MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a
SHA3-384 hash: 1cee01e1aec40dc581f7f9315ee6296a9e19901780e945b188e4dbd69796814b4159bf14a3c11da80c70c2c5af7fa831
SHA1 hash: 0b24163987dad8512a65a7b14a48ead7dc24d0be
MD5 hash: 0b4132af023dbf62c1e1189d1d64a34d
humanhash: solar-fillet-batman-yellow
File name:0B4132AF023DBF62C1E1189D1D64A34D.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'249'779 bytes
First seen:2023-10-04 16:30:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:dTbBv5rUDkeIdB6jfx40ULKYb7qUdcOT64v0hX55wXMYDRAq0pl0wx:3B9vdce0UmS2gcOTtva5EMMAq0L
Threatray 3'246 similar samples on MalwareBazaar
TLSH T1F7451202BEC188B2D4721D714E366711A57DBC201FA5CFCFA3D4265EDA722C1E6317AA
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 009aa6a39abcbca6 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
95.214.27.6:2409

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/651d934a9b16696e9f90021c/reports/e91e095d-e120-4da5-a643-988bc330e439/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dcb052d5-219c-49bc-88b5-269aa497d88a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319630
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1319630 Sample: 7URSDOIMPL.exe Startdate: 04/10/2023 Architecture: WINDOWS Score: 100 66 lestfuckinggoon.broke-it.net 2->66 68 grosjeangerard.hopto.org 2->68 70 geoplugin.net 2->70 78 Snort IDS alert for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 7 other signatures 2->84 10 7URSDOIMPL.exe 3 76 2->10         started        14 fwwcnta.mp3.exe 1 1 2->14         started        16 fwwcnta.mp3.exe 2->16         started        18 fwwcnta.mp3.exe 2->18         started        signatures3 process4 file5 56 C:\Users\user\AppData\Local\...\fwwcnta.mp3, PE32 10->56 dropped 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->96 20 wscript.exe 2 1 10->20         started        58 c:\tmve\fwwcnta.mp3.exe.exe (copy), PE32 14->58 dropped 60 c:\tmve\fwwcnta.mp3.exe (copy), PE32 14->60 dropped 62 c:\tmve\fwwcnta.mp3 (copy), PE32 14->62 dropped 64 C:\tmve\fwwcnta.mp3.exe.exe, PE32 14->64 dropped 98 Multi AV Scanner detection for dropped file 14->98 100 Found API chain indicative of sandbox detection 14->100 102 Writes to foreign memory regions 14->102 104 Contains functionality to modify clipboard data 14->104 23 RegSvcs.exe 14->23         started        106 Allocates memory in foreign processes 16->106 108 Injects a PE file into a foreign processes 16->108 25 RegSvcs.exe 16->25         started        27 RegSvcs.exe 18->27         started        signatures6 process7 signatures8 94 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->94 29 cmd.exe 1 20->29         started        32 cmd.exe 1 20->32         started        process9 signatures10 110 Uses ipconfig to lookup or modify the Windows network settings 29->110 34 fwwcnta.mp3 1 74 29->34         started        38 conhost.exe 29->38         started        40 conhost.exe 32->40         started        42 ipconfig.exe 1 32->42         started        process11 file12 48 C:\tmve\fwwcnta.mp3.exe, PE32 34->48 dropped 50 C:\tmve\fwwcnta.mp3, PE32 34->50 dropped 52 C:\Users\user\AppData\...\fwwcnta.mp3.exe, PE32 34->52 dropped 54 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 34->54 dropped 86 Multi AV Scanner detection for dropped file 34->86 88 Found API chain indicative of sandbox detection 34->88 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 34->90 92 4 other signatures 34->92 44 RegSvcs.exe 3 16 34->44         started        signatures13 process14 dnsIp15 72 lestfuckinggoon.broke-it.net 212.193.30.230, 2409 SPD-NETTR Russian Federation 44->72 74 grosjeangerard.hopto.org 95.214.27.6, 2409, 49774 CMCSUS Germany 44->74 76 geoplugin.net 178.237.33.50, 49776, 80 ATOM86-ASATOM86NL Netherlands 44->76 112 Contains functionality to bypass UAC (CMSTPLUA) 44->112 114 Contains functionalty to change the wallpaper 44->114 116 Contains functionality to steal Chrome passwords or cookies 44->116 118 5 other signatures 44->118 signatures16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a/
Threat name:
Win32.Trojan.ScarletFlash
Create hunting rule
Status:
Malicious
First seen:
2023-10-01 18:43:51 UTC
File Type:
PE (Exe)
Extracted files:
102
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlxhoxatcupqqu6afw6yaswsl4pknm6f3nrre5qnm6xytzujqrna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1d8ffbf2a386718acac9f307a0b0315be1831b7a3407aeed7cd4b510db02a72c
RemcosRAT
252477ddf7161822a10afaca4c4322246669041ebef55db41b148694f0cce6ed
RemcosRAT
475355b8bf2f2a68293c808cf959de00a8e04d6f48871a5a1fccaf9d318570fa
RemcosRAT
55eebc888e9151e28295587ff7c12c40f8b7ae5f23d29bac79c6444277940a6a
RemcosRAT
658d5f23cc2d33d6d5883e6dbe0e43f80fe93983c53943e8067d18ae161c119d
RemcosRAT
7076d5e0459c068bc798fb168a91c4f33f2895e52356946da3f7617b7fc28b57
RemcosRAT
c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182
RemcosRAT
fcd6b40df9fe59d0322697bb4c2dc465f64e664e58846227e32ea7c6f11252e8
RemcosRAT
+ 3'236 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:cliencours persistence rat
Link:
https://tria.ge/reports/231004-t1c9eada51/
Behaviour
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
lestfuckinggoon.broke-it.net:2409
grosjeangerard.hopto.org:2409
allonsy.hopto.org:2409
Unpacked files
SH256 hash:
7fe4074b11ee2074847a908907aec8c62248ac8a7b6e2a9024d66c0d2d7d85d4
MD5 hash:
57de23344d8dbd18f0946ccc0837a25a
SHA1 hash:
c5fd961ec74436db5a93bf0bb36eff3b47c59492
Link:
https://www.unpac.me/results/bb1612f3-82b7-4dc8-a774-847216425801/
SH256 hash:
b51db8f5ee9cc6239e6025a08ac1e145687d131c1db24383f6d7e28853e6b1fb
MD5 hash:
a3ce38ee43c05ca56ec7f781ba0e5228
SHA1 hash:
215d69bd829ec31b8149f7a60c3d9041fcddc3e1
Link:
https://www.unpac.me/results/bb1612f3-82b7-4dc8-a774-847216425801/
SH256 hash:
1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a
MD5 hash:
0b4132af023dbf62c1e1189d1d64a34d
SHA1 hash:
0b24163987dad8512a65a7b14a48ead7dc24d0be
Link:
https://www.unpac.me/results/bb1612f3-82b7-4dc8-a774-847216425801/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1aee775c1315/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1aee775c13151f0853c02dbd804ad25f1ea6b3c5db6312760d67af89e689845a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments