MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8
SHA3-384 hash: 2168c1aec3ecc3158765d4e3de3ded0b747d522e523ecf7cf4c80ba9fd7e3240cc3d617841c23559a499a20c7dbd634f
SHA1 hash: 04506a61d55e6dab295588df637a64d3a5175d6d
MD5 hash: a20c0b5c93cf0879718ef989218cedb9
humanhash: freddie-blue-texas-alpha
File name:file.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:97'280 bytes
First seen:2024-02-23 16:20:16 UTC
Last seen:2024-02-23 18:23:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:SytXF8TRtLnapEBGsLsjKOICCGpM3NN1RcrvzkaqPH4ojAvcR1a33jyAzfic5+4I:SytXidtLnapCYjs9vRwzkbHjAvH3xfiJ
TLSH T117937CEC5AF84A26D1AD877DC1B250209B369A027303F35D5F82A0EB1D633878653DE7
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
318
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477532/
Detection(s):
SecuriteInfo.com.W64.KryptoCibule.A.gen.Eldorado.31721.17786.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Running batch commands
Creating a process with a hidden window
Launching a process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65d8c5ef0ba622dfa9541b37/reports/e5e961a8-db6b-4dc6-9f14-baed41b5e609/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e3b09b5c-ef22-4438-90b0-a2afcc493fbc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1397800
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1397800 Sample: file.exe Startdate: 23/02/2024 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected UAC Bypass using CMSTP 2->63 65 15 other signatures 2->65 8 file.exe 15 7 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2 2->15         started        17 4 other processes 2->17 process3 dnsIp4 47 115.74.153.5 VIETEL-AS-APViettelGroupVN Viet Nam 8->47 49 74.103.66.15 UUNETUS United States 8->49 51 98 other IPs or domains 8->51 45 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 8->45 dropped 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->69 71 Drops PE files with benign system names 8->71 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        73 System process connects to network (likely due to code injection or exploit) 13->73 75 Writes to foreign memory regions 13->75 77 Injects a PE file into a foreign processes 13->77 24 iexplore.exe 13->24         started        79 Machine Learning detection for dropped file 15->79 26 cmd.exe 17->26         started        28 WerFault.exe 17->28         started        30 WerFault.exe 17->30         started        file5 signatures6 process7 signatures8 32 svchost.exe 19->32         started        35 conhost.exe 19->35         started        37 timeout.exe 1 19->37         started        67 Uses schtasks.exe or at.exe to add and modify task schedules 21->67 39 conhost.exe 21->39         started        41 schtasks.exe 1 21->41         started        process9 signatures10 53 System process connects to network (likely due to code injection or exploit) 32->53 55 Writes to foreign memory regions 32->55 57 Injects a PE file into a foreign processes 32->57 43 wmplayer.exe 32->43         started        process11
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-02-23 16:21:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvkxaehoewxdexgpi3d4p5e6u5m6qy7yjt5gojvmzsuh2sjhc7ea._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240223-ttmt9sea4t/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Creates a large amount of network flows
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Contacts a large (4430) amount of remote hosts
Unpacked files
SH256 hash:
2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8
MD5 hash:
a20c0b5c93cf0879718ef989218cedb9
SHA1 hash:
04506a61d55e6dab295588df637a64d3a5175d6d
Link:
https://www.unpac.me/results/8f7ab675-ba61-4333-ac15-719f5650f9bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2d557010ee25ae325ccf46c7c7f49ea759e863f84cfa6726accca87d492717c8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/477532/

Comments