MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1135aff0c127721dd6704747c337ce06abd87852f86cc5d19446c0946c644788. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 9

SHA256 hash: 1135aff0c127721dd6704747c337ce06abd87852f86cc5d19446c0946c644788
SHA3-384 hash: 14bde0195bfe04909427e4efa194c7d1e46c71866c6df271806ec4188e6d8368ab7ec6b2116a5a39219d74c81c81dd7b
SHA1 hash: 960c0a58ed11f236758674d8d77fc5b59f55b8dd
MD5 hash: 4cb0c81e0a65fad12ae7a55db5839cbb
humanhash: west-nevada-tango-failed
File name: 4cb0c81e0a65fad12ae7a55db5839cbb
Signature: RemcosRAT
File size: 7'779'373 bytes
First seen: 2024-10-23 08:14:02 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 196608:sMv+L2+8mtYhCsR3tQMxgROqXz9cYoMpx6kGKlKNgHFBl:sMU5mCTOsz9cZ7kGKlTl
TLSH: T14D763397E61FDDD268C462114065ECD614E82E5B92CDFFAD069AF3AFC6B3B8605203D0
Magika: zip
Reporter: zbetcheckin
Tags: RemcosRAT zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 100
Origin country: FR
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: militaryrespondpro.exe
File size: 7'830'528 bytes
SHA256 hash: 0bb66047b9a8fc0ad9312c27166c507b82be23e28441be00b0e09b010068bdb6
MD5 hash: 74538bcd359192ab8a3f3f1bf4e84adb
MIME type: application/x-dosexec
Signature: RemcosRAT
Vendor Threat Intelligence

Verdict: Malicious
Score: 97.4%
Tags: Autorun Remcos

Result
Verdict: Malicious
File Type: PE File
Behaviour: BlacklistAPI detected

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2024-10-20 00:58:36 UTC
File Type: Binary (Archive)
Extracted files: 42
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:build discovery persistence rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: 193.29.13.204:5850

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Author:Varp0s

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File type: zip
SHA256 hash: 1135aff0c127721dd6704747c337ce06abd87852f86cc5d19446c0946c644788 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2024-10-23 08:14:03 UTC

url : hxxp://31.15.17.80/mod04/militaryrespondpro.zip