MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 437c785b2093ffb955f17d63758cfb10e741509415cc55de8050e2d918716a4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

SHA256 hash: 437c785b2093ffb955f17d63758cfb10e741509415cc55de8050e2d918716a4a
SHA3-384 hash: cf2ceb1f778341a8b279b213a73b40423c6d0edb9f2e6b91c7841bf4fe7f75c4033acb800070ef9be72d2cfb0dac3d4f
SHA1 hash: 94ee709ab608d9d4ed6143a1deae85dd9fd812b3
MD5 hash: 0a8711fa1cb4189ab364c217db5f3620
humanhash: utah-oscar-december-ohio
File name: file
Signature: RemcosRAT
File size: 1'651'200 bytes
First seen: 2024-11-19 14:55:30 UTC
Last seen: 2024-11-19 14:55:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e65d5d56989c1441945255d78668884e (1 x RemcosRAT, 1 x njrat, 1 x AsyncRAT)
ssdeep: 24576:Y/WWf67etHLvLdh+dLNuK5imSFRWct3BfA59jACSr6ggTan9mTYdGvhH0WygS:Uf66tXdh+147YcXIfUCc6bG9DgS
Threatray: 1'545 similar samples on MalwareBazaar
TLSH: T16F75CF45FF84851AD2D301BAE61261C4E6469EB1AC0284177EDB7B5FFB38A824F13F16
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: e189c9a9b6aaf8d0 (1 x RemcosRAT, 1 x njrat, 1 x AsyncRAT)
Reporter: Bitsight
Tags: exe RemcosRAT


Reporter comment (Bitsight):
url: https://bhcc.com.sa/build.exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 454
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: https://drive.google.com/open?id=17W2HEG30C3wjmO6JBC-mb1zRw3AoviQb
Verdict: Malicious activity
Analysis date: 2024-11-18 22:02:56 UTC
Tags: cve-2024-43451 webdav loader rat remcos evasion purecrypter netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.2%
Tags: dropper overt sage

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypto explorer fingerprint hook keylogger lolbin microsoft_visual_cc packed packed packer_detected xpack

Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
Drops large PE files
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1558585 (Sample: file.exe, Startdate: 19/11/2024, Architecture: WINDOWS, Score: 100). The graph rendering is not reproduced here; the processes it shows are file.exe, ywezrgl.exe, wscript.exe, csc.exe, MSBuild.exe, cmd.exe, Defensive.pif, MusesSync.scr, conhost.exe and schtasks.exe, with dropped files QuickTextPaste.exe, ywezrgl.exe, Defensive.pif, MusesSync.scr, MusesSync.js and MusesSync.url, and network contacts to oportunidad-escolombiasegura.cfd, comercio0025.dns.army, contath.org, bhcc.com.sa and geoplugin.net.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-11-18 17:30:32 UTC
File Type: PE (Exe)
Extracted files: 56
AV detection: 20 of 24 (83.33%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:mouse discovery persistence rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Remcos
Remcos family
Malware Config
C2 Extraction: oportunidad-escolombiasegura.cfd:3020
Unpacked files
SHA256 hash: af561bc44a7b0efd881f5dafd85656c94b61a49154e07327abbd0e71493dab2c
MD5 hash: d763ada2eae622fe991810733da295b7
SHA1 hash: 5aaa07064b4a0f1fcfcaddb6c88b34a3b8d7207a
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 0ff3c04d6026c295ffd85a0306f2db6b62cdc6c60f6abc651b236df3b661ad8f
MD5 hash: 774ff37d51c0e3545b6dd96172df1858
SHA1 hash: 0ddef8a3386af869e75588a9c8e06301203a20c5

SHA256 hash: f27d9dbd889a2c41c2949970a218d845f706a0b9199bee488b0f18e7f5fea8a4
MD5 hash: 4986eb97eb9b964a599f9a6911628629
SHA1 hash: 06415e7d91e5a28ef2e27c6e58e9ff137ce34966

SHA256 hash: 6bcaf806ba8db8dd591da14ad9d70e2f631d3054f183e7b55543615724be9bba
MD5 hash: e8b19446d0d94ec0641e6e2ab82c1697
SHA1 hash: 1826a90dff4586d857fdbd1d0d2d300fa3c6e9a4
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 437c785b2093ffb955f17d63758cfb10e741509415cc55de8050e2d918716a4a
MD5 hash: 0a8711fa1cb4189ab364c217db5f3620
SHA1 hash: 94ee709ab608d9d4ed6143a1deae85dd9fd812b3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RemcosRAT
File: Executable exe 437c785b2093ffb955f17d63758cfb10e741509415cc55de8050e2d918716a4a (this sample)
Dropped by: Amadey

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::GetTokenInformation
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW, ADVAPI32.dll::GetUserNameW
WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextW, ADVAPI32.dll::CryptCreateHash, ADVAPI32.dll::CryptGetHashParam, ADVAPI32.dll::CryptHashData
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegOpenKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW
