MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43bdecd290fd3df3dc807e4744a50fb488624a8653b3db356c809b3898d975fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43bdecd290fd3df3dc807e4744a50fb488624a8653b3db356c809b3898d975fe
SHA3-384 hash: 1e803b76305c5d3dc5a1b2656983c28fa411d345e616914f84d8a7bbc81bc928ca6474c45d457e5d0e1d27a1886ceb97
SHA1 hash: 7c7abde1b5f87c19067b741ce79d08416559455f
MD5 hash: 9f8fcdaf77f1ffa7326404c88659764f
humanhash: india-enemy-cola-maryland
File name:DESGH123ED.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'128'448 bytes
First seen:2023-06-19 05:55:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Z3Yqtm8OqKkM4bJmPwYk86L2TmFSX7UetmlEu170wnn5Jm4:Z3+8O54bYPDyUgHlEBEn5
Threatray 2'100 similar samples on MalwareBazaar
TLSH T1013501C6E9814587EC1D5BB940727E71136BBF79BCB9E24D9D49B0E07AB36830032A47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0307612c88000000 (65 x AgentTesla, 47 x RemcosRAT, 9 x MassLogger)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.147.140.166:1987

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DESGH123ED.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 05:56:57 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/2cd95fd7-e38e-4016-b9ae-fb0a4020ce21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400284/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22849.20340.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/648fedf310461c2d676a5bd4/reports/59cd74e8-4caa-4c3d-be7e-7f3a2f3ab345/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/43bdecd290fd3df3dc807e4744a50fb488624a8653b3db356c809b3898d975fe
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a76d29ee-d792-4fbc-962f-db301572ee24
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257074
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890090 Sample: DESGH123ED.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 8 other signatures 2->54 7 pQdcxnbBt.exe 5 2->7         started        10 DESGH123ED.exe 7 2->10         started        process3 file4 58 Multi AV Scanner detection for dropped file 7->58 60 Contains functionality to bypass UAC (CMSTPLUA) 7->60 62 Contains functionalty to change the wallpaper 7->62 70 5 other signatures 7->70 13 schtasks.exe 1 7->13         started        15 pQdcxnbBt.exe 7->15         started        34 C:\Users\user\AppData\Roaming\pQdcxnbBt.exe, PE32 10->34 dropped 36 C:\Users\...\pQdcxnbBt.exe:Zone.Identifier, ASCII 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp6C6F.tmp, XML 10->38 dropped 40 C:\Users\user\AppData\...\DESGH123ED.exe.log, ASCII 10->40 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 10->64 66 Adds a directory exclusion to Windows Defender 10->66 68 Injects a PE file into a foreign processes 10->68 17 DESGH123ED.exe 2 15 10->17         started        22 powershell.exe 21 10->22         started        24 schtasks.exe 1 10->24         started        signatures5 process6 dnsIp7 26 conhost.exe 13->26         started        42 194.147.140.166, 1987, 49692 PTPEU unknown 17->42 44 geoplugin.net 178.237.33.50, 49693, 80 ATOM86-ASATOM86NL Netherlands 17->44 46 192.168.2.1 unknown unknown 17->46 32 C:\ProgramData\remcos\logs.dat, data 17->32 dropped 56 Installs a global keyboard hook 17->56 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43bdecd290fd3df3dc807e4744a50fb488624a8653b3db356c809b3898d975fe/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 05:56:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=io66zuuq7u67hxeapzdujjipwsegesugkoz5wnlmqcntrggzox7a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
082c753b9065e2c0db0904195b91ae7b59b23d56252bf941c70cf9b0a5fcb6ea
RemcosRAT
3c2b603e5f2c4bf67f3e240cff2daa7ffca9703ce808e9893f446963ff72eb1e
RemcosRAT
6053c5c3a4202b8c2e6b2f176a99c980233f63024be06b67d3a30e2f0b4470f4
RemcosRAT
9271b609db698f886795f121d1d110acf0a4959eaf5d94a93ade96b6a6cf0a95
RemcosRAT
97e54013704e2edc63c7d31ee30dfba3d2bcdbdd91df650ff0a01e560c3e111a
RemcosRAT
9e6406269fe3e1f7a309e3ee01e4770d6f5c7abd2dead9afc7eddfedcdb04295
RemcosRAT
a6bf09d8242fd2933426629a504f995a5d624d555bd2f28a49876762ec0a03a6
RemcosRAT
ca19795538ded5ca26ae167d5417cc200d51ff7738e36695fbb05b305dbc15b6
RemcosRAT
e2c60159ad9908ac2a1ab446c1866dfe5a59b1535ca29f111ae56833996d82b8
RemcosRAT
ea7e6b5688313cb532684ecc61a1438a40bbd32a0eb1ee7b1810086cb705aa09
RemcosRAT
+ 2'090 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:bomb rat
Link:
https://tria.ge/reports/230619-gm1rbsbh33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
194.147.140.166:1987
Unpacked files
SH256 hash:
77c77d44e13672e67b7666dc3edcddd7c5ab39649c2027cdfd19b196aa153264
MD5 hash:
cc1a2b37ac17d10c7d91ff64d6d1ded7
SHA1 hash:
f42e9688bca58c41f501b7681a848da7c1442dc9
Link:
https://www.unpac.me/results/a2f3a343-a3e1-46d7-9b53-e17cd32a5865/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/a2f3a343-a3e1-46d7-9b53-e17cd32a5865/
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/a2f3a343-a3e1-46d7-9b53-e17cd32a5865/
SH256 hash:
4f7393b85a656f1c36e31aebc595db87cd5a6b609bccc4422e8a04d1877346be
MD5 hash:
e9df7133f6262c5ae2eab24218c9acf8
SHA1 hash:
9fd38b455978b405a9c09c75767743ebc28a311d
Link:
https://www.unpac.me/results/a2f3a343-a3e1-46d7-9b53-e17cd32a5865/
SH256 hash:
02d5c84a33fcdc8c674aeb20fc37437435c64fd465590922e34f11f8a232e183
MD5 hash:
9633e47d6778556294c320a93da6692d
SHA1 hash:
83abe8962a5d0ce4a48b48f976a23fae1583d802
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a2f3a343-a3e1-46d7-9b53-e17cd32a5865/
SH256 hash:
43bdecd290fd3df3dc807e4744a50fb488624a8653b3db356c809b3898d975fe
MD5 hash:
9f8fcdaf77f1ffa7326404c88659764f
SHA1 hash:
7c7abde1b5f87c19067b741ce79d08416559455f
Link:
https://www.unpac.me/results/a2f3a343-a3e1-46d7-9b53-e17cd32a5865/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43bdecd290fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/43bdecd290fd3df3dc807e4744a50fb488624a8653b3db356c809b3898d975fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400284/

Comments