MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14537704270b4f5374035799ad456b43bd9c003a4f705f37a6aee9f3a80a03f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	14537704270b4f5374035799ad456b43bd9c003a4f705f37a6aee9f3a80a03f8
SHA3-384 hash:	5741f46ed3c6c1ecd3e71db19f6e36d4a895335ba10d45d617cfb87009c313e5046c4986bac6d9d508a304d31b771c2e
SHA1 hash:	18769b8a6fc43887d259ec3fcde5ab24b8a64fb6
MD5 hash:	cb7347e9baffc20010abac62c1836095
humanhash:	alpha-lima-four-football
File name:	SecuriteInfo.com.Win64.Malware-gen.61.18834
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	12'399'616 bytes
First seen:	2023-06-30 18:45:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep	196608:kJYFLMxbuvuicV+wFjkCJB8Nw7GjMtBoeLN7X2WpNU757vM07VJ2rJCN90XlVL4u:1vvuSCjD8MGYtBoiGWkbM07DtNaXlVL/
Threatray	30 similar samples on MalwareBazaar
TLSH	T1CFC633091AD83269FCA06777E4E6190359F47C5E4335EEBF1E9244158E23BA42B3B32D
TrID	83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 4.4% (.EXE) Win64 Executable (generic) (10523/12/4) 2.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/404477/

Detection(s):

SecuriteInfo.com.Win64.Malware-gen.61.18834.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Sending a custom TCP request

Creating a file

Setting a keyboard event handler

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/94395/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

advpack CAB control explorer installer lolbin packed rundll32 setupapi shell32

Link:

https://www.filescan.io/uploads/649f22f91a035eeff9b3964e/reports/02220096-fb11-4a7e-b987-dc56788859f2/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/14537704270b4f5374035799ad456b43bd9c003a4f705f37a6aee9f3a80a03f8

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bd6ff825-3525-4e3c-b7ac-8ee41d0d540b

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1264177

Signature

C2 URLs / IPs found in malware configuration

Downloads files with wrong headers with respect to MIME Content-Type

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/14537704270b4f5374035799ad456b43bd9c003a4f705f37a6aee9f3a80a03f8/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-30 15:03:31 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=crjxobbhbnhvg5adk6m22rllio6zyab2j5yf6n5gv3u7hkakap4a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0f0760eb43d1a3ed16b4842b25674e4d6d1239766243bac1d4c19341bb37d5b8

RemcosRAT

326e9ddf345c6128976b27ddab85e060e612b5977fc733448b5c0d7d5fa64c8b

RemcosRAT

32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db

RemcosRAT

b219506b8c5418d07c30c49b40ba373e2f21100fe529d79ff675941441b5a02f

RemcosRAT

de0859dc256e79ebcf1787589be8826e08c775ceb8e40f45e55f86bb3b648725

RemcosRAT

ec786af55576e020a5cd63cefc5458b46868055b6222e255d35b4ec4689cbfd6

RemcosRAT

ef7534cbfb9701ec011fa5354837d6504aa36631e67ee7e328e33e2b751ba413

RemcosRAT

+ 20 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:work persistence rat

Link:

https://tria.ge/reports/230630-xenpssfd31/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

141.98.83.15:5750

Unpacked files

SH256 hash:

14537704270b4f5374035799ad456b43bd9c003a4f705f37a6aee9f3a80a03f8

MD5 hash:

cb7347e9baffc20010abac62c1836095

SHA1 hash:

18769b8a6fc43887d259ec3fcde5ab24b8a64fb6

Link:

https://www.unpac.me/results/3fe92ea8-4761-4a7b-9136-723a4dd91987/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/14537704270b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/14537704270b4f5374035799ad456b43bd9c003a4f705f37a6aee9f3a80a03f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/404477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample