MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee
SHA3-384 hash: a363b51ac44a6b82f1d74cd69511f3648eb2c915b8c6ec1be5e0d59123dbd6f736bacec563608e0a3bc93fb8af440515
SHA1 hash: a43bf11bb3853b15129e0d4bdb3c0fe21b3bd977
MD5 hash: a8f21d79369634f852ce26e5113b3719
humanhash: oranges-alaska-edward-timing
File name:SecuriteInfo.com.Win32.RATX-gen.21306.22425
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'954'304 bytes
First seen:2023-11-22 12:37:55 UTC
Last seen:2023-11-22 13:15:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:KSj3ECneZI//7SE6y+Bcpo6GfTpea0Z2:xdeu//77cBcpC0D
TLSH T1CF9533A926E9C7CAC445EB301638C1BE13626E097CDE6D50C1F97E9BB440FA37A5C5B0
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459702/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.21306.22425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
GenPack:Generic.Remcos
Link:
https://www.hybrid-analysis.com/sample/440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca603cde-dd54-4796-97f0-e9301d11679b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1346396
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Remcos
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 12:38:05 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqf7jlpghod6vzjnmxwxg3xwvbbhvjwkwwlgsjcedhfflahnuhxa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:wz101 evasion rat
Link:
https://tria.ge/reports/231122-pt2k7scd74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Remcos
Malware Config
C2 Extraction:
193.142.59.240:5151
Unpacked files
SH256 hash:
440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee
MD5 hash:
a8f21d79369634f852ce26e5113b3719
SHA1 hash:
a43bf11bb3853b15129e0d4bdb3c0fe21b3bd977
Link:
https://www.unpac.me/results/3db70baa-8f8d-44b3-a3da-17e9b0521087/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/440bf4ade63b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/440bf4ade63b87eae52d65ed736ef6a8427aa6cab59669244419ca5580eda1ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459702/

Comments