MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
SHA3-384 hash: 561a7746aef07cf147b6b43820fbf97fad1fbc536af562deccb54f73d3a4da354e341bd9a0eed89024f3b37af504fd38
SHA1 hash: 5ee7c05215b16e295b0f44684f18c4b0638e0293
MD5 hash: 3cc8d342301cf9a933f00af6b09619e0
humanhash: bacon-tennessee-comet-quebec
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:553'502 bytes
First seen:2023-06-13 14:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ec7359737e4284389c0dec36902d6324 (1 x RemcosRAT)
ssdeep 12288:PictD7Djsjpb9lLAq1WP/HgChzItTtULeq8ycSneAx7:PZ4bRAWWP/zhETeKpycS9l
Threatray 283 similar samples on MalwareBazaar
TLSH T12DC4022C6FB81E27D0E1D7B0C9F37866B114C82E71CFAD1F4693AB541666923A58323D
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 400cf970e0ecd808 (2 x Kutaki, 2 x RemcosRAT, 2 x AsyncRAT)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:24:53 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/a5293287-cd2e-4d42-8cfa-a2153b53b7ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398438/
Detection(s):
SecuriteInfo.com.Trojan.Heur3.LPT.Hm3@a041cqpib.9874.25911.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/64887b539f45f940f553d14c/reports/c5f733fa-c56c-4425-9e54-121bffa05195/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edad2031-ee86-4249-a600-2fd37f8b63d9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253762
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-13 14:21:09 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3675klejq3yxn7ajwwhw6rli5qo7gsjeubguord3aco736s6jva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4107b6df1884a4eb7aeabe55741c01e486ba0b4454c99caaec0ed647018a6125
RemcosRAT
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
RemcosRAT
64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47
RemcosRAT
b564ce75ebda7ddfe0c1be6becd119905c850c6703bb81af1d0ca8d8b9dcb86a
RemcosRAT
bcaf8f9bb1cda543a06ef101b8f4ac8228360400ec35a2ef2fba27b372ba75e7
RemcosRAT
c06613844bf5641d98c53c9536a3103b686a3123b44a147046fad162a1f164e0
RemcosRAT
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
RemcosRAT
c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea
RemcosRAT
+ 273 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230613-rn1g3agf26/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
192.168.175.1:1800
Unpacked files
SH256 hash:
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
MD5 hash:
1c9ff0b44e4db1fc5a2f5a84c6add5af
SHA1 hash:
09a4f3776beec99ccdb6260c5e48a5eab5c8244b
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/594ede9d-eb25-4744-9f63-1885b3addf8d/
Parent samples :
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
SH256 hash:
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
MD5 hash:
3cc8d342301cf9a933f00af6b09619e0
SHA1 hash:
5ee7c05215b16e295b0f44684f18c4b0638e0293
Link:
https://www.unpac.me/results/594ede9d-eb25-4744-9f63-1885b3addf8d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2efdfea9644c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398438/

Comments