MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64
SHA3-384 hash:	93f16ad488b55357b01f2643099333d5dca3864e61985a0801ed82bc59393761e78aeb9fab1d9162dc006075afbb219f
SHA1 hash:	25e53a950c8284167d25f99f171a03f9d6bf9ac5
MD5 hash:	14ac6f908ca2112dae932a9bff75d574
humanhash:	ceiling-carbon-colorado-coffee
File name:	14ac6f908ca2112dae932a9bff75d574.exe
Download:	download sample
Signature	RemcosRAT Alert Create hunting rule
File size:	1'007'104 bytes
First seen:	2023-05-11 15:26:29 UTC
Last seen:	2023-05-11 16:32:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:5Tmv2msrnakLq4TuePtJlKvc0L4wnapV1gccz7LIoJfgPLxIZf2Fz+oub6u:dmaXLjuWtvEL4eQVXyvIoNoKom
Threatray	2'955 similar samples on MalwareBazaar
TLSH	T1D225F18A033FBED1D6541B70264438574B3DB11775F8B0BC791BB888C9AFD218BE8666
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

284

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN remcos

Malware family:

remcos

Alert

Create hunting rule

ID:

1

File name:

14ac6f908ca2112dae932a9bff75d574.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 15:27:47 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/aa8b1a0b-6fcc-452c-9047-27b290130bcf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Remcos

Detection:

Remcos

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388421/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Siggen20.47854.20834.18228.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Setting a keyboard event handler

DNS request

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645d09491decb4d48feaa44d/reports/cb20b75a-9865-4b15-8941-f2d9e82c74b0/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer REMCOS

Malware family:

REMCOS

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d025a15e-0dd9-48d3-8849-c99bad198ec6

Joe Sandbox Remcos

Result

Threat name:

Remcos

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1230883

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64/

ReversingLabs TitaniumCloud Win32.Backdoor.NanoCore

Threat name:

Win32.Backdoor.NanoCore

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-10 21:50:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

8

AV detection:

17 of 36 (47.22%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=felvlse3w3lx3vb4otfqie67qa3sitpl227n2kugt3px37ijbvsa._file

Threatray remcos

Verdict:

malicious

Label(s):

remcos

Alert

Create hunting rule

Similar samples:

11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e

RemcosRAT

1abe11cf0a879b99c092a403e9efedf7ecda8e92c6708c31c799ce36c2da26a8

RemcosRAT

2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b

RemcosRAT

2b4c534df5fe4c7ee7a402f384109cb60b54c7f301ef8644e7b1eba397d89f2b

RemcosRAT

32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db

RemcosRAT

3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb

RemcosRAT

6053c5c3a4202b8c2e6b2f176a99c980233f63024be06b67d3a30e2f0b4470f4

RemcosRAT

aa2caafd9a1d53df2112c9081fb5686e04283be0da13d94bacdfc8c9addf0c34

RemcosRAT

edd0bc79de9c5ecb3d4903d20259b356171aa41af2df2a43aad0bf36bda95c7b

RemcosRAT

+ 2'945 additional samples on MalwareBazaar

Hatching Triage remcos

Result

Malware family:

remcos

Alert

Create hunting rule

Score:

  10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230511-svrzyaec23/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

seanblacin.sytes.net:6110

UnpacMe Remcos win_remcos_auto

Unpacked files

SH256 hash:

3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35

MD5 hash:

8a2c496875c0871aecc16aae768b323f

SHA1 hash:

f5423a32125c70b512de301c5616c7b75477e2e7

Link:

https://www.unpac.me/results/53bf8303-5926-4116-9ce0-23b561d06934/

SH256 hash:

341de585604d19cd4ed50de531028c022faba16907cc3adcc2b0f8098ff44b51

MD5 hash:

07ea2e9bb2b95e2cab8e4861a8088189

SHA1 hash:

d8c2d31bf0e1e8db9d780de33effa1893049e23a

Link:

https://www.unpac.me/results/53bf8303-5926-4116-9ce0-23b561d06934/

SH256 hash:

008bf56ee204fa7fdf7b61dbdeaf03e34b9fc881557d81c7722adbcb65da469a

MD5 hash:

261dcd84c0f93e72e5f0c0a8172b3beb

SHA1 hash:

cc926bb45e09abc8f5878bb5bf8dfc96899cfb25

Link:

https://www.unpac.me/results/53bf8303-5926-4116-9ce0-23b561d06934/

SH256 hash:

660a0e60dbd1342b35432a53599a7a1bd6f62d2d350b4de1b48600e7d8d67ad4

MD5 hash:

c4a97d373e8c64e65f316cd487311e6f

SHA1 hash:

b9a60aa1fb129eb2e8cf6022dcc7725349252dd8

Detections:

Remcos

Alert

Create hunting rule

win_remcos_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/53bf8303-5926-4116-9ce0-23b561d06934/

Parent samples :

291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64
14fb2daf697ee302647b7d63c26e94f443c9516a5a707b85952b1158e5ffe12a
f07ddc7c081b1106a27590e5497bec74f0d48f18b8c49d17ea57fa3d7d0704d8
97e54013704e2edc63c7d31ee30dfba3d2bcdbdd91df650ff0a01e560c3e111a
e2c60159ad9908ac2a1ab446c1866dfe5a59b1535ca29f111ae56833996d82b8
a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6
43c39e05ae59835e16df8bd732cd035292db70bc2c2d6d95ac354622bfa376ec

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/53bf8303-5926-4116-9ce0-23b561d06934/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64

MD5 hash:

14ac6f908ca2112dae932a9bff75d574

SHA1 hash:

25e53a950c8284167d25f99f171a03f9d6bf9ac5

Link:

https://www.unpac.me/results/53bf8303-5926-4116-9ce0-23b561d06934/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 291755c89bb6d77dd43c74cb0413df8037244debd6bedd2a869edf7dfd090d64

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2260834/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/388421/