MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea
SHA3-384 hash: b8c124bfe7588fa2f18267bd503284ed582362b1653c662924d4eb27c2d1fd2f5f5396996e4a5288e270491ed1b29c2a
SHA1 hash: 2eef653f737a2c86c4c9af3d94f748bac9c52a44
MD5 hash: b37259943945d40df757d792def9cba3
humanhash: fruit-mars-apart-lake
File name:TTCOPY_pdf_..exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:533'442 bytes
First seen:2023-07-21 15:03:16 UTC
Last seen:2023-07-22 10:31:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep 12288:x3DkEGDINi1E0rC845D6LZjK3XRTQOOedxApoUl27bU9U4:ZDkUNi1EYCRDij0RTBlxAmUl27bU9U4
Threatray 467 similar samples on MalwareBazaar
TLSH T12BB4F121B6C08872E9B619341AF1A772AB3DBC300F358ADB57447B6D5F304C1AA39763
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0c16baaaa2ae8614 (1 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TTCOPY_pdf_..exe
Verdict:
Suspicious activity
Analysis date:
2023-07-21 15:06:19 UTC
Tags:
keylogger
Link:
https://app.any.run/tasks/7aa9a0f8-c1ec-46d3-8154-d63ba827035a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/427428/
Detection(s):
Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL
Create hunting rule

Win.Trojan.Remcos-9841897-0
Create hunting rule

Win.Trojan.Remcos-10002580-0
Create hunting rule

SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c97a295-2742-4983-aa95-5c1a82a726c4
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277486
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 13:11:14 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
28 of 35 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwss2q7kov2w3dssyucw52t4mctvgcaulx4k7zdzpgpmgc63clva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f611b87697a816d5b37f745fa94c89315327ba3458c190fe41efd891ccd5196
RemcosRAT
1297278ef746096841eeadfbd09a124e044a52bee1be093b4484f95af475c2b3
RemcosRAT
4b66b1c337c83ccb79e4862a7a32421fd75a565a59fee1f830d4aae55b64af9a
RemcosRAT
4eaf10beee3ffe3dff4d6bd78c7a8f04c7a1b067c1f7cb6d414a53d56b1dee8e
RemcosRAT
7e9ed4d997f5a2c2d35cb8c49f66625eb37d3711906dc39dfc6e34319ad3a2cc
RemcosRAT
9483e96760c36e3321a8ccba6968aa4c1707f0cf91fd48fbb7d8afca6006e91e
RemcosRAT
979b67124f30f347688897010f34abf0467a67516ba011c9601cf06a14be0432
RemcosRAT
9dcfe4a742d054e152e5e8b1f7c2c88aa5efa7896a5e072ca6af8f723d9c1509
RemcosRAT
a54c57d081e28c09d26a5ef8d3b471af22e6b4ab2f65b1a89bb2a79c23872135
RemcosRAT
+ 457 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/230721-sfk8vafb47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
rwanda1010.duckdns.org:2404
Unpacked files
SH256 hash:
43e42969cc1eb4f92dd1337990095dce80ef5a84fb03f8d7eab019979f270e2d
MD5 hash:
98361b2b44ae9821baed43b815a94fc8
SHA1 hash:
bd883ef1942aae68a57db2a01698e6cc6a477c07
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/e620d71d-668e-4c1c-9724-b4bada191d0f/
SH256 hash:
1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea
MD5 hash:
b37259943945d40df757d792def9cba3
SHA1 hash:
2eef653f737a2c86c4c9af3d94f748bac9c52a44
Link:
https://www.unpac.me/results/e620d71d-668e-4c1c-9724-b4bada191d0f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1da52d43ea75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 1da52d43ea75756d8e52c5056eea7c60a75308145df8afe479799ec30bdb12ea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/427428/

Comments