MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27c81964a136a6fc9125ae45ed9873402303c116db13ec14b65cbdd60606eb89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	27c81964a136a6fc9125ae45ed9873402303c116db13ec14b65cbdd60606eb89
SHA3-384 hash:	ac9b5e75bcdcabc5cb6d5bb38f2b398990d86cdefc76c446090a48f69cf14d7353ef55e3c86117fb407914cce9663ab0
SHA1 hash:	902ffe23521976b6ce6a1bb6347a309ec359ffea
MD5 hash:	ed298d3727507724a544adec1a931f72
humanhash:	hotel-bluebird-sink-twenty
File name:	file
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	941'106 bytes
First seen:	2023-06-13 14:20:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	488044b0bdd29fffe63ba8ab8da70aab (1 x RemcosRAT)
ssdeep	24576:lXkjAAPhiVB0UHJMwk8Ar2NPPrFwhN1QRbZPRtc5eD5Vl:JqPhif0UHiwk8NNPPrFwhkbZZi5o/l
Threatray	2'027 similar samples on MalwareBazaar
TLSH	T1DF15AE33DA60310AF92788706CB565AA25266C3A6454AD07F781BF4C60729C7FDF632F
TrID	77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	009b9b9bbaa69a00 (2 x RemcosRAT, 1 x DCRat)
Reporter	jstrosch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-13 14:27:26 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/192a2284-daec-4486-b461-c1335d51e426

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/398437/

Detection(s):

SecuriteInfo.com.Trojan.Heur.5m3@bj5gL8ji.11680.18262.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Searching for synchronization primitives

DNS request

Launching the default Windows debugger (dwwin.exe)

Creating a file

Searching for the window

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

evasive lolbin overlay packed

Link:

https://www.filescan.io/uploads/64887b52c6414862d206ea3e/reports/068003d3-07a9-4b32-b5ac-876bfbfb8d88/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/357d1b80-6efe-47aa-aec8-e84d9539a811

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253763

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/27c81964a136a6fc9125ae45ed9873402303c116db13ec14b65cbdd60606eb89/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2023-06-13 14:21:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 35 (65.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e7ebszfbg2tpzejfvzc63gdtiarqhqiw3mj6yffwls65mbqg5oeq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3d4ffcd1cd594f452ad1c374933eea8dd36d21a6d01372cc7f1afc636d26fa72

RemcosRAT

538b607c03aa2d0960c396529399921f957f421a3ca084d140316e2ee21889cc

RemcosRAT

76005c1982c2d4df1995d8ba0e2163ac84b5009823466b9e043a5a017e15c9cd

RemcosRAT

818bd67db5fe30f5cfdab861f996f30fa20427e3e1aa65ffe6d98f6c7af7558d

RemcosRAT

a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0

RemcosRAT

b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27

RemcosRAT

de33fd9d4c89f8d5ffad69cb7743922d8d22f54890f9ca69161edce001cba9ad

RemcosRAT

e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc

RemcosRAT

+ 2'017 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:millon rat

Link:

https://tria.ge/reports/230613-rn1g3agf25/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

uribetc.con-ip.com:1883

Unpacked files

SH256 hash:

c01b2d3fdf08741f95afe78d894a2302bb377f971dbd85358fc7298dd5a368d2

MD5 hash:

ab645a71c7298da7b8f6aebe6a2421d4

SHA1 hash:

151221cf937d6f920c9376101d72cd2bbb935cc6

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/6c325578-3323-4c19-8aec-504df93de017/

SH256 hash:

27c81964a136a6fc9125ae45ed9873402303c116db13ec14b65cbdd60606eb89

MD5 hash:

ed298d3727507724a544adec1a931f72

SHA1 hash:

902ffe23521976b6ce6a1bb6347a309ec359ffea

Link:

https://www.unpac.me/results/6c325578-3323-4c19-8aec-504df93de017/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/27c81964a136/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/27c81964a136a6fc9125ae45ed9873402303c116db13ec14b65cbdd60606eb89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 27c81964a136a6fc9125ae45ed9873402303c116db13ec14b65cbdd60606eb89

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/398437/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample