MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951
SHA3-384 hash: 83b34614b23fbd45f6d1b362944cb1a9d11a0bbc4fdeec0c009e87d339ba786a7deadba9dfc61fdf6b5bc4b679b37067
SHA1 hash: 264913b46efa6d7a83532bdcbec01238b53b2a3e
MD5 hash: b9ab2ee5a663f2dc7b4de510a5daa8f4
humanhash: nitrogen-triple-colorado-high
File name:SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.4029.32589
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:596'643 bytes
First seen:2022-10-27 09:19:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:h6dKp8/qO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGH8:h6dZqZlT+lQTD/O3BArRCH8
Threatray 281 similar samples on MalwareBazaar
TLSH T11AC401C6FA4054A1ED2A97711A37DA318A637C7D81B0252D2FCE7E7B3EBF4924811487
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0c4 (63 x Formbook, 23 x AgentTesla, 8 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.4029.32589
Verdict:
Malicious activity
Analysis date:
2022-10-27 09:21:20 UTC
Tags:
autoit remcos
Link:
https://app.any.run/tasks/c3619a36-5995-4af6-8f92-e5e99ddbde94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324799/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.4029.32589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45917/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/335fe637-7ca5-4c7a-9332-34711089ff3b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099149
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 06:19:17 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2rb5yvb5neooy5blt5nrw4scsawqq4lnv2n5tgmgq42fgsmxfiq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
RemcosRAT
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
RemcosRAT
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
RemcosRAT
7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571
RemcosRAT
8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
RemcosRAT
8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
RemcosRAT
a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
RemcosRAT
d5edadd969395a3c5fd2a2cf9832684b11680480b5ca75b464988cff244a6d6d
RemcosRAT
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
RemcosRAT
+ 271 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221027-larp4sbff3/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/80588708-fd9d-45a0-87eb-d489c1e34228
Unpacked files
SH256 hash:
833f5ab8c3149d64200252aecf1cc0f5ed992293dc89d25fc5d15c87f1a94edd
MD5 hash:
16aeb45113c6c1783c740cdd8207bd55
SHA1 hash:
90296cf788e60e6ca883581656a2f40d5b0ed6ff
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Link:
https://www.unpac.me/results/4a1c9dc8-eee4-4d36-8fbb-3992295f8ff3/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/4a1c9dc8-eee4-4d36-8fbb-3992295f8ff3/
SH256 hash:
26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951
MD5 hash:
b9ab2ee5a663f2dc7b4de510a5daa8f4
SHA1 hash:
264913b46efa6d7a83532bdcbec01238b53b2a3e
Link:
https://www.unpac.me/results/4a1c9dc8-eee4-4d36-8fbb-3992295f8ff3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/26a21ee2a1eb48e763a15cfad8db92148168438b6d74decccc3439a29a4cb951

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324799/

Comments