MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031
SHA3-384 hash:	9d1133eca7a3cc29699f293d5f78284037959998aa57870e546f0d01be904a73bb4c7d16560d9b6d20f2654f393c1cb1
SHA1 hash:	0ef62f41167da3e66f8a99010442f42818312d25
MD5 hash:	e73ae25fc0adaafd0b7e6adbdc06683f
humanhash:	uncle-finch-nineteen-summer
File name:	e73ae25fc0adaafd0b7e6adbdc06683f.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	421'376 bytes
First seen:	2023-06-01 10:40:45 UTC
Last seen:	2023-06-01 13:31:18 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:M38GnCBfDq5bl3eOBWTtZSGSODTBCLzLdNBkI2:+blODijLfdNl2
Threatray	2 similar samples on MalwareBazaar
TLSH	T1FA94F19AB507B5CEC956D1B7CA9A0C249760F6A36317C107684B236EDE0E7A7CF104E3
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

e73ae25fc0adaafd0b7e6adbdc06683f.exe

Verdict:

Malicious activity

Analysis date:

2023-06-01 10:48:18 UTC

Tags:

remcos stealer

Link:

https://app.any.run/tasks/cf9babae-b517-46b3-a770-04cda8642cee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/394345/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1268.14308.9446.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex packed packed remcos

Link:

https://www.filescan.io/uploads/647875bf8c539ae218a0ab08/reports/85d2b6f6-d791-4785-9404-2fddb043cb45/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f2a0b60-8ee1-406a-95bc-d48ed8b9c240

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1246715

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to modify clipboard data

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-01 10:41:05 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dtuwudvwucq4hm5jsw6zkxi3utnnd5cs25q7u7ozpcxmtz4wkayq._file

Verdict:

unknown

RemcosRAT

cb5f2d567ac857027fbcd749e58536691551abe07d18db0a378c1ac6134f6a61

RemcosRAT

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230601-mq4v2sec5y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

127.0.0.1:55433
185.65.134.166:55433
10.11.0.5:55433
45.128.234.54:55433

Unpacked files

SH256 hash:

1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031

MD5 hash:

e73ae25fc0adaafd0b7e6adbdc06683f

SHA1 hash:

0ef62f41167da3e66f8a99010442f42818312d25

Link:

https://www.unpac.me/results/d697609d-ee21-4756-b41b-bb83d22493cb/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ce96a0eb6a0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.