MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bd5ab52fbb3957e4ec4b1c7bb5368548d9b8a2672ea9b0ff43d896801ae8337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: 2bd5ab52fbb3957e4ec4b1c7bb5368548d9b8a2672ea9b0ff43d896801ae8337
SHA3-384 hash: d1088c575634c132e770172ef23438fa8e28fcee84c6f6d63670bebc64ae9f60943cd8433d6f25ee4cf16a162716baec
SHA1 hash: 63f194288320094781eda977fe17dab4f40075ce
MD5 hash: 25021f46eac2729d7ebc852929d1cd47
humanhash: one-cola-queen-diet
File name: 2bd5ab52fbb3957e4ec4b1c7bb5368548d9b8a2672ea9b0ff43d896801ae8337
Signature: RemcosRAT
File size: 909'824 bytes
First seen: 2024-02-07 13:56:23 UTC
Last seen: 2024-02-07 15:41:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep: 12288:cYV6MorX7qzuC3QHO9FQVHPF51jgcER33rdKOUfgOKIIOP38QF6EkP7tNovDYkGD:7BXu9HGaVH4cHffFVP38QMx7O8k8wv+
TLSH: T10A1501B1AAF269D9F4EA4E77AC149160BCE78C84CD42160EE009B4F56237BD8D1590FF
TrID: 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter: adrian__luca
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads :
2
# of downloads :
283
Origin country :
HU
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin nymeria packed shell32 upx
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1388385): sample 4qD8ac6MSO.exe, start date 07/02/2024, architecture WINDOWS, score 100.
Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures.
Process tree recovered from the graph:
4qD8ac6MSO.exe (started)
    signature: Binary is likely a compiled AutoIt script file
    dropped: C:\Users\user\AppData\Local\...\na.exe (PE32)
    na.exe (started)
        signatures: Binary is likely a compiled AutoIt script file; Drops VBS files to the startup folder
        dropped: C:\Users\user\AppData\Roaming\...\na.vbs (data)
        na.exe -> na.exe -> ... (nine na.exe instances in total, each launching the next; every instance in this chain is flagged "Binary is likely a compiled AutoIt script file")
wscript.exe (started)
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    na.exe (started)
        na.exe -> na.exe -> ... (eight na.exe instances in total, each launching the next)
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2024-01-28 05:10:00 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:mightyking collection rat spyware stealer upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
107.174.138.159:1900
Unpacked files
SHA256 hash:
0ab87e55ce59218e4b8bdd13ffa13774700ebfeebf4c33877aad11153c67d836
MD5 hash:
83f8e47faaab9f374dd6b22a640ca296
SHA1 hash:
8ad1c1ba967003a5601ecc31a59d04dd3c6d72ca
Detections:
AutoIT_Compiled
SHA256 hash:
4ecb6f964cd2dd6fb8b0326cce29884f5ddd1b9a703984eb4b59e42106e7b8f7
MD5 hash:
3490e76dcce0cb436f0e9d807b355671
SHA1 hash:
2b1b5c46a04e4c9465319accd1a33b266eddb4df
Detections:
Remcos win_remcos_w0 win_remcos_auto malware_windows_remcos_rat INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
SHA256 hash:
2bd5ab52fbb3957e4ec4b1c7bb5368548d9b8a2672ea9b0ff43d896801ae8337
MD5 hash:
25021f46eac2729d7ebc852929d1cd47
SHA1 hash:
63f194288320094781eda977fe17dab4f40075ce
Detections:
SUSP_Imphash_Mar23_3
Please note that we are no longer able to provide a coverage score for Virus Total.
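The indicators above (file hashes for the dropper and its unpacked stages, the extracted C2, and the reported behaviours: a VBS dropped to the Startup folder, wscript.exe launching the dropped executable, and the na.exe self-respawn chain) are the pieces a responder would turn into a hunt. The script below is an added example, not MalwareBazaar code and not code from the sample or either sandbox: it hashes files with the same algorithms the entry lists and matches them against the published hashes, checks a connection tuple against the extracted C2, and applies approximations of the two Sigma detections and the respawn chain to file/process events. The event field names are an assumption modelled on Sysmon events 1 and 11, and the SAMPLE_EVENTS list is constructed for the example; the AppData subfolders the report elides are replaced by a placeholder, not recovered.

```python
"""Hunt for the indicators this MalwareBazaar entry publishes.

Added example: not MalwareBazaar code and not code from the sample.  Computes
the digests the entry lists, matches them against the hashes given for the
dropper and its two unpacked files, checks a connection against the extracted
C2, and applies the reported behaviours (VBS dropped to the Startup folder,
wscript.exe launching a dropped executable, the na.exe self-respawn chain) to
file/process events.  Event field names are an assumption modelled on Sysmon
events 1 and 11; SAMPLE_EVENTS below is constructed, not sandbox output.
"""
import hashlib
import re

IOC_HASHES = {  # copied from the entry, keyed by algorithm
    "sha256": {
        "2bd5ab52fbb3957e4ec4b1c7bb5368548d9b8a2672ea9b0ff43d896801ae8337": "submitted RemcosRAT dropper",
        "0ab87e55ce59218e4b8bdd13ffa13774700ebfeebf4c33877aad11153c67d836": "unpacked AutoIT_Compiled stage",
        "4ecb6f964cd2dd6fb8b0326cce29884f5ddd1b9a703984eb4b59e42106e7b8f7": "unpacked Remcos payload",
    },
    "sha1": {"63f194288320094781eda977fe17dab4f40075ce": "submitted RemcosRAT dropper"},
    "md5": {"25021f46eac2729d7ebc852929d1cd47": "submitted RemcosRAT dropper"},
}
C2 = ("107.174.138.159", 1900)  # from "C2 Extraction" above
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)$", re.I)  # assumed set
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_DIR = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)


def digests(data: bytes) -> dict:
    """The four digests the entry lists for a file."""
    return {name: getattr(hashlib, name)(data).hexdigest()
            for name in ("sha256", "sha3_384", "sha1", "md5")}

def file_digests(path: str) -> dict:
    with open(path, "rb") as fh:
        return digests(fh.read())

def match_hashes(d: dict) -> list:
    """Labels of every entry hash matched by the computed digests, per algorithm."""
    return sorted({IOC_HASHES[a][h] for a, h in d.items() if h in IOC_HASHES.get(a, {})})

def is_c2(dst_ip: str, dst_port: int) -> bool:
    return (dst_ip, dst_port) == C2

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    """(rule, evidence) pairs for the behaviours reported in the entry.

    file events:    {"type": "file", "image": ..., "target_file": ...}
    process events: {"type": "process", "image": ..., "parent_image": ...}
    """
    hits, respawns = [], {}
    for ev in events:
        if ev["type"] == "file":
            tf = ev["target_file"]
            if STARTUP_DIR.search(tf) and SCRIPT_EXT.search(tf):  # Sigma: Drops script at startup location
                hits.append(("drops_script_at_startup_location", tf))
        elif ev["type"] == "process":
            img, parent = ev["image"], ev["parent_image"]
            # Approximates Sigma "WScript or CScript Dropper": a script host
            # launching an executable out of the user's AppData tree.
            if _base(parent) in SCRIPT_HOSTS and APPDATA_DIR.search(img):
                hits.append(("wscript_or_cscript_dropper", f"{_base(parent)} -> {img}"))
            # The graph shows na.exe re-launching itself generation after
            # generation; flag the third consecutive self-spawn of one image.
            if img.lower() == parent.lower():
                respawns[img.lower()] = respawns.get(img.lower(), 0) + 1
                if respawns[img.lower()] == 3:
                    hits.append(("self_respawn_chain", img))
    return hits


# Constructed events modelled on the behaviour graph.  The report elides the
# subfolders under AppData\Local and AppData\Roaming; "example" and the standard
# per-user Startup folder are placeholders, not paths recovered from the sample.
_DROPPER = r"C:\Users\user\Desktop\4qD8ac6MSO.exe"
_NA_EXE = r"C:\Users\user\AppData\Local\example\na.exe"
_NA_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\na.vbs"
_WSCRIPT, _EXPLORER = r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": _DROPPER, "parent_image": _EXPLORER},
    {"type": "file", "image": _DROPPER, "target_file": _NA_EXE},
    {"type": "process", "image": _NA_EXE, "parent_image": _DROPPER},
    {"type": "file", "image": _NA_EXE, "target_file": _NA_VBS},
    *[{"type": "process", "image": _NA_EXE, "parent_image": _NA_EXE}] * 3,
    {"type": "process", "image": _WSCRIPT, "parent_image": _EXPLORER},
    {"type": "process", "image": _NA_EXE, "parent_image": _WSCRIPT},
]

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        d = file_digests(p)
        print(p, d["sha256"], match_hashes(d) or "no match")
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(rule, evidence)
```

Run it with one or more file paths to hash and match them; with no arguments it only prints the three behavioural hits from the constructed events. Hash matching catches only this exact build; the UPX-packed sample and its unpacked stages have different hashes, which is why the entry lists all three and why the behavioural rules, not the hashes, are what generalise to the next repack.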

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_3
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author:malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments