MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a
SHA3-384 hash:	8ccbc8efe67ed8d0835fb03583548d85df12dfcdf3ce733c983046b54245af3a1287f3c52b50a0f56a5b6dcac46a0aab
SHA1 hash:	c6b0df641c971af82a14cf71cbd2226f9430800e
MD5 hash:	c5b0e19ef0ac1a0ff7a848c9b156fd60
humanhash:	quebec-vermont-berlin-nevada
File name:	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29604.8216
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	488'672 bytes
First seen:	2023-07-26 01:28:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	12288:vYpTPuz7x1BnMKo42AEJ2Nb2qoa12PaS/zcWhi4c:vYpqz7x1VMgEg2RaYhLcK8
Threatray	2'293 similar samples on MalwareBazaar
TLSH	T182A42300B964D2E7DD860A72597709246B7C56200AF85B07DBE18F5E3932963EE0BFF1
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

367

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29604.8216

Verdict:

Malicious activity

Analysis date:

2023-07-26 01:29:07 UTC

Tags:

rat remcos remote

Link:

https://app.any.run/tasks/7d70de60-8fa0-4ed9-8a33-233e3c847102

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/433322/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29604.8216.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6da8a80b-8b69-4114-a2a8-cb7c6ab8d0bf

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1279770

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2023-07-26 01:29:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g7z5ydnzn4rvlfht4ikt5bi23vqqh2dkpg4boivbgdczfumyd4fa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

RemcosRAT

4b66b1c337c83ccb79e4862a7a32421fd75a565a59fee1f830d4aae55b64af9a

RemcosRAT

69cb61375bae8db7278ca4adee488faea6723d8052270908010541c4850e8dcb

RemcosRAT

882a895b320ba323dccd33d6d82e02b4506b7386a91c63c0c505345796352d67

RemcosRAT

979b67124f30f347688897010f34abf0467a67516ba011c9601cf06a14be0432

RemcosRAT

b41e4528449d3fa1730eca98df0dc9fd9e3683ccfaedf1d72ee2af2899f18db8

RemcosRAT

+ 2'283 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/230726-bv8t1sgg35/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

64.112.85.218:4888

Unpacked files

SH256 hash:

41a6b66b34474558a055b445266241047c38240b85fbf399be40e8841f742d83

MD5 hash:

4804d6ffce0d37864ab01b3e10f63bf9

SHA1 hash:

a840c66ccd1761f431e95b40e8dc4daf2551afcc

Link:

https://www.unpac.me/results/85115609-052e-4afa-903e-866ed1add55c/

SH256 hash:

e9a57ea6ba112cbc31de122f5d0d3f34552ae0c81e5749dcc2dcb86f80a977e5

MD5 hash:

36a668f807e48b157d6707d3778b0d0c

SHA1 hash:

9e9b1333c1078e25090d321feb780a306cc04e5d

Link:

https://www.unpac.me/results/85115609-052e-4afa-903e-866ed1add55c/

SH256 hash:

04adf7cc43ba331ca5f202b718fefbc16cbcccdee11c1830087b8115ae429eb4

MD5 hash:

07d1ba5604b10a849c185fa855c923da

SHA1 hash:

4dfecf14ddb1f0896b47b168273f8a37396b5051

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/85115609-052e-4afa-903e-866ed1add55c/

Parent samples :

356397e5a8cede8dc9420b6f76ed565748382705ed55888b0a85a48e94ec2bc4
37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a
17927cf92cf25c048021f9517386f9a69936c8c03ac8afb18eac18e512e662a2
593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9
8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5

SH256 hash:

37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a

MD5 hash:

c5b0e19ef0ac1a0ff7a848c9b156fd60

SHA1 hash:

c6b0df641c971af82a14cf71cbd2226f9430800e

Link:

https://www.unpac.me/results/85115609-052e-4afa-903e-866ed1add55c/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/37f3dc0db96f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/433322/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample