MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d594311e4d7dae3812674927df0fdf132fb5ab2d9613b445777282f7a3ee170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 15

SHA256 hash: 1d594311e4d7dae3812674927df0fdf132fb5ab2d9613b445777282f7a3ee170
SHA3-384 hash: 149a43d47b24c984c78a828a44c14376afe6af7a3b7b0035604d19689c630f8239b528e2cc1015de0702a625aaec1d32
SHA1 hash: 4eb590a80040770589aaa7cf5e7471a2faa13745
MD5 hash: 85bc862552f7d952a65d7a06e7731116
humanhash: burger-saturn-undress-west
File name: 85BC862552F7D952A65D7A06E7731116.exe
Signature: RemcosRAT
File size: 1'217'134 bytes
First seen: 2023-12-09 17:25:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep: 24576:DBkVdlYAQQ3u+DA5KaXelwaqBzQyhu1+snYa:lsvx3u+D0Alwn0HRX
Threatray: 3'126 similar samples on MalwareBazaar
TLSH: T18A451202BAC140B2F1722A325A7A9B219A7FBC500B3587DF439C496D6F735C19631BB7
TrID: 76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f2eeaad4ca529ca2 (1 x njrat, 1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
217.76.59.48:24251

Intelligence


File Origin
# of uploads: 1
# of downloads: 350
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Running batch commands
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process by context flags manipulation
Launching a file downloaded from the Internet
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm lolbin overlay packed remcos replace setupapi shdocvw shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 1356964, sample z36uXBbxHN.exe, start date 09/12/2023, architecture WINDOWS, score 100. The graph image itself is not reproduced here; the process tree, dropped files and network contacts recovered from its text are:

Process tree
  z36uXBbxHN.exe
    drops C:\Users\user\AppData\Local\Temp\1rsfx.exe (PE32)
    starts 1rsfx.exe and Acrobat.exe
  1rsfx.exe (Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file)
    drops C:\ProgramData\CustomLogFiles\1r.exe\1r.exe (PE32)
    starts 1r.exe
  1r.exe (Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file)
    drops C:\Users\user\AppData\Local\...\liAaMsfx.exe (PE32) and C:\Users\user\AppData\Local\Temp\MRREM.vbs (Unicode)
    starts wscript.exe and liAaMsfx.exe
  liAaMsfx.exe (Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file)
    drops C:\Users\user\AppData\Local\Temp\liAaM.exe (PE32)
    starts liAaM.exe
  liAaM.exe (Multi AV Scanner detection for dropped file, Contains functionality to bypass UAC (CMSTPLUA), Contains functionality to change the wallpaper, 7 other signatures)
    starts a second liAaM.exe, which installs a global keyboard hook and connects to mr24251.duckdns.org (217.76.59.48, ports 24251, 49729, 49753; SVNET-SE-ASSverigeNetMedianetworkiHalmstadABSE, Sweden)
  wscript.exe, started by 1r.exe (Suspicious powershell command line found, Wscript starts Powershell (via cmd or directly), Windows Scripting host queries suspicious COM object (likely to drop second stage))
    starts powershell.exe (Suspicious powershell command line found, Drops VBS files to the startup folder, Found suspicious powershell code related to unpacking or dynamic code loading), which starts conhost.exe and a child powershell.exe
  child powershell.exe (Writes to foreign memory regions, Injects a PE file into foreign processes)
    drops C:\Users\user\AppData\...\MR_WINDWOS.vbs (Unicode)
    contacts 542199235l.com (92.205.1.71, ports 49736, 49744, 49751; GD-EMEA-DC-SXB1DE, Germany) and 91.213.50.74 (ports 49732, 49743, 49750; ASBAXETNRU, unknown)
    starts RegAsm.exe (Contains functionality to bypass UAC (CMSTPLUA), Contains functionality to change the wallpaper, Contains functionality to steal Chrome passwords or cookies, 3 other signatures) and cmd.exe, which runs schtasks.exe (Uses schtasks.exe or at.exe to add and modify task schedules)
  Two further wscript.exe instances and 5 other processes at the root of the graph each start powershell.exe; those chains again reach cmd.exe, RegAsm.exe and schtasks.exe (Suspicious powershell command line found, Found suspicious powershell code related to unpacking or dynamic code loading, Writes to foreign memory regions, Injects a PE file into foreign processes); one of the 5 other processes contacts 127.0.0.1 (unknown)
  Acrobat.exe starts AcroCEF.exe, which connects to 23.202.144.132 (ports 443, 49742; CWVodafoneGroupPLCEU, United States)

Graph-level signatures: Snort IDS alert for network traffic, Multi AV Scanner detection for domain / URL, Found malware configuration, 14 other signatures, Uses dynamic DNS services (mr24251.duckdns.org)
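The sandbox tree above (wscript.exe launching powershell.exe, powershell.exe spawning cmd.exe and schtasks.exe, RegAsm.exe started by powershell.exe as an injection target, a .vbs written to the startup folder) is the kind of parent/child relationship a Sysmon or EDR rule catches without any hash. The following is an added example, not code from this page or from the sandbox vendor: it rebuilds process lineage from constructed Sysmon-style events modelled on that tree and applies four chain rules. GUIDs, command lines and the sample's own path are assumptions (the page names the binaries, not their arguments), and the Startup-folder location of MR_WINDWOS.vbs is assumed from the "Drops VBS files to the startup folder" signature because the page truncates the real path.

```python
import ntpath

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta")

# Constructed Sysmon-style events (not from the page): id 1 = process create,
# id 11 = file create. GUIDs, command lines (marked <placeholder>) and the
# sample's own path are assumptions; the Startup-folder path of MR_WINDWOS.vbs
# is assumed from the sandbox signature, the page truncates it.
EVENTS = [
    {"id": 1, "guid": "p1", "parent": None, "image": r"C:\Users\user\Desktop\z36uXBbxHN.exe", "cmd": "z36uXBbxHN.exe"},
    {"id": 1, "guid": "p2", "parent": "p1", "image": r"C:\Users\user\AppData\Local\Temp\1rsfx.exe", "cmd": "1rsfx.exe"},
    {"id": 1, "guid": "p3", "parent": "p2", "image": r"C:\ProgramData\CustomLogFiles\1r.exe\1r.exe", "cmd": "1r.exe"},
    {"id": 1, "guid": "p4", "parent": "p3", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //B C:\Users\user\AppData\Local\Temp\MRREM.vbs"},
    {"id": 1, "guid": "p5", "parent": "p4", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -WindowStyle Hidden -Command <placeholder>"},
    {"id": 1, "guid": "p6", "parent": "p5", "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c schtasks <placeholder>"},
    {"id": 1, "guid": "p7", "parent": "p6", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /create /tn <placeholder> /tr <placeholder>"},
    {"id": 1, "guid": "p8", "parent": "p5", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmd": "RegAsm.exe"},
    {"id": 11, "guid": "p5", "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MR_WINDWOS.vbs"},
    # Benign control events: an interactive PowerShell and a shortcut in Startup.
    {"id": 1, "guid": "p9", "parent": None, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "guid": "p10", "parent": "p9", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe"},
    {"id": 11, "guid": "p9", "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
]


def _name(image):
    """Lower-cased image basename, so rules compare 'powershell.exe' regardless of path or case."""
    return ntpath.basename(image).lower()


def lineage(procs, guid):
    """Process names from `guid` up to the root, e.g. ['schtasks.exe', 'cmd.exe', 'powershell.exe', ...]."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:   # `seen` guards against cyclic parent data
        seen.add(guid)
        chain.append(_name(procs[guid]["image"]))
        guid = procs[guid]["parent"]
    return chain


def detect(events):
    """Apply the four chain rules; return [(rule_name, evidence), ...] in event order."""
    procs = {e["guid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 1:
            chain = lineage(procs, e["guid"])
            name, ancestors = chain[0], chain[1:3]   # parent and grandparent: cmd.exe often sits in between
            evidence = " <- ".join(chain)
            if name == "powershell.exe" and "wscript.exe" in ancestors:
                alerts.append(("wscript_starts_powershell", evidence))
            if name == "schtasks.exe" and "/create" in e["cmd"].lower() and "powershell.exe" in ancestors:
                alerts.append(("powershell_creates_scheduled_task", evidence))
            if name == "regasm.exe" and ancestors[:1] and ancestors[0] in SCRIPT_HOSTS:
                alerts.append(("regasm_spawned_by_script_host", evidence))
        elif e["id"] == 11:
            target = e["target"].lower()
            if STARTUP_DIR in target and target.endswith(SCRIPT_EXT):
                writer = procs.get(e["guid"])
                evidence = f"{_name(writer['image']) if writer else '?'} -> {ntpath.basename(e['target'])}"
                alerts.append(("script_dropped_in_startup_folder", evidence))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule:36} {evidence}")
```

The rules look two levels up rather than only at the direct parent because the page's own tree shows cmd.exe between powershell.exe and schtasks.exe; a parent-only rule would miss that step. The benign explorer.exe to powershell.exe chain and the .lnk in the Startup folder produce no alerts.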
Threat name:
Win32.Trojan.Vigorf
Status:
Malicious
First seen:
2023-12-07 06:52:00 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:dicc05 rat
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
mr24251.duckdns.org:24251
Dropper Extraction:
http://91.213.50.74/GREEN/RX/nuevadll.txt
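The indicators this entry exposes (sample hashes, the extracted C2 host and port, the dropper URL) are most useful when run against your own telemetry. The following is an added example, not MalwareBazaar's or any vendor's code: a Python matcher that scans DNS, firewall, proxy and EDR log lines for the indicators listed on this page and grades each hit, treating a known C2 host on an unexpected port, or the dropper host with a different path, as weaker evidence than an exact match. The log lines, timestamps, client addresses and byte counts are constructed for the illustration; only the indicator values are the page's.

```python
import re
from urllib.parse import urlparse

# Indicators copied from this MalwareBazaar entry.
IOC_HASHES = {
    "1d594311e4d7dae3812674927df0fdf132fb5ab2d9613b445777282f7a3ee170",  # SHA256, submitted sample
    "4eb590a80040770589aaa7cf5e7471a2faa13745",                          # SHA1, submitted sample
    "85bc862552f7d952a65d7a06e7731116",                                  # MD5, submitted sample
    "a03b70e26284111d1d47bf162cd6d13bd49477597e9d3a2498583849f151ff91",  # SHA256, unpacked Remcos payload
}
IOC_C2 = {("mr24251.duckdns.org", 24251), ("217.76.59.48", 24251)}
IOC_C2_HOSTS = {host for host, _ in IOC_C2}
IOC_DROPPER = urlparse("http://91.213.50.74/GREEN/RX/nuevadll.txt")

HEX_HASH = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_PORT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b", re.I)
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed log lines (not from the page); the indicator values are the page's.
SAMPLE_LOGS = [
    "2023-12-09T17:30:01Z dns client=10.0.0.12 qname=mr24251.duckdns.org qtype=A answer=217.76.59.48",
    "2023-12-09T17:30:02Z fw allow src=10.0.0.12:49729 dst=217.76.59.48:24251 proto=tcp",
    "2023-12-09T17:29:55Z proxy GET http://91.213.50.74/GREEN/RX/nuevadll.txt 200 bytes=48213 client=10.0.0.12",
    "2023-12-09T17:29:40Z edr file_create path=C:\\Users\\user\\AppData\\Local\\Temp\\1rsfx.exe"
    " sha256=1D594311E4D7DAE3812674927DF0FDF132FB5AB2D9613B445777282F7A3EE170",
    "2023-12-09T17:31:00Z proxy GET https://www.example.org/index.html 200 bytes=1200 client=10.0.0.13",
    "2023-12-09T18:00:00Z fw allow src=10.0.0.12:50001 dst=mr24251.duckdns.org:8080 proto=tcp",
]


def match_line(line):
    """Return [(severity, reason), ...] for one log line; [] when nothing matched."""
    hits = []
    reported = set()   # hosts already explained by a stronger hit on this line

    # 1. File hashes (EDR / AV / sandbox output), case-normalised.
    for h in {h.lower() for h in HEX_HASH.findall(line)}:
        if h in IOC_HASHES:
            hits.append(("high", "known sample hash " + h))

    # 2. Dropper URL (proxy logs). Exact path is high; the same host with another
    #    path is medium, since the same server may serve further stages.
    for url in URL.findall(line):
        u = urlparse(url)
        if u.hostname == IOC_DROPPER.hostname:
            if u.path == IOC_DROPPER.path:
                hits.append(("high", "dropper URL " + url))
            else:
                hits.append(("medium", f"dropper host {u.hostname} ({u.path})"))
            reported.add(u.hostname)

    # 3. host:port pairs (firewall / NetFlow). The Remcos C2 port is set by the
    #    operator, so a known host on a different port is still a medium hit.
    for host, port in HOST_PORT.findall(line):
        host = host.lower()
        if host in IOC_C2_HOSTS:
            sev = "high" if (host, int(port)) in IOC_C2 else "medium"
            hits.append((sev, f"C2 {host}:{port}"))
            reported.add(host)

    # 4. Bare hosts (DNS logs): a C2 host without a port, or any other DuckDNS
    #    name, which the sandbox flagged as 'Uses dynamic DNS services'.
    for host in HOST.findall(line) + IPV4.findall(line):
        host = host.lower()
        if host in reported:
            continue
        if host in IOC_C2_HOSTS:
            hits.append(("medium", "C2 host " + host))
        elif host.endswith(".duckdns.org"):
            hits.append(("low", "dynamic DNS host " + host))
        reported.add(host)
    return hits


def scan(lines):
    """Scan an iterable of log lines; return {line_number: hits} for lines that matched."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := match_line(line))}


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS).items():
        for sev, reason in hits:
            print(f"line {n}: [{sev}] {reason}")
```

Exact C2 host:port and dropper URL matches, and sample hashes, are graded high; the DNS line grades medium because it shows the C2 name and address without the port, and the last firewall line grades medium because the operator-chosen port differs from the extracted configuration. The example.org line produces nothing.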
Unpacked files
SHA256 hash: 80615402967d426e407ba23a7d348129bda099daee3f950edbb267ebaf5492b1
MD5 hash: 82127507ee706d76bb1b36e1f6b84ecd
SHA1 hash: 756a2b0f8add66edd580fda522015a2989256c39

SHA256 hash: 57f431c98c67de2e91db5fdf2871ca1ab9265548c5e7db44f33e25eca57b49a7
MD5 hash: 123fbadb000d176521e431026851290a
SHA1 hash: 862bf80f61d9ab314c6a1775251d0a30b3dce7e8
Detections: win_xorist_auto

SHA256 hash: a03b70e26284111d1d47bf162cd6d13bd49477597e9d3a2498583849f151ff91
MD5 hash: 89151e783d5f5021c380c428d28a96cc
SHA1 hash: d44b112d8221f28303d66535041aefd14d7fb5e8
Detections: Remcos win_remcos_w0 win_remcos_auto malware_windows_remcos_rat INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM win_remcos_rat_unpacked

SHA256 hash: 1d594311e4d7dae3812674927df0fdf132fb5ab2d9613b445777282f7a3ee170
MD5 hash: 85bc862552f7d952a65d7a06e7731116
SHA1 hash: 4eb590a80040770589aaa7cf5e7471a2faa13745
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu
Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload
Rule name: REMCOS_RAT_variants
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.
Rule name: win_remcos_w0
Author: Matthew @ Embee_Research
Description: Detects strings present in remcos rat Samples.
Rule name: yarahub_win_remcos_rat_unpacked_aug_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments