MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c153ae3a33e8eb9badb45fc6c89b2c805bd61f52ad2e2003e1c0107be6d7d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 13 File information Comments

SHA256 hash:	36c153ae3a33e8eb9badb45fc6c89b2c805bd61f52ad2e2003e1c0107be6d7d8
SHA3-384 hash:	60a52b3ac424f594cf1fb7b745ed1f7bc74171192a2e13d481ba39840d10e00813f7791d37679997318ccf891daee888
SHA1 hash:	7cce8325bd1aca05b525910d65fea90ea18d0b3c
MD5 hash:	608d4a6897d2fd5a8b996bdb43e54d5f
humanhash:	ack-indigo-twenty-nuts
File name:	608d4a6897d2fd5a8b996bdb43e54d5f.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	555'975 bytes
First seen:	2022-08-17 06:46:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f9ee72c530e85b767a4ed3391690eadf (25 x RemcosRAT, 1 x Vjw0rm)
ssdeep	12288:z0kUVo1voInwnWh77v8FLkrsfZiM5NiBjvrEH7/6:Q3e1voMw/FLk+Z5HErEH7/6
Threatray	1'704 similar samples on MalwareBazaar
TLSH	T190C4BE11B6D2C2F2D17154302C29FB35DAF8BC38192A497BB3D60D5BFD38181A72A667
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

608d4a6897d2fd5a8b996bdb43e54d5f.exe

Verdict:

Malicious activity

Analysis date:

2022-08-17 06:54:23 UTC

Tags:

rat remcos trojan floxif keylogger

Link:

https://app.any.run/tasks/df018312-2941-4f82-8d98-776668df9a20

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/299171/

Detection(s):

Win.Virus.Pioneer-9111434-0

Win.Trojan.Remcos-9841897-0

Win.Virus.Pioneer-6804573-0

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Setting a keyboard event handler

Creating a window

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Launching a service

Creating a file in the Program Files subdirectories

DNS request

Sending an HTTP GET request

Replacing executable files

Query of malicious DNS domain

Sending a TCP request to an infection source

Creating a file in the mass storage device

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe eventvwr.exe fingerprint floxif greyware keylogger obfuscated overlay packed rat shell32.dll

Link:

https://www.filescan.io/uploads/62fc8f36dae95ca4d4878877/reports/e6f13152-6794-4696-bcc6-a843eb59b105/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cedf578a-1c82-4765-8457-b3dcf704009b

Result

Threat name:

FloodFix, Remcos

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1052857

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FloodFix

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/36c153ae3a33e8eb9badb45fc6c89b2c805bd61f52ad2e2003e1c0107be6d7d8/

Threat name:

Win32.Virus.Floxif

Status:

Malicious

First seen:

2022-08-16 19:45:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g3avhlr2gpuoxg5nwrp4nse3fsafxvq7kkws4iad4haba67g27ma._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

2929451852384ac9f1b289746f767b752e04ec5d778b9538ac761cb175006948

RemcosRAT

48d97367a91454e04e0161675bc323aaea552ef9335c57090e0d471d3d28c97e

RemcosRAT

6c3193fce2bc8edb1884269cc6c43445db0c8a7ca04d89605d588a72510b3ca1

RemcosRAT

ac1906fa0c648d42c3e1b0c7b70b0e7c0c68888d90dc48c81b225f0932cdb258

RemcosRAT

b06040b023873e257e3cc5d803186e714ad4de74fd3bb305205550e5ce5233f7

RemcosRAT

b0e78152cf5f5eca9be7cc47e833600e77db47786c09cc2be451f310c50881d9

RemcosRAT

cce110eed95c36bf618669b1a290ee90b5152ee9c660b6b37f3e11dca7431419

RemcosRAT

ceb6fcadd0f96521026c478596bbc3ba3dfdd3ecdbb2d9e4e8f5bb4a422e446d

RemcosRAT

f171eba23f65f99cd49caa4d84e1adc3429100573de5405534922bc784dd0d23

RemcosRAT

+ 1'694 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:envio15 persistence rat upx

Link:

https://tria.ge/reports/220817-hj7k5sbhhn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Drops file in Program Files directory

Enumerates connected drives

Loads dropped DLL

Modifies AppInit DLL entries

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Remcos

Malware Config

C2 Extraction:

marzo172022.con-ip.com:7475

Unpacked files

SH256 hash:

d8f8af91f54a875d0e6d4dd79a806347ee1281f2aa7796cc20b0dcca15b26bff

MD5 hash:

faf3df8721f12127b9b4ed05753a78c5

SHA1 hash:

84c4bb0056181ac2740ace8af7c6e4e9b3acd6f6

Link:

https://www.unpac.me/results/5b7c52e7-38d8-48eb-a37b-3e66184b5a0b/

SH256 hash:

9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387

MD5 hash:

f598b6379f84e43532b6adc2198bfd9c

SHA1 hash:

73fcd6e681a26ab2ea356a9b951a8557bbc43f4c

Link:

https://www.unpac.me/results/5b7c52e7-38d8-48eb-a37b-3e66184b5a0b/

Parent samples :

ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a

SH256 hash:

36c153ae3a33e8eb9badb45fc6c89b2c805bd61f52ad2e2003e1c0107be6d7d8

MD5 hash:

608d4a6897d2fd5a8b996bdb43e54d5f

SHA1 hash:

7cce8325bd1aca05b525910d65fea90ea18d0b3c

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/5b7c52e7-38d8-48eb-a37b-3e66184b5a0b/

Malware family:

Floxif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36c153ae3a33/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36c153ae3a33e8eb9badb45fc6c89b2c805bd61f52ad2e2003e1c0107be6d7d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Malware_Floxif_mpsvc_dll Create hunting rule
Author:	Florian Roth
Description:	Malware - Floxif
Reference:	Internal Research

Rule name:	Malware_Floxif_mpsvc_dll_RID30C4 Create hunting rule
Author:	Florian Roth
Description:	Malware - Floxif
Reference:	Internal Research

Rule name:	MALWARE_Win_FloodFix Create hunting rule
Author:	ditekSHen
Description:	Detects FloodFix

Rule name:	MAL_Floxif_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	MAL_Floxif_Generic_RID2DCE Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	SUSP_Microsoft_Copyright_String_Anomaly_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720 Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research