MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2
SHA3-384 hash: 1dd593fd88abb6bb4cd8e01ded97c5325efb14e4100fb25a05d5436526d14dcfb9121cc5f7e8173062a2bd949f5c1c29
SHA1 hash: 93b803d920a4c0a5e291cdca4bf250c379cd729b
MD5 hash: d51e8ebb04a5849f46514dcaef7f4c32
humanhash: ohio-mobile-carbon-fourteen
File name:d51e8ebb04a5849f46514dcaef7f4c32
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'168'632 bytes
First seen:2023-02-21 08:27:12 UTC
Last seen:2023-02-21 11:29:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4dd24c5aa6efe26191b8c320e81469c3 (1 x RemcosRAT)
ssdeep 12288:3iSHMv8y+XQcA6AJPe+kDuOlwflEzQBxfQPoQaM010P4AiwlUpq+C3AXwvYzcOFG:3K+XQcA6Z7vglEE1Qv3qUTQLwurLM
Threatray 397 similar samples on MalwareBazaar
TLSH T19EA52F2122EAD6D5E5B26A30ED7671F10E27BC50E9359C0F2D883D4A3BB7940E57072E
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 316d4d4d5d554569 (4 x AgentTesla, 4 x Stealc, 3 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:PAK AFGHAN FROZEN FOODS LTD
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2022-02-13T00:00:00Z
Valid to:2023-02-13T23:59:59Z
Serial number: 29127065e11aab25ed52f956439ae270
Thumbprint Algorithm:SHA256
Thumbprint: 59f4c24e233a04142503e32a9e1973cdff223ce25e95027c64bb1ba4b6fb5e01
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d51e8ebb04a5849f46514dcaef7f4c32
Verdict:
No threats detected
Analysis date:
2023-02-21 08:29:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7afd8d02-c290-4da8-bb87-2df367f52693

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368566/
Detection(s):
SecuriteInfo.com.BScope.Trojan.Downloader.2448.13100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cmd.exe greyware overlay packed remcos
Link:
https://www.filescan.io/uploads/63f4809242bf85850e3e7701/reports/7af05ed7-3eb3-4c6c-81ff-5e9ac3f424c1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4e088d27-cf65-41de-80ec-430047b72fa7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179598
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to infect the boot sector
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may execute only if attached device has certain properties)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2/
Threat name:
Win32.Hacktool.Sysdupate
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 15:48:42 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
11 of 39 (28.21%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjltpfvv43y4yous5336e2h2jz2k5xptj5o5ml33aiij7zla5tja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f1c1a1c87587222d358553c1b9a482e7d9e6a601cdf40e9a0288827311c0650
RemcosRAT
1e903460f6285170c6e841e25181b9e465cdf5a6864bbd96a205b1d229438d5e
RemcosRAT
38813d304e6f75adc3b92ba75bdee6b6f000837d26cde3a0a07edb869f1666bd
RemcosRAT
4fa8e3ed74b9d941888ab229b323154e2a2bdb2274fd7e767e16bb8dadd97365
RemcosRAT
615410f6d53aefbcbdd874fdeaa335d174bdbdae890d8888e02af05e9851b589
RemcosRAT
6d0b9f54f09f25973baccfbdf8c98b61a33cbdbdf0d90563cf2964f4966ff48f
RemcosRAT
797c253df096431e69f1aa84f0010f248384fe437cda4bf8df916c48fbb7984f
RemcosRAT
d063eec4ec30ecc633469e28b06bf8288a9107cd9f16ea97720877a6f761e248
RemcosRAT
e1d94beb469be76da4aafd382a153f477ede6e3a1a283b7becf6cffbd131d4df
RemcosRAT
e47ca034c78e942930e24ba0b911f2d5bb826d9259d83d0b0991dd0939f115a0
RemcosRAT
+ 387 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:nvidiaconsole rat
Link:
https://tria.ge/reports/230221-kczm3aga4v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
45.137.118.105:443
Unpacked files
SH256 hash:
3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2
MD5 hash:
d51e8ebb04a5849f46514dcaef7f4c32
SHA1 hash:
93b803d920a4c0a5e291cdca4bf250c379cd729b
Link:
https://www.unpac.me/results/c040f9f8-fd78-4db8-9c28-aef54d7a439e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a573796b5e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2546603/
Cape
Cape
https://www.capesandbox.com/analysis/368566/

Comments


Avatar
zbet commented on 2023-02-21 08:27:26 UTC

url : hxxps://merafm.com/wp-content/uploads/2021/02/paf/Talking-Points-with-China-PLAAF.exe