MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba
SHA3-384 hash: 39c2a13634c6c96121a8001dd899e06822fc37e731ffe7f96db0e66d4779e3f5a4c9e82d31ffa10fb154a6f9d6cb1e06
SHA1 hash: c08002db93295dc774137fb8b64e25982bb813b0
MD5 hash: 8bff446184b5ab123684c62895414df0
humanhash: wolfram-solar-eleven-delaware
File name:RESUME.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:454'756 bytes
First seen:2022-12-06 14:09:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 12288:VAC+Qu5ylAM8kCR7GIwhg9ZRHmWE485yHv/8YM1jk:WCTlAMiR6IfXm3WMZo
Threatray 1'286 similar samples on MalwareBazaar
TLSH T149A4231336B5C0FFCAA349724CA08224A2FBE62958649D4363362FFEB5254E1F85D747
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f4f679b179698cd4 (17 x RemcosRAT, 4 x SnakeKeylogger, 2 x NanoCore)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
RESUME.exe
Verdict:
Malicious activity
Analysis date:
2022-12-06 14:09:25 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/09380443-53f2-4ce6-bfe0-772d075926ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343467/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.19553.11417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Creating a file
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/638f4d3df6e448d42df76bf5/reports/3f5efdb8-05ee-475e-b121-48bff56295f6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fec68277-07bd-42ae-928d-d53ddc28dbda
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1128966
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-06 11:08:18 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdsfbyhyrddsfosx5u4zab2zhf7n5aqwcq3rqmsfnn72fekdvk5a._file
Verdict:
unknown
Similar samples:
004156cb5b53a435cca18a919e1bbdea483b7382c16d006838b96f11160c5d0e
RemcosRAT
3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
RemcosRAT
5095959439a744df6fc4385ffd0aabf3bade4f34adfeade45dedb58a22a49494
RemcosRAT
57a0137324bbc30a462cb3ccaa9faf18259752bbca172c1f83d279505d502fd7
RemcosRAT
58873f3b0e839c017a4ae835787ad4c1f821e905184d168be6250d368f793fbb
RemcosRAT
5c9c51f336a4f92821219c73a99bd5c7e4bc749967e95745b12af9c25285b314
RemcosRAT
a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a
RemcosRAT
+ 1'276 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/221206-rgqz2seb72/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
drremcoz1.ddns.net:1307
Unpacked files
SH256 hash:
683efe74532bed30e1f0a73e9e7485e2d11e444b7766cd7d2611d84ecc79fa22
MD5 hash:
c5124d216e7b0f383ba7e05b69d84379
SHA1 hash:
9e07ed49d15d00e15d5b603e2b74902284cb560a
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f2aaef95-be00-4010-820a-d264bd596e2d/
Parent samples :
d2153ad12373ea7fab1232d8e957da465e2a7a6b5439f34d9ba6e3e177ab6c76
45cd8dd797af4fd769eef00243134c46c38bd9e65e15d7bd2e9b834d5e8b3095
f23af58c2cf4e24dc720b940dfcbb7a12793de187354f892b8ee9cbec7c3332e
38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba
f55af4e1b592a12334c4434887b9bfd7429b4218e9c4b3b7cef3e345f4489f06
a5d0f96c465bc9f36b29fb88333dc996f63c39ec6ed8cc2acb5a5b36ad31500f
SH256 hash:
f16d98788c7b1df41e2cd58574c7104df45c013b55be2f85c140384dacf720c3
MD5 hash:
b3ec854957b0c20b1664125b89377765
SHA1 hash:
a87b491d92e97bab83f695987cf2ad2249726b0e
Link:
https://www.unpac.me/results/f2aaef95-be00-4010-820a-d264bd596e2d/
SH256 hash:
38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba
MD5 hash:
8bff446184b5ab123684c62895414df0
SHA1 hash:
c08002db93295dc774137fb8b64e25982bb813b0
Link:
https://www.unpac.me/results/f2aaef95-be00-4010-820a-d264bd596e2d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38e450e0f888/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.48
Link:
https://yomi.yoroi.company/submissions/38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/343467/

Comments