MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c
SHA3-384 hash:	d2b0fba1e887a577082c68607c314dbdf2be2f84979b8cf27b2216bffd2ebff57f317e2a088ccbf1074e80d66514d1e9
SHA1 hash:	11de21f3a74a4a7d57dd6a1b6f6685660236667a
MD5 hash:	5ef829717783ea928aa19bc0df4ef1c6
humanhash:	carpet-blue-robin-artist
File name:	5ef829717783ea928aa19bc0df4ef1c6.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'590'784 bytes
First seen:	2024-01-09 20:33:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc2b3e63a50ba98c3412285dee7a8f0b (16 x AgentTesla, 5 x RemcosRAT, 3 x 404Keylogger)
ssdeep	24576:MqDEvCTbMWu7rQYlBQcBiT6rpFd+zILDCk9XSbOutoKwyOYcfnbVlMh:MTvC/MTQYxsWPkzIPvCbOuZo7bVlM
Threatray	1'789 similar samples on MalwareBazaar
TLSH	T1AC759E02B3B18192FFDE51320F6DF2650A799E25055BB72EC2770D39F930671263EA62
TrID	52.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 24.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	71e8c6aa8ac6e871 (1 x AgentTesla, 1 x RemcosRAT)
Reporter	smica83
Tags:	exe HUN RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470089/

Detection(s):

PUA.Win.Packer.Ep-7

PUA.Win.Packer.Embedpe-3

PUA.Win.Packer.AcprotectUltraprotect-1

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit bladabindi control darkkomet greyware keylogger lolbin packed remcos shell32 threat

Link:

https://www.filescan.io/uploads/659dadbbe1815911f1681b97/reports/af3ac780-350d-46d3-ab8b-89ba0e19b5a8/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/694ea864-c035-4e2e-adf8-dbb0eb31b09e

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1372056

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2024-01-07 04:55:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 37 (40.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hgumlbowaiasmg5noyak6dzyid6lc5h6yyzgh27vkaqojxw4cv6a._file

Verdict:

unknown

RemcosRAT

4310f5a0b37713c8d7d799fbecdcd58efac466347999fff02e183535c67c86d4

RemcosRAT

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1

RemcosRAT

60b2187fb7db90cc596f9ab3eb852ef99e5d8a53467b552440282d02df5b18b2

RemcosRAT

7761e6403caabbe4742e7afaf1be7dbf908974fd6d9f8367ca44352ea79a96a7

RemcosRAT

799c7bed3c5fe743f6b748efff0994fbda6f19028cc9921a06cf633e7629bba7

RemcosRAT

7cfbfe371912b59dec9a22cb39790c9f94774124ac786b48d493ec46830a0c1c

RemcosRAT

7e1a176d5f2a191b4b4266335be0f1f6986dd3e0c745a3222eb028e8746702ce

RemcosRAT

7e390ca86f3a591a740e6aed05214cf75773e0d38dd70fd194fe26f12e876123

RemcosRAT

c56085ee871e8eea85eb269f98c711fd2f7a395f5b054309a0e59047f9605ead

RemcosRAT

+ 1'779 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240109-zceefshgfk/

Unpacked files

SH256 hash:

cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381

MD5 hash:

4c9dcdd5946caffba47fd4218404d384

SHA1 hash:

4f733af9d4a0eef8aa55968c2971f5d6ae1f0f57

Detections:

Remcos

win_remcos_w0

win_remcos_auto

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

win_remcos_rat_unpacked

Link:

https://www.unpac.me/results/ee8c0671-c394-493d-ae7d-37aa2a29fcbc/

Parent samples :

db4520e67b7388d613d17e7a0758192feda02f2951e3a3a2f5bd4f2c55efd7a2
cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381
a1f95947c7d421aef77f87b95744c6a93c149e203af906b32b3e6002f3331cf3
1592a15da607057998d44258e4892bbe0191a9fb4b0f688b9ecb8112016d387d
9fdca9360e25dcfd92011c7aa47c40037cadc4573826b13cfdb8ecf7dc3bb553
48df72d38c4b15ae4c34723fd6b2c8399110aebbf9f4205064901bc2650f2571
bafc5fae0104b9851797f62ad1d638cf18237782147ff341033d6bfc06e0d5ca
d72b9ebc71193849d196a3962f735f5bc49b4be81d099317582f199008580704
88c300243b5102cdcf2685203b2469f384d12d0cbd66b49dd479d21b3ceab24d
c6f1ef6ad4ded0111f232672a308199294eb93182d7cd7acc294f0a2c2d20413
788edaf71879b87d34ea6397f6be0c718a67bc8f3ef5a2b32e5b1ad8064a44d0
e32b631a8b82943b24d90088fba052ef7c6bb591b6bd759c71fa7ba8ef63fa63
39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c

SH256 hash:

39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c

MD5 hash:

5ef829717783ea928aa19bc0df4ef1c6

SHA1 hash:

11de21f3a74a4a7d57dd6a1b6f6685660236667a

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/ee8c0671-c394-493d-ae7d-37aa2a29fcbc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/470089/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample