MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c
SHA3-384 hash:	59ee280d206cb813d17be9567065a04abffcbb1a00478e57b272f829e0a82d7b2d3c029b014a3c97643ab108dc3b9e47
SHA1 hash:	33f65a3b6bb816823866a286848fac808f64c1a0
MD5 hash:	b5cb5e1203743569f525e297a5fd1a7b
humanhash:	cold-louisiana-golf-muppet
File name:	b5cb5e1203743569f525e297a5fd1a7b
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'115'648 bytes
First seen:	2022-10-22 09:19:12 UTC
Last seen:	2022-10-22 10:26:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:Fj9kqnXJoyWyjv5IsSpW4X8riQIVLiT2Ea+ylAROJ3+PpLnSlF:FCMXJoZ85h8X8GQQLM2LfSW34nkF
Threatray	3'509 similar samples on MalwareBazaar
TLSH	T16535232877638976C6585B7A84D3042187B18E49B073EF8FB8C50B595D0A3FE4F81BE6
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d02f2b3337297b96 (20 x RemcosRAT, 4 x AgentTesla, 1 x NanoCore)
Reporter	zbetcheckin
Tags:	32 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

b5cb5e1203743569f525e297a5fd1a7b

Verdict:

Malicious activity

Analysis date:

2022-10-22 09:20:40 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/a98941d3-f728-4c2b-8762-dd1f7f17e640

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/322595/

Detection(s):

SecuriteInfo.com.Variant.Lazy.254755.30649.21303.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6353b5c3898b0652a4b95743/reports/26c0590a-1a20-41d9-a870-58437c1d406a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/935c7535-0691-4211-a19a-ff57d3818ca8

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1095416

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c/

Threat name:

Win32.Trojan.Remcos0s19

Status:

Malicious

First seen:

2022-10-19 04:52:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 40 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ipfwcy2w2cwyrki2ppxpqikz3mpcgro7gpqk3dhuz2akpty4e56a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

3e19a176f456db3316b84a9a5bedaeae9323a65d035d285c486b518829aaa5d4

RemcosRAT

6e32755e959eedb7b200382f137bf89e6319644ffab4b52322c70f1d0e4f11e7

RemcosRAT

910d9b435b172c50ad6cde23d820b4e1f07197e82ecdece15a74fbe750584378

RemcosRAT

dff9dfa64f1a603197abded9f5942b83efab0c71520a4fe028ba8fb79cfe7b11

RemcosRAT

e93e5b0f594a010610642083421a9609b380eed335cba10a1138ca31e44c4166

RemcosRAT

+ 3'499 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:xp persistence rat

Link:

https://tria.ge/reports/221022-larp4scae4/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

xpremcuz300622.ddns.net:3542

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8dde6227-9d48-4f7b-8c14-5616e3b5de68

Unpacked files

SH256 hash:

597dc46a254f145b30823349175801a7a18a79546b981c03c6f65d618d3c1a94

MD5 hash:

dd1232c07e3cd52b2accabe79e84de71

SHA1 hash:

366b3f3fc175b3784bde68bd82043fd7143a9ad1

Link:

https://www.unpac.me/results/4611f11b-d3af-4a9d-a303-07f50eab4edf/

SH256 hash:

e5db62eb9602eb4e7b1d2eda848b5f65f1ac35bc90e9127f4777b09493f1fcec

MD5 hash:

9705fef6bfdfbb7e9546fb9a9d1e4afc

SHA1 hash:

e74765ab9298b57cbad7927d693261c78075169d

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/4611f11b-d3af-4a9d-a303-07f50eab4edf/

Parent samples :

703b4d505cd05c228e0cf681a542262dc98211cf2e4eb26102283b5b7efa29ee
4fb64a4a1e0876e8cdd9afcd6c62c908f1b2441692dcd83c430b4606272689d9
3639a796055969929b98a8a34fde77d9a0f79242ec6f012fea2dc14a98752a32
0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618
00233105478fa8030ed5921ce8bd12897acf1e713f76b0cb335afb3df76d8aae
b893cb34f5bdccee94379aed6977ed09b939716cb1e982fb9a88a6ca1e4c1029
d4efc7df4617d7aa2c8d0c1fb399706c3ca1820d84ddd51d7b59df21141aa773
8b5f51bac1e86642f29d33ce68e4ca56edecb6c76c39d936309e6b4c1d1e8554
72c3d2d704faab4352ac7a4dd9a7b21501e07aa8a6f9fa9f1ea7f4d0849cedda
be9fe1cd741c239b0ce1b3edc3fb8f87445acf71ab2fb5346197e50c2da66968
fccf5521a09be0f003c6415ee7c87cd98cd109511ef7f79990e4386fcca0ae25
43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c
42aa64afaf836bf9a44554d469c52d65cb987edfbe66300cd92663d8f31a188c
4fb5476bfc11cb3da1feffa767cc7abb70040bd0b11c0e26a7e4d2bdc2d5e049
d35305729959edc2c2f6821a1460ea8b1680ad5083a649080df614221c02492e
99d28200203baac82a7253419526711f38d7ecb1a6098f243c8656adc72ef6d8
bf5a377899f6233ee48281997d6c23ae42f78319f6368e946ffa78de01fa307d
0a52296b98cc01f0fd275dda6fb76f1f4193647528d1ea62f3cbc605a97af553
51cd8a9f4c1a4ef234ad2b69e36415377a4f73afa08f9b69d85f7bdc30d17bb8
32c38d159ca596fc6f8696c7462299312a8b243dd4ea75086946494f5c5cd801
f7361813973bf5358dfe900784ab0c2cddd70ad3c1bfdeac1b1de494ffb2a3fa
ad3a4db849a64ea07922d63153d3381798b4450f28d8db82c95393a5f6aaa569
cd53007fc79e7078155fef915142ca15d695c3a1ba6494d3027365cf24157f5a
6f156a6c661f4b68eb1be00e5a1be53fb80f05af516ef4dcdd7d3e937a1db580
e96aed97b899d7cfc37b229f045f6b87623f9abd97b15256fa6322685cb2c5f0

SH256 hash:

6f8bab8e33dfee22a6be413b37235771f788cad05594169866974c4db7bd2020

MD5 hash:

d1897a65c4f298f1ff32e0a037202387

SHA1 hash:

48f5469e5c4c8ba076542fbf216812326a664dfe

Link:

https://www.unpac.me/results/4611f11b-d3af-4a9d-a303-07f50eab4edf/

SH256 hash:

652b37febb030bae36d7736960e8cc87fb48c4ba32f387ea4eb328c4b9a72810

MD5 hash:

7d2c00b5650aa545d9ede01917931f77

SHA1 hash:

007f27dd7ac8f3ebf9fa1e82d0f93b201306de90

Link:

https://www.unpac.me/results/4611f11b-d3af-4a9d-a303-07f50eab4edf/

SH256 hash:

43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c

MD5 hash:

b5cb5e1203743569f525e297a5fd1a7b

SHA1 hash:

33f65a3b6bb816823866a286848fac808f64c1a0

Link:

https://www.unpac.me/results/4611f11b-d3af-4a9d-a303-07f50eab4edf/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/43cb616356d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 43cb616356d0ad88a91a7beef82159db1e2345df33e0ad8cf4ce80a7cf1c277c

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/322595/

URLhaus

https://urlhaus.abuse.ch/url/2381682/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-10-22 09:19:24 UTC

url : hxxp://185.216.71.161/XZZ.exe