MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
SHA3-384 hash: 04120026c25d525d155c1ec3e39a6d2dd6af55337e598591f595c9ff0638ed757fde641d8d20001632eb9c49bf142510
SHA1 hash: e5d97eb5a5bf91e0b006ce75e6ade7bccfde52b2
MD5 hash: dec965bfa7c35a4b7c9265610a45a7bf
humanhash: cardinal-chicken-monkey-purple
File name:ICICI Ref No. CMS4213872601.pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:630'784 bytes
First seen:2024-06-10 10:45:41 UTC
Last seen:2024-06-17 13:35:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:xX0pxBV36Di8BtLhPvBfLjhwCsMmhSqkcAOv19drFOBpCixYTJYviJ9EAmD:ABFKzVLlDsMmYqkcAO1QBpCkiH
Threatray 209 similar samples on MalwareBazaar
TLSH T19DD41291755A9EC8D86E03F10836966003BB2E9D68E6D10D34ED3EAF32B33135496F57
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
369
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f.exe
Verdict:
Malicious activity
Analysis date:
2024-06-10 11:16:26 UTC
Tags:
rat remcos remote
Link:
https://app.any.run/tasks/9330e085-18b5-4a7e-aff1-1ce65276dac6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2548.23488.10515.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66670716a439c6d6b0874f3awin7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Stealth Heur Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Connection attempt to an infection source
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6666d9720bf5978c0b0e03a8/reports/edbd35ed-e4b6-475c-a207-46b35227376d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66cc8e09-d274-48ae-966d-0a0a7488a2a2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1454510
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1454510 Sample: ICICI Ref No. CMS4213872601... Startdate: 10/06/2024 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 17 other signatures 2->55 7 RdBpbpyLHU.exe 5 2->7         started        11 ICICI Ref No. CMS4213872601.pdf.exe 7 2->11         started        process3 file4 37 C:\Users\user\AppData\...\RdBpbpyLHU.exe.log, ASCII 7->37 dropped 57 Antivirus detection for dropped file 7->57 59 Multi AV Scanner detection for dropped file 7->59 61 Detected Remcos RAT 7->61 67 7 other signatures 7->67 13 RdBpbpyLHU.exe 7->13         started        16 schtasks.exe 1 7->16         started        39 C:\Users\user\AppData\...\RdBpbpyLHU.exe, PE32 11->39 dropped 41 C:\Users\...\RdBpbpyLHU.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\Users\user\AppData\Local\...\tmp3AE4.tmp, XML 11->43 dropped 45 ICICI Ref No. CMS4213872601.pdf.exe.log, ASCII 11->45 dropped 63 Adds a directory exclusion to Windows Defender 11->63 65 Injects a PE file into a foreign processes 11->65 18 ICICI Ref No. CMS4213872601.pdf.exe 1 2 11->18         started        21 powershell.exe 23 11->21         started        23 powershell.exe 23 11->23         started        25 schtasks.exe 1 11->25         started        signatures5 process6 dnsIp7 69 Detected Remcos RAT 13->69 71 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->71 27 conhost.exe 16->27         started        47 62.102.148.166, 3319, 49708, 49717 TEKNIKBYRANSE Sweden 18->47 73 Installs a global keyboard hook 18->73 75 Loading BitLocker PowerShell Module 21->75 29 WmiPrvSE.exe 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-06-10 10:46:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=imubifntmhneefn3pjfavfilfsk4fv3s6mk5iuiir76vgsan447q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
14a79ce3f46a8cb58c98cfb730a841bf02ba8a62f4d90ae7cc77c6cab5e23aa3
RemcosRAT
6335b9e2204cdd0a2c6cbd39296aa6b409e46a3ec9ccec992423e65ddae20f30
RemcosRAT
800de052c0fa373e0df12a82d5b061fea2285dfde7e631e23961cffe079f8f3b
RemcosRAT
fd80ef0c4a88f9aa002cb779a52d56a5b0bbaf1061fc2885fc35559ec3d16907
RemcosRAT
+ 199 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:banksy execution rat
Link:
https://tria.ge/reports/240610-m4b27agd2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Remcos
Malware Config
C2 Extraction:
62.102.148.166:3319
Unpacked files
SH256 hash:
1a1de9f3fe4c3a7ea7cd547cdd9d78b3873d6e243e544e5bb647452d6d9f6cfe
MD5 hash:
ceb52a5c98659e8905ea76737fe00c01
SHA1 hash:
bb7b30ff84d6aa26eaa0021c9fa3cd2c5a08e694
Link:
https://www.unpac.me/results/67d6b6f5-496a-4e20-992c-ad9fddc9b395/
SH256 hash:
4b59f40fc970ca343e165586a5c91245b1c2ea7245afcc060658849c8afdeb95
MD5 hash:
cb99e4f25703826c7077019017616958
SHA1 hash:
70e0c9df094ca7a8c2eeaa7945adc5b16759a27b
Link:
https://www.unpac.me/results/67d6b6f5-496a-4e20-992c-ad9fddc9b395/
SH256 hash:
6243c709db7165f4a84036c0544b462ee9539412c61de6151a6aa18465659e48
MD5 hash:
5166d8930d5a1bf5a1738cc180587975
SHA1 hash:
4316633ea531432ff67776d1e59dcf8481a7cbbc
Link:
https://www.unpac.me/results/67d6b6f5-496a-4e20-992c-ad9fddc9b395/
SH256 hash:
b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7
MD5 hash:
caad5e1ae920d351c2521be2dc5f22fc
SHA1 hash:
387312f70d7bd53a4ab5a779a38d125d731323cc
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/67d6b6f5-496a-4e20-992c-ad9fddc9b395/
Parent samples :
33cc55fef11d691d7728275b1e7dfc61520cef61bb0035de7dfb8e648f086f50
43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
7d7cf9b0a09e74a8a10b23b2265a31b41b0f017f18c965987ac47acebac15268
845c3ba76768948ab3df490599f02d060cd464c6251e16e7847d53707254ee46
b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7
253ae6027d114caeb26331508c9c916b54fe3561faf46679c06c48dad8860cac
d21d0451a7a8b112776118d88154bf7eab2703b13bf6ae1dcaec2f959bf42305
86329825eaf86f08f84bfc3ddd8870b5c05f47a43aba3695eea5ca4c7a0ee00b
SH256 hash:
43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
MD5 hash:
dec965bfa7c35a4b7c9265610a45a7bf
SHA1 hash:
e5d97eb5a5bf91e0b006ce75e6ade7bccfde52b2
Link:
https://www.unpac.me/results/67d6b6f5-496a-4e20-992c-ad9fddc9b395/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43281415b361/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments