MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412a694c19663771576663125556c5e3e2377f20291f5593a4b0faade79b68a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

SHA256 hash: 412a694c19663771576663125556c5e3e2377f20291f5593a4b0faade79b68a5
SHA3-384 hash: ad1044ee23425dae80d14b44532b6515001e9a907ab70d854ae314edd7fd7be5c1d4e7d797bb753a2d6d6c91502520a2
SHA1 hash: ee648e3e6e77e7fed8fdc12c345b97e27da29bd3
MD5 hash: 8bd74195c18fea6ddaa472d6d78f4ac8
humanhash: lemon-ink-lion-west
File name: 8bd74195c18fea6ddaa472d6d78f4ac8.exe
Signature RemcosRAT
File size: 4'337'664 bytes
First seen: 2022-09-01 10:32:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 24b92ccf1e266e626a6cc7126f975fe5 (7 x RemcosRAT)
ssdeep 98304:N9nrW9imEg5V8+LFYhBfrsqcl4KYHgJJ2I:NJgimEg5+Usoqcl47qN
TLSH T1A21623B353BB8201F4E6CC39C12BBDD572F7076A5F42ECB869E6A9C125524A0F312953
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags: exe RAT RemcosRAT
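Before feeding a copy of this sample into analysis tooling, confirm it really is the file catalogued above and not a truncated or mis-extracted one. The Python below is an added example, not MalwareBazaar's own code: it recomputes every digest the entry lists (SHA256, SHA3-384, SHA1, MD5) plus the file size from a local file and compares each one. The only assumption is the file path the reader supplies; all expected values are the ones shown on this entry.

```python
"""Verify a local file against the fingerprints on this MalwareBazaar entry.

Added example, not MalwareBazaar's code. Expected values are copied from the
entry above; the path passed to verify_file() is the reader's own.
"""
import hashlib
from pathlib import Path

# Fingerprints as listed on this entry (hex, lowercase).
ENTRY_HASHES = {
    "sha256": "412a694c19663771576663125556c5e3e2377f20291f5593a4b0faade79b68a5",
    "sha3_384": "ad1044ee23425dae80d14b44532b6515001e9a907ab70d854ae314edd7fd7be5c1d4e7d797bb753a2d6d6c91502520a2",
    "sha1": "ee648e3e6e77e7fed8fdc12c345b97e27da29bd3",
    "md5": "8bd74195c18fea6ddaa472d6d78f4ac8",
}
ENTRY_SIZE = 4337664  # bytes, as listed ("4'337'664")

DIGESTS = ("sha256", "sha3_384", "sha1", "md5")


def fingerprint(data: bytes) -> dict:
    """Compute the same digests MalwareBazaar lists, in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data: bytes, expected: dict = ENTRY_HASHES, size: int = ENTRY_SIZE) -> dict:
    """Return {field: True/False} for every listed digest plus the file size.

    Every digest is compared, not just one: a match on MD5 alone proves little
    (MD5 collisions are practical), so SHA256 and SHA3-384 must agree as well.
    """
    got = fingerprint(data)
    result = {name: got[name] == value.lower() for name, value in expected.items()}
    result["size"] = len(data) == size
    return result


def verify_file(path: str) -> bool:
    """True only if every digest and the size match the entry."""
    return all(verify(Path(path).read_bytes()).values())


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <extracted sample path>
    checks = verify(Path(sys.argv[1]).read_bytes())
    for field, ok in checks.items():
        print(f"{field:8s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(checks.values()) else 1)
```

A single mismatching field is enough to stop: a different size with matching MD5 means a wrong or tampered file, while a matching SHA256 with a wrong MD5 means the expected value was transcribed badly, so the result dict reports each field separately rather than collapsing to one boolean too early.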

Intelligence


File Origin
# of uploads: 1
# of downloads: 269
Origin country: n/a
Vendor Threat Intelligence
ID: 1
File name: 8bd74195c18fea6ddaa472d6d78f4ac8.exe
Verdict: Malicious activity
Analysis date: 2022-09-01 10:37:47 UTC
Tags: remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Setting a keyboard event handler
Creating a window
Creating a file in the %temp% subdirectories
DNS request
Creating a file
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Writes to foreign memory regions
Yara detected Remcos RAT
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2022-09-01 10:07:40 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:remcos rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Program crash
Remcos
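The behaviours the sandboxes report above (WriteProcessMemory and SetThreadContext against another process, MapViewOfSection, SetWindowsHookEx, and "setting a keyboard event handler") are the API footprint of process hollowing followed by a keyboard hook. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors: it runs that detection logic over a simplified API trace. The trace format (pid, image, API name, one argument) and every event in TRACE are constructed for illustration; a real export from ANY.RUN, Joe Sandbox or a similar sandbox has to be mapped onto those four fields first.

```python
"""Flag cross-process write-then-execute and keyboard-hook patterns in a sandbox API trace.

Added example (not vendor or MalwareBazaar code). TRACE and its four-column
format are constructed; map a real sandbox export onto Call() before use.
"""
from typing import List, NamedTuple, Optional, Tuple


class Call(NamedTuple):
    pid: int
    image: str
    api: str
    arg: str  # target pid for cross-process APIs, hook type for SetWindowsHookEx, "-" if none


# APIs that place bytes into another process ("Writes to foreign memory regions" above).
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "MapViewOfSection", "NtMapViewOfSection"}
# APIs that redirect or start execution in another process; SetThreadContext is classic hollowing.
EXEC_APIS = {"SetThreadContext", "NtSetContextThread", "CreateRemoteThread",
             "NtCreateThreadEx", "QueueUserAPC", "ResumeThread"}
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}

# Constructed trace: the sample (pid 1204) spawns a child (pid 2316), writes into it
# and redirects its thread; the child then installs a low-level keyboard hook.
TRACE = """\
1204 8bd74195c18fea6ddaa472d6d78f4ac8.exe CreateToolhelp32Snapshot -
1204 8bd74195c18fea6ddaa472d6d78f4ac8.exe CreateProcessW 2316
1204 8bd74195c18fea6ddaa472d6d78f4ac8.exe WriteProcessMemory 2316
1204 8bd74195c18fea6ddaa472d6d78f4ac8.exe SetThreadContext 2316
1204 8bd74195c18fea6ddaa472d6d78f4ac8.exe ResumeThread 2316
2316 target.exe SetWindowsHookExW WH_KEYBOARD_LL
"""


def parse_trace(text: str) -> List[Call]:
    """Parse whitespace-separated 'pid image api arg' lines; blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, api, arg = line.split(maxsplit=3)
        calls.append(Call(int(pid), image, api, arg))
    return calls


def _target_pid(call: Call) -> Optional[int]:
    return int(call.arg) if call.arg.isdigit() else None


def find_injection(calls: List[Call]) -> List[Tuple[int, int, str, str]]:
    """Return (source_pid, target_pid, write_api, exec_api) for each process that wrote
    into a *different* process and afterwards changed or started a thread in it.

    Order matters: an exec API before any write is not reported, and writes into the
    caller's own pid are ignored since the pattern is cross-process by definition.
    """
    pending = {}  # (source, target) -> first write API seen, awaiting an exec API
    findings = []
    for call in calls:
        target = _target_pid(call)
        if target is None or target == call.pid:
            continue
        key = (call.pid, target)
        if call.api in WRITE_APIS:
            pending.setdefault(key, call.api)
        elif call.api in EXEC_APIS and key in pending:
            findings.append((call.pid, target, pending.pop(key), call.api))
    return findings


def find_keyboard_hooks(calls: List[Call]) -> List[Tuple[int, str]]:
    """Return (pid, image) for SetWindowsHookEx[A|W] calls that install a keyboard hook
    (the 'Setting a keyboard event handler' behaviour above)."""
    return [(c.pid, c.image) for c in calls
            if c.api.rstrip("AW") == "SetWindowsHookEx" and c.arg in KEYBOARD_HOOKS]


if __name__ == "__main__":
    trace = parse_trace(TRACE)
    for src, dst, w, x in find_injection(trace):
        print(f"injection: pid {src} -> pid {dst} via {w} then {x}")
    for pid, image in find_keyboard_hooks(trace):
        print(f"keyboard hook: pid {pid} ({image})")
```

Pairing a write API with a later exec API on the same (source, target) pair is what separates injection from benign cross-process activity such as a debugger or an installer reading another process; either half alone is far too noisy to alert on.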
Unpacked files
SHA256 hash: 13f5c34b23e694d394d262e7a966ef93a724d1911410ab47458ae334d47b1e9d
MD5 hash: 2511b0ca6cd772adb53d565ab9f36024
SHA1 hash: 32d0aa294d292daa27319a3b441ad718e4f9a3d5

SHA256 hash: 412a694c19663771576663125556c5e3e2377f20291f5593a4b0faade79b68a5
MD5 hash: 8bd74195c18fea6ddaa472d6d78f4ac8
SHA1 hash: ee648e3e6e77e7fed8fdc12c345b97e27da29bd3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | RemcosRAT | Executable exe 412a694c19663771576663125556c5e3e2377f20291f5593a4b0faade79b68a5 (this sample)

Delivery method: Distributed via web download
