljw6dghisecfrqbcqlbnjuuevxkq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef

RemcosRAT

4138dc6d4ea9f822aa3bac00c6304b9675c13b140fadb75736f21dd33e8dcba6

RemcosRAT

6778fea0bea7bd311fbda7b2f6257a7826733a664199d8073c878e401ba20a33

RemcosRAT

7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754

RemcosRAT

a0c4a547b08cd4669362420f9c50b04f084e0174f13911f4e8b95cec7ba12cd8

RemcosRAT

a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946

RemcosRAT

+ 3'312 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:zynova

Link:

https://tria.ge/reports/240121-tj267sefa2/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

MD5 hash:

f6118a965e44ee55e708edf7adcdc1df

SHA1 hash:

d5ed640efe39c52ed9a08841837654979f38b384

Detections:

Remcos

win_remcos_w0

win_remcos_auto

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Link:

https://www.unpac.me/results/3de7c680-4b88-4502-825b-5a46c8fa3157/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0af76f289715/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/472073/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample