MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff
SHA3-384 hash: 33438824ede14cd4a72f593f1ffdd05805e0226f0f8ff3d9f4dc351b9076506cbabbfc3cc1b471b413c6f52b6a360e08
SHA1 hash: 74388b7d29b042a1dabfeda00066eda76a9cf348
MD5 hash: fbcf58f9ce64d200379298fcd87aa56b
humanhash: twenty-mockingbird-ink-burger
File name:CalculatorMod.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:618'496 bytes
First seen:2024-08-27 05:02:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:MLKzlyrLuJygHZ8C2V3Oliayg2Mj1ngA+0mqwgqi59CU:uIyrCJygn2ZOlX1nz3wgqiHr
Threatray 4'390 similar samples on MalwareBazaar
TLSH T157D423A41A003025EBF2CDBB8C7985411FE8EB44EB5F1FBFEBAC9C591E5196058C5362
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon b0f8ccccccccf032 (1 x RemcosRAT)
Reporter adm1n_usa32
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CalculatorMod.exe
Verdict:
No threats detected
Analysis date:
2024-08-27 05:02:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81319a7b-15cc-4e37-985f-e2b39d710a8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen27.32995.16211.4221.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cd5e08e7ff3f5a063c0edc
Tags:
Generic Infostealer Network Stealth Kryptik
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Creating a file
Connection attempt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66cd5e0658cbff3e3abdca09/reports/cd9fe91e-800b-4def-9c7f-41f33a92e5c7/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86a597c0-9fbd-4572-8602-6c52be5a959a
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1499535
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1499535 Sample: CalculatorMod.exe Startdate: 27/08/2024 Architecture: WINDOWS Score: 100 16 Found malware configuration 2->16 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus detection for URL or domain 2->20 22 8 other signatures 2->22 7 CalculatorMod.exe 3 2->7         started        process3 file4 14 C:\Users\user\...\CalculatorMod.exe.log, ASCII 7->14 dropped 10 CalculatorMod.exe 7->10         started        process5 process6 12 WerFault.exe 21 16 10->12         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-08-15 01:04:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ga7ecxnqmrbwniywkjahbmcgwgzklxjeiesy2yuvqwnly5htkl7q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9
RemcosRAT
820485feb8d8b9c13f3f2bc037f7918b0a38526c6f7193f878b2d410572dac26
RemcosRAT
8254d25a2c54050f8621c6ff69869e94b4cba878b5b246c00ac73377b4ae65b1
RemcosRAT
babc0e3f52501b3128c5b0d806696a82c6575d7194a721d0e354d9bc7b077d91
RemcosRAT
d3a32f2258bd5eff952576259dd78a6e73f56d52d07783d4fbc3ffd966549950
RemcosRAT
e69cbec2c6a28dca27558736ea04f1b998ed42c2e70cf2934b12330df04bf3be
RemcosRAT
+ 4'380 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost12 discovery rat
Link:
https://tria.ge/reports/240827-fppamsteqb/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
rem24251mr.duckdns.org:24251
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a7ea435e-e354-4ed8-93ed-81c60e3a32a7
Unpacked files
SH256 hash:
d6f030194295bdec3c4ec91fbaf7dacd7a9b83edb99c4fd6556eb4eb7d948840
MD5 hash:
b0a4175cd9541a154e82efe59daa2b05
SHA1 hash:
e9ccf2c17da8b0fc2690a5cad0f8067de577b49d
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
Link:
https://www.unpac.me/results/64fb3957-a3b5-4efd-a7f7-f5eeb2886388/
Parent samples :
303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff
d6f030194295bdec3c4ec91fbaf7dacd7a9b83edb99c4fd6556eb4eb7d948840
SH256 hash:
69586aa8c56d946aebbf763bb7b4ec052a93b35ec1dab2db32fbb99070c865d3
MD5 hash:
3484e6891e524a3a235c7d0912cf4b96
SHA1 hash:
8991714eed65e3c94ebf50944112dcaf76005b71
Link:
https://www.unpac.me/results/64fb3957-a3b5-4efd-a7f7-f5eeb2886388/
SH256 hash:
df799a232751f624d740181a77fb8f34c5d54dceedbf8c164bb293d4665424eb
MD5 hash:
37774ca06c322e08652757447188fd00
SHA1 hash:
09309a40b8ed4a9f1f6eba46cd0fe7a36d7166e8
Link:
https://www.unpac.me/results/64fb3957-a3b5-4efd-a7f7-f5eeb2886388/
SH256 hash:
303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff
MD5 hash:
fbcf58f9ce64d200379298fcd87aa56b
SHA1 hash:
74388b7d29b042a1dabfeda00066eda76a9cf348
Link:
https://www.unpac.me/results/64fb3957-a3b5-4efd-a7f7-f5eeb2886388/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/303e415db064/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments