MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075
SHA3-384 hash: b5c21d337fef2c611921cac51540431616a571fa7acec32df1b0a013992031403849728151301b97dba1c3c7e7994fa0
SHA1 hash: 29b47295801378189b842715da51f31c12a3331b
MD5 hash: d29616351ef9a129027188527865b943
humanhash: maryland-winter-asparagus-lactose
File name:P04562345.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'101'320 bytes
First seen:2024-10-09 12:22:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:VeYzaZsWKMgptI3AeFGuD+x5ou+qxzc0xh276F6+E9:MZDYptCAef17A2O09
Threatray 4'485 similar samples on MalwareBazaar
TLSH T15235D01476948F53CA3587F57872E07113F81F6EA42EE2655EC26EEBB9A1F008960F43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Anonymous
Tags:bat exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://awesomeoutrageousgames.com/P04562345.zip
Verdict:
Malicious activity
Analysis date:
2024-10-09 09:58:52 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/d08b4e0a-1239-4a42-b55d-efbc32e131c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Nanocore-10025638-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670675aff936b5621b0bd1d0
Tags:
Powershell Remcos
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade overlay packed remcos signed
Link:
https://www.filescan.io/uploads/670675b14f53598f14939c4d/reports/1a48a521-cc6c-4cc6-8296-34679221a2e8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2781df90-3b4d-447e-ae6f-d4450b2ef6a9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529920
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529920 Sample: P04562345.bat.exe Startdate: 09/10/2024 Architecture: WINDOWS Score: 100 31 geoplugin.net 2->31 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 10 other signatures 2->45 8 P04562345.bat.exe 4 2->8         started        signatures3 process4 file5 27 C:\Users\user\...\P04562345.bat.exe.log, ASCII 8->27 dropped 47 Contains functionality to bypass UAC (CMSTPLUA) 8->47 49 Contains functionalty to change the wallpaper 8->49 51 Contains functionality to steal Chrome passwords or cookies 8->51 53 5 other signatures 8->53 12 P04562345.bat.exe 3 15 8->12         started        17 powershell.exe 22 8->17         started        19 P04562345.bat.exe 8->19         started        21 P04562345.bat.exe 8->21         started        signatures6 process7 dnsIp8 33 154.216.17.185, 49712, 6902 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 12->33 35 127.0.0.1 unknown unknown 12->35 37 geoplugin.net 178.237.33.50, 49714, 80 ATOM86-ASATOM86NL Netherlands 12->37 29 C:\ProgramData\remcos\logs.dat, data 12->29 dropped 55 Detected Remcos RAT 12->55 57 Installs a global keyboard hook 12->57 59 Loading BitLocker PowerShell Module 17->59 23 WmiPrvSE.exe 17->23         started        25 conhost.exe 17->25         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-10-09 09:39:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4rejtf6nq6n4obezc4adiyahe56xwojvioekof6bnt2lz3b6b2q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
36a22cbcec85d96aec5d2d078668d6f04e76407bd350969f9960e5f20a932717
RemcosRAT
b8f10c23448f6d30808e7e74322ebd4121cf2c589c86cc3b0b57df6c705a867e
RemcosRAT
c3a3e14fe23932fae3b25d5845274b981ca64a465ec56fe2f042dbfe05568d16
RemcosRAT
d3a32f2258bd5eff952576259dd78a6e73f56d52d07783d4fbc3ffd966549950
RemcosRAT
d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2
RemcosRAT
error
RemcosRAT
+ 4'475 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery execution rat
Link:
https://tria.ge/reports/241009-pkg57syemg/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Remcos
Malware Config
C2 Extraction:
127.0.0.1:3000
154.216.17.185:6902
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2337a42e-6c24-48f7-adc6-70593e522f45
Unpacked files
SH256 hash:
f272d60f383f23eac3aeeb62a83d2d9488bd8b77db12b686710a042d4b4ee63f
MD5 hash:
22dd76025045b3ff4830e89023f62e0b
SHA1 hash:
6b1a7e7f404b8502693a2a134fe798df627418e7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
SH256 hash:
352ec951669e2067e296f5cd89b97480219bc6e42ef46b69db062c4476f8acf0
MD5 hash:
3b9e94324980dbd59dc718991c7a3b56
SHA1 hash:
5747104cebd6571cebe336c3b2f7e95eb066b706
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
SH256 hash:
a44a8db556aeabfcea65507b1668827fc628981d657efa20203936ac7ff449dc
MD5 hash:
b283acba0a5390e063b11a0a75fe0b7e
SHA1 hash:
3cedd86279d1c2811123e89e9e06a4812b934d85
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
SH256 hash:
5ca35eef8d3edb723c03a746ad6c923b82001fe04096578a189f5d8e719b9316
MD5 hash:
f30c79e19c6784ba101d124b8a824b85
SHA1 hash:
7d301917f3456029be6015ceaf2c8705eddafd85
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
SH256 hash:
cd55987925ac1caa25d5991a4796622ac9b17fb32fadc3260f33f6263f776cd2
MD5 hash:
eb737ced874f049d2d2c5244e90892b3
SHA1 hash:
9b537bf3ad4cf8dc56f8812d26d79a33b58ee408
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
SH256 hash:
1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075
MD5 hash:
d29616351ef9a129027188527865b943
SHA1 hash:
29b47295801378189b842715da51f31c12a3331b
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/4c832d78-6192-43e4-a8ce-cc98db536aef/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f2244ccbe6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f2244ccbe6c3cde3824c8b801a300393bebd9c9aa1c4538be0b67a5e761f075

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments