MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10cae0676fcf60dbbb56266448fff13a2ed236753243fea28d41f3902863e053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 37 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10cae0676fcf60dbbb56266448fff13a2ed236753243fea28d41f3902863e053
SHA3-384 hash: a5c42e6a56e8bdd8d8c0a3b2daa6d9031e689a9bb110612114d4bae197ffcdb7f13e0c8818b569bee3c92cb3d1c74401
SHA1 hash: 5be3521c8376b5c32f859c9fc85f4049ccc1c3a3
MD5 hash: 65ae2a6c5538d0dcd50c3c264587bb04
humanhash: fish-stairway-montana-grey
File name:10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:25'426'944 bytes
First seen:2023-12-31 16:30:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 393216:Iq5sSGlBxjWhyw34/3Lk14ygJKYAJqhRUTPgD4djECKEdbFAq2oYCiqe88DN0063:RTGlBdI34/YDZcEPoS4MYCT+N0brJJj
Threatray 3'272 similar samples on MalwareBazaar
TLSH T1174733FF0B0E42E2F703A4B868C1B1B9708BD752FA1C9C0946A67DF599F5D528885C93
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 30cce8714dcc6430 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
15.235.3.1:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
439
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Sending a custom TCP request
Creating a window
Running batch commands
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Setting a keyboard event handler
Searching for synchronization primitives
Deleting a system file
Creating a file in the Program Files subdirectories
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Enabling autorun for a service
Enabling autorun
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/659197496b1c246046128be1/reports/a9c5901c-73d7-469b-8577-a7ec68bb1706/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/10cae0676fcf60dbbb56266448fff13a2ed236753243fea28d41f3902863e053
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos, AsyncRAT, DcRat, Discord Token S
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368401
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Delayed program exit found
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DcRat
Yara detected Discord Token Stealer
Yara detected Orcus RAT
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368401 Sample: 10cae0676fcf60dbbb56266448f... Startdate: 31/12/2023 Architecture: WINDOWS Score: 100 137 www.cloudflare.com 2->137 139 raw.githubusercontent.com 2->139 141 discord.com 2->141 145 Snort IDS alert for network traffic 2->145 147 Multi AV Scanner detection for domain / URL 2->147 149 Found malware configuration 2->149 151 16 other signatures 2->151 12 10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe 6 2->12         started        16 svchost.exe 2->16         started        19 WindowsInput.exe 2->19         started        21 3 other processes 2->21 signatures3 process4 dnsIp5 119 C:\Users\user\AppData\...\Scannerbuilder.exe, PE32 12->119 dropped 121 C:\Users\user\AppData\Local\...\Scandlls.exe, PE32+ 12->121 dropped 123 C:\Users\user\AppData\...\ScanCompiler.exe, PE32 12->123 dropped 125 2 other malicious files 12->125 dropped 205 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->205 23 Scandlls.exe 130 12->23         started        27 ScanCompiler.exe 6 4 12->27         started        29 Scannerbuilder.exe 12->29         started        31 3 other processes 12->31 129 127.0.0.1 unknown unknown 16->129 file6 signatures7 process8 file9 101 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 23->101 dropped 103 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 23->103 dropped 105 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 23->105 dropped 115 82 other malicious files 23->115 dropped 167 Antivirus detection for dropped file 23->167 169 Multi AV Scanner detection for dropped file 23->169 171 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->171 33 Scandlls.exe 23->33         started        107 C:\ProgramDatabehaviorgraphooglebehaviorgraphoogleData.exe, PE32 27->107 dropped 173 Creates an undocumented autostart registry key 27->173 175 Contains functionalty to change the wallpaper 27->175 177 Machine Learning detection for dropped file 27->177 187 6 other signatures 27->187 38 wscript.exe 1 27->38         started        40 cmd.exe 1 27->40         started        109 C:\Windows\SysWOW64\WindowsInput.exe, PE32 29->109 dropped 111 C:\Program Files (x86)\...\Updt.exe, PE32 29->111 dropped 179 Drops executables to the windows directory (C:\Windows) and starts them 29->179 42 Updt.exe 29->42         started        44 WindowsInput.exe 29->44         started        113 C:\Users\user\AppData\...\WinUpdater.exe, PE32 31->113 dropped 117 2 other malicious files 31->117 dropped 181 Protects its processes via BreakOnTermination flag 31->181 183 Uses powercfg.exe to modify the power settings 31->183 185 Modifies the hosts file 31->185 189 2 other signatures 31->189 46 cmd.exe 31->46         started        48 cmd.exe 31->48         started        50 cmd.exe 31->50         started        52 13 other processes 31->52 signatures10 process11 dnsIp12 131 raw.githubusercontent.com 185.199.111.133 FASTLYUS Netherlands 33->131 133 www.cloudflare.com 104.16.123.96 CLOUDFLARENETUS United States 33->133 135 discord.com 162.159.128.233 CLOUDFLARENETUS United States 33->135 97 C:\Users\user\AppData\Roaming\...\dat.txt, PE32+ 33->97 dropped 153 Tries to harvest and steal browser information (history, passwords, etc) 33->153 54 cmd.exe 33->54         started        155 Windows Scripting host queries suspicious COM object (likely to drop second stage) 38->155 56 cmd.exe 38->56         started        157 Uses cmd line tools excessively to alter registry or file data 40->157 58 reg.exe 1 40->58         started        61 conhost.exe 40->61         started        99 C:\Users\user\AppData\Roaming\svchosts.exe, PE32 42->99 dropped 159 Protects its processes via BreakOnTermination flag 42->159 161 Creates multiple autostart registry keys 42->161 163 Installs a global keyboard hook 42->163 63 svchosts.exe 42->63         started        65 3 other processes 46->65 165 Uses schtasks.exe or at.exe to add and modify task schedules 48->165 67 2 other processes 48->67 69 2 other processes 50->69 71 12 other processes 52->71 file13 signatures14 process15 signatures16 73 conhost.exe 54->73         started        75 GoogleData.exe 56->75         started        80 conhost.exe 56->80         started        201 Disables UAC (registry) 58->201 82 svchosts.exe 63->82         started        203 Protects its processes via BreakOnTermination flag 65->203 84 Conhost.exe 65->84         started        86 Conhost.exe 69->86         started        process17 dnsIp18 143 15.235.3.1 HP-INTERNET-ASUS United States 75->143 127 C:\ProgramData\BootData\logs.dat, data 75->127 dropped 207 Antivirus detection for dropped file 75->207 209 Multi AV Scanner detection for dropped file 75->209 211 Contains functionalty to change the wallpaper 75->211 213 8 other signatures 75->213 88 svchost.exe 75->88         started        91 cmd.exe 75->91         started        file19 signatures20 process21 signatures22 191 Found evasive API chain (may stop execution after checking mutex) 88->191 193 Contains functionalty to change the wallpaper 88->193 195 Contains functionality to steal Chrome passwords or cookies 88->195 199 3 other signatures 88->199 197 Uses cmd line tools excessively to alter registry or file data 91->197 93 conhost.exe 91->93         started        95 reg.exe 91->95         started        process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/10cae0676fcf60dbbb56266448fff13a2ed236753243fea28d41f3902863e053
Gathering data
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-12-30 19:17:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdfoaz3pz5qnxo2wezser77rhixnentvgjb75iunihzzakdd4bjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
083e029e90f71ad347e5e0ee5f1ce9fd9befc9c697c8d17c683d14b9a0be107b
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
4abdfcd240b09c5e1d8cd90d780c3db8f4f3d892be71d7b307d44051e0c15670
RemcosRAT
4b3b8c9037168a82409fbe027ecf77ba5b1b9262960b07dde8e15acfb1e3a5df
RemcosRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
a0a124777df35d015c84f61af9a8e4d0dba82120a30fa031b73b885a13d88214
RemcosRAT
b45dbf75dd0de5a62cb362bcc26b59cdd6a7adae8a74c71c30e7db9c36b20265
RemcosRAT
e7a7431b7c5f7d73f80f8474e5d62a3620a639c762ea78b0266ff867c048a153
RemcosRAT
+ 3'262 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:orcus family:remcos family:xmrig botnet:telagay botnet:tlg evasion miner persistence pyinstaller rat spyware stealer trojan upx
Link:
https://tria.ge/reports/231231-t1dj6safcr/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Adds policy Run key to start application
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Async RAT payload
Orcurs Rat Executable
XMRig Miner payload
AsyncRat
Orcus
Orcus main payload
Remcos
UAC bypass
xmrig
Malware Config
C2 Extraction:
15.235.3.1:2000
15.235.3.1:443
127.0.0.1:2001
15.235.3.1:2001
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10cae0676fcf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10cae0676fcf60dbbb56266448fff13a2ed236753243fea28d41f3902863e053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MacOS_Cryptominer_Generic_333129b7
Create hunting rule
Author:Elastic Security
Rule name:MacOS_Cryptominer_Xmrig_241780a1
Create hunting rule
Author:Elastic Security
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments