MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1
SHA3-384 hash:	0df70a047a3eb03d6c57a0673e3682a0cf510d5d2b4214c6b720f32ecfe53d396246d12f7f031feee013c2b64f2396b0
SHA1 hash:	54980a3ecf2d00cd583a0b496035c5d0df5ea00c
MD5 hash:	c80d2f3ca48ab6ca2ae98951793a91ea
humanhash:	nine-harry-cat-wolfram
File name:	SecuriteInfo.com.W32.AIDetect.malware2.12327.21021
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	732'672 bytes
First seen:	2022-08-08 05:33:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc1fadbd23c2bfd0a0322aa7e67d1d3f (4 x DBatLoader, 3 x Formbook, 1 x RemcosRAT)
ssdeep	12288:KmhCsMYEubn0UsjX4gaYv+tdqw1xBXEtFSOUHU3PiyMcCd5sY3nk1Hz:xnMYEbTjfaxtdqQVESreixHfk1Hz
Threatray	1'547 similar samples on MalwareBazaar
TLSH	T1E2F49DF1F3C045F6CD22263BD81A9D54EC2ABE102D2D644BABE93DC84B796C1791B187
TrID	28.5% (.SCR) Windows screen saver (13101/52/3) 22.9% (.EXE) Win64 Executable (generic) (10523/12/4) 14.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win32 Executable (generic) (4505/5/1) 6.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	c730f4e4d4d830c7 (5 x DBatLoader, 3 x Formbook, 2 x RemcosRAT)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware2.12327.21021

Verdict:

Malicious activity

Analysis date:

2022-08-08 05:34:23 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/950e8ebe-c95b-4166-bb9d-798504b88bac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/297049/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.12327.21021.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Enabling the 'hidden' option for recently created files

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28344/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger packed

Link:

https://www.filescan.io/uploads/62f0a01a8d188266ad39eb10/reports/6e34a2c7-f0fc-4f28-923b-ff046ee756bb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35970b34-4858-4ebe-954c-b88bf2de0cf6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1/

Threat name:

Win32.Trojan.Injuke

Status:

Malicious

First seen:

2022-08-08 05:34:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b6knxrlzlaedo3q7lcxwi77fej3cqnsqhpt4manhnjm3kohy5hyq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4cd864cf3d39baff963a023423237dd164ce0e5de001d1397031b74c3b26691e

RemcosRAT

77ed7f099d383a993b3ee6383ec343a3eda6b117f53febd01a1dc10c63cfea09

RemcosRAT

7d237aef354c63c3618c8c8df4718e2c5056edd90702bc77a233944e2c42de9b

RemcosRAT

910d9b435b172c50ad6cde23d820b4e1f07197e82ecdece15a74fbe750584378

RemcosRAT

a6abf72d95dac9ba6e6e4b53d9cbcd013846660a18ac5b9eeacb6cd87c783a2c

RemcosRAT

dfdfddf99781b2553c12dc0eaa764c585279eaa29b70654a11bdc238b6af945e

RemcosRAT

dff9dfa64f1a603197abded9f5942b83efab0c71520a4fe028ba8fb79cfe7b11

RemcosRAT

e7a3522e5f2bea8656f4a586387628402e469f461e23463459c69dc3274c39ae

RemcosRAT

+ 1'537 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:finally persistence rat trojan

Link:

https://tria.ge/reports/220808-f8wh3adhen/

Behaviour

Adds Run key to start application

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

185.62.86.145:42024

Unpacked files

SH256 hash:

dae03f035dca12ffa33f3fee03fa37a5329b6d68c1ea16f1433278e3c192f934

MD5 hash:

d7d31cd80ef706fbdbe0433270949e72

SHA1 hash:

4f5c50829960ce00e7d60ad625a55599e17fce5b

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/d9ac4248-44de-453a-b63d-0db40b81c4dd/

Parent samples :

b7aacc2b12e6e8f89a954e2623b6a53137257e4039ecc45311998caf6cd41cf0
0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1
88502779764c4ceacff4b4a39a389bf13389b734f99e76160c865a2da6d21bee
868e3a9f49c41cd1823e765cc8d2e97453ada6baac959e58187e1a337db01b96
1dddbd9bb1c2ed3b0ac846f3dcfbfd99909394f17a813be425b1870ef0f52c5e
e233d86e74d3846be66e323c4850b495c66658ca63cd28ec1a47a3b0c95f7559
5fabffc9eb6177ac29a1e51bf2a8bde55ddd97e2f7c86134eb2512b927f1232e
15e1d48f4ba136aa876c88c4fb16fe160795f40e9850252ce1a4f3a695b4fcb7
663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee
21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9
cd06021301a3677a02936aa5820f303d7aa650f63366266b75e553c669be08f5
35cf771ddfdab8d8f18d4ee2b4841602be4bc77f9d952ecd5f9e870160cfe8f8

SH256 hash:

0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1

MD5 hash:

c80d2f3ca48ab6ca2ae98951793a91ea

SHA1 hash:

54980a3ecf2d00cd583a0b496035c5d0df5ea00c

Link:

https://www.unpac.me/results/d9ac4248-44de-453a-b63d-0db40b81c4dd/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0f94dbc57958/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0f94dbc5795808376e1f58af647fe522762836503be7c601a76a59b538f8e9f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/297049/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample