MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 236295fb5aef2564336196bce9faa74a2887ce6b5a7c28fe2709700d0abd0a42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 236295fb5aef2564336196bce9faa74a2887ce6b5a7c28fe2709700d0abd0a42
SHA3-384 hash: e39c1c369d5bb9aef5113af4b197280c4245e4cc8c22f755f1d0d01d70fa125a2d8d8dc8efa594e37527d3d8f7c96038
SHA1 hash: 7d254a33b731a2cb7a92b793e245dc39c695931b
MD5 hash: b6f5d4008f742b9ec7efc477ed765e17
humanhash: tennessee-massachusetts-wyoming-paris
File name:SecuriteInfo.com.Trojan.PackedNET.1603.24519.5449
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:14'848 bytes
First seen:2022-10-05 20:36:03 UTC
Last seen:2022-10-06 08:31:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:Fan1+5Dc8WnXq8LsRMqGLdL/veR/hSoKsBwFmArXa:u1+5oxn58MBl+1hvLCXa
Threatray 1'099 similar samples on MalwareBazaar
TLSH T1AA621820D78F1AF6ED3A037FA893EFC4C275A251596EFA9ED89430877D13E02CA61541
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317028/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1603.24519.5449.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633deaef78d4acb349f4d79a/reports/a215a454-abdb-4b31-bbd8-548f45c3cdb9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/207bec44-10c3-4736-a76a-6192e71fc35f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084460
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 717021 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 7 other signatures 2->49 7 SecuriteInfo.com.Trojan.PackedNET.1603.24519.5449.exe 16 7 2->7         started        12 Bghqgoa.exe 14 3 2->12         started        14 Bghqgoa.exe 3 2->14         started        process3 dnsIp4 41 195.178.120.62, 49701, 49706, 49707 HEXAGLOBE-ASFR unknown 7->41 31 C:\Users\user\AppData\Roaming\...\Bghqgoa.exe, PE32 7->31 dropped 33 C:\Users\user\...\Bghqgoa.exe:Zone.Identifier, ASCII 7->33 dropped 35 SecuriteInfo.com.T....24519.5449.exe.log, ASCII 7->35 dropped 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Encrypted powershell cmdline option found 7->53 55 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->55 16 SecuriteInfo.com.Trojan.PackedNET.1603.24519.5449.exe 2 14 7->16         started        19 powershell.exe 16 7->19         started        57 Multi AV Scanner detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 21 powershell.exe 11 12->21         started        23 powershell.exe 14->23         started        file5 signatures6 process7 dnsIp8 37 45.155.165.117, 40004, 49704 AGROSVITUA Russian Federation 16->37 39 geoplugin.net 178.237.33.50, 49705, 80 ATOM86-ASATOM86NL Netherlands 16->39 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/236295fb5aef2564336196bce9faa74a2887ce6b5a7c28fe2709700d0abd0a42/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 18:26:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=enrjl62254swim3bs26ot6vhjiuipttllj6cr7rhbfya2cv5bjba._file
Verdict:
malicious
Similar samples:
580a1bcb7cc0927db546f56a360dc9378bf443bbe3777c243934d62627dd8539
RemcosRAT
61bbac79c7d461b83943fdc0320d01430deb4b81cc294e2f07ae45e55ab52fa8
RemcosRAT
64dc20de06878b88c91f6bd86256d4724418b7f6483ebd69247e6b1bd3f6c04f
RemcosRAT
7ef24f6499dd9fc7809783a98febc44c2dc25a3f74d02c9bf8ddbae0d3b781c6
RemcosRAT
9f3b0574ee8ea34114c6de2ed4f351552400569e42d4032a2ec5dcff3107af1c
RemcosRAT
b5de0c74c3c5e35b578d47b4e146d338982940f8bd0f213bc5548143db78079d
RemcosRAT
df4e59b22b91c69afdd19354ac0a21393799a3b9b0c3dc8aef521b2a034611b4
RemcosRAT
f8104df0ceb9c7436cbf11637dc18947d64799a4fd58a85238c522363763122c
RemcosRAT
+ 1'089 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:40004 collection persistence rat spyware stealer
Link:
https://tria.ge/reports/221005-zdlj6afgfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
45.155.165.117:40004
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e4ad435f-ad56-41d8-bfea-523d429b9c7a
Unpacked files
SH256 hash:
236295fb5aef2564336196bce9faa74a2887ce6b5a7c28fe2709700d0abd0a42
MD5 hash:
b6f5d4008f742b9ec7efc477ed765e17
SHA1 hash:
7d254a33b731a2cb7a92b793e245dc39c695931b
Link:
https://www.unpac.me/results/b74d2c67-6bf1-4be2-8f0c-bcbf950a25f0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/236295fb5aef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/236295fb5aef2564336196bce9faa74a2887ce6b5a7c28fe2709700d0abd0a42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317028/

Comments