MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: 289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7
SHA3-384 hash: 4fbe4936a1b5e20691f75ff3a94183d06ba1d81dd7ee0c3c7c024c10ab202b6ac2dbfe4f7b8d3904c176b20b73beab7b
SHA1 hash: 911195edb41cd320d5538fa5560f0bd18eb6c11f
MD5 hash: 5bac811249b2f91a6d769cd4af4154e2
humanhash: alpha-uranus-hamper-crazy
File name: Predictor7.117.msi
Signature: RemcosRAT
File size: 3'032'064 bytes
First seen: 2025-01-30 19:59:51 UTC
Last seen: 2025-01-30 21:25:41 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:kwfjkMo27Epq0n8Toc4Ug8r6F5mCmR+w+TzMShkkcr4u12X8ecau3aLSQlq8HoBu:lYn8ToBo6bqrnbecauKLO8IG/d
Threatray: 4'543 similar samples on MalwareBazaar
TLSH: T127E5DF21B2C7C522C16D0277E969FE1E5538BE730B3045E7B7F4399E49B08C1A27AB52
TrID:
  80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
  10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
  7.8% (.MSP) Windows Installer Patch (44509/10/5)
  1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: HIjackLoader msi RemcosRAT


iamaachum
https://www.youtube.com/watch?v=dbU_gpWdiaI => https://www.youtube.com/channel/UCzKSBEKzHE93-RW2jOTEiyg/community?lb=UgkxlYv6lHtTTlM9m1z4rwWrdn_Q6PTgyRrj => https://app.box.com/s/qulsz9aubfz07k4rz85i7ld4jz6nr4i0

Remcos C2: 185.157.162.126:1995

Intelligence


File Origin
# of uploads: 2
# of downloads: 166
Origin country: ES
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.1%
Tags: shellcode dropper virus
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context cmd fingerprint lolbin msiexec remote wix
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (suspicious strings)
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1603331; sample: Predictor7.117.msi; start date: 30/01/2025; architecture: WINDOWS; score: 100)
Result
Malware family:
Score: 10/10
Tags: family:hijackloader family:remcos botnet:v2 discovery loader persistence privilege_escalation rat
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Use of msiexec (install) with remote resource
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction: 185.157.162.126:1995
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_LATAM_MSI_Banker
Rule name: Suspicious_Latam_MSI_and_ZIP_Files
Author: eremit4, P4nd3m1cb0y
Description: Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File type: Microsoft Software Installer (MSI) msi
SHA256 hash: 289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7 (this sample)

Delivery method
Distributed via web download

Comments