MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 452daf183846078dffb7fb5595860656cbff08f53bf710dd33c17590e2f13177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 6



SHA256 hash: 452daf183846078dffb7fb5595860656cbff08f53bf710dd33c17590e2f13177
SHA3-384 hash: cfaa0de96608219e86787cf56c8df59f2d2c86c6b858352de7f0718a7977cdfa3222b2e69120000ce98befb21c8bfbe0
SHA1 hash: 54395ce9dc76b798b9052c33e2c92184832a2e75
MD5 hash: 4be1bc0d4811a66a056fd6fe84205134
humanhash: comet-orange-six-fanta
File name: 452daf183846078dffb7fb5595860656cbff08f53bf710dd33c17590e2f13177
Signature: RemcosRAT
File size: 1'310'720 bytes
First seen: 2020-11-13 15:39:06 UTC
Last seen: 2024-07-24 13:41:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c1206cb36a00551135959c1e7294be4 (2 x RemcosRAT)
ssdeep: 24576:P7HUgE+h6PyUHQB+3F3bNXEBJO85qUmAYz4bUPBrXNbBbjL:/B6PyUH3LGm6FXkr9bl
Threatray: 1'352 similar samples on MalwareBazaar
TLSH: 6F555B227DAE8877C0762A388D9FA6A96439BE113924855F77F01D0CCF367807C1939B
Reporter: seifreed
Tags: RemcosRAT
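The hashes above are the IOCs a responder actually uses: a file pulled from a host is hashed and compared against the entry. The script below is an added example, not MalwareBazaar's own tooling or API client. It parses the "<ALGO> hash:" lines of an entry as they appear on this page, computes MD5, SHA1, SHA256 and SHA3-384 over the input in a single pass, and reports which digests match. ENTRY_TEXT is copied from the hash lines above; the bytes hashed in the usage section are constructed placeholders, since the sample itself is not part of the page.

```python
import hashlib
import re
import sys

# Hash lines copied from the MalwareBazaar entry above.
ENTRY_TEXT = """\
SHA256 hash: 452daf183846078dffb7fb5595860656cbff08f53bf710dd33c17590e2f13177
SHA3-384 hash: cfaa0de96608219e86787cf56c8df59f2d2c86c6b858352de7f0718a7977cdfa3222b2e69120000ce98befb21c8bfbe0
SHA1 hash: 54395ce9dc76b798b9052c33e2c92184832a2e75
MD5 hash: 4be1bc0d4811a66a056fd6fe84205134
"""

# Label as printed on the page -> hashlib algorithm name.
ALGORITHMS = {"sha256": "sha256", "sha3-384": "sha3_384", "sha1": "sha1", "md5": "md5"}
HASH_LINE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_entry(text: str) -> dict:
    """Return {hashlib_name: hexdigest} for the hash lines of an entry.

    A digest whose length does not fit its algorithm is rejected outright:
    a truncated or mis-copied IOC would otherwise silently never match.
    """
    iocs = {}
    for label, digest in HASH_LINE.findall(text):
        algo = ALGORITHMS[label.lower()]
        expected_len = hashlib.new(algo).digest_size * 2
        if len(digest) != expected_len:
            raise ValueError(f"{label} digest has {len(digest)} hex chars, expected {expected_len}")
        iocs[algo] = digest.lower()
    return iocs


def hash_chunks(chunks, algorithms) -> dict:
    """Feed every chunk to every hasher, so a large file is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=tuple(ALGORITHMS.values())) -> dict:
    """Digests of an in-memory buffer."""
    return hash_chunks([data], algorithms)


def hash_file(path: str, algorithms=tuple(ALGORITHMS.values()), chunk_size=1 << 20) -> dict:
    """Digests of a file on disk, streamed in 1 MiB chunks."""
    def chunks():
        with open(path, "rb") as f:
            while block := f.read(chunk_size):
                yield block
    return hash_chunks(chunks(), algorithms)


def match_iocs(computed: dict, iocs: dict) -> dict:
    """Per-algorithm comparison of computed digests against the entry's IOCs."""
    return {name: computed.get(name) == digest for name, digest in iocs.items()}


if __name__ == "__main__":
    iocs = parse_entry(ENTRY_TEXT)
    if len(sys.argv) > 1:
        computed = hash_file(sys.argv[1], iocs.keys())
    else:
        # Constructed placeholder input; it is not the sample from the entry.
        computed = hash_bytes(b"MZ\x90\x00constructed placeholder, not the real sample", iocs.keys())
    for name, matched in match_iocs(computed, iocs).items():
        print(f"{name:8} {'MATCH' if matched else 'no match'}  {computed[name]}")
```

Run it with a file path to hash that file; without arguments it hashes the placeholder bytes and reports no match on all four algorithms. Because all four hashers are updated from the same chunk stream, a multi-gigabyte image costs one read rather than four.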

Intelligence


File Origin
# of uploads: 2
# of downloads: 57
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection into a system process
Forced shutdown of a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2020-11-13 15:43:06 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 452daf183846078dffb7fb5595860656cbff08f53bf710dd33c17590e2f13177
MD5 hash: 4be1bc0d4811a66a056fd6fe84205134
SHA1 hash: 54395ce9dc76b798b9052c33e2c92184832a2e75
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_win32_parallax_payload_1
Author: @VK_Intel
Description: Detects Parallax Injected Payload v1.01
Reference: https://twitter.com/VK_Intel/status/1227976106227224578

Rule name: crime_win32_rat_parralax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088

Rule name: MAL_crime_win32_rat_parallax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments