MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0
SHA3-384 hash: 9edaeac809fce5668719d4c6325602ffbc29fd8e1f2148a87450647b25e2f795c36a3442a456f0a3a8d87fc006abbcb4
SHA1 hash: cfe8a0aaa16426f81875242843ecef3b433f884b
MD5 hash: 7dd0c45e64f1141f9e0b8e2add05c5b1
humanhash: berlin-whiskey-cold-victor
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'371'816 bytes
First seen:2023-09-26 18:29:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ca2ada15fca9ba51b650e1414510d44 (2 x Amadey, 1 x LummaStealer, 1 x RemcosRAT)
ssdeep 49152:SofmQA9pf5V3qLYeTxXiuJhLm4f0bvG+GkMEExfpSCLHytP5PImrennvhpfawK/1:Sofd0pf+LYAxXiuXLm4fkGKWSC+vPIXI
Threatray 2'615 similar samples on MalwareBazaar
TLSH T16216BF22BA41C071F9D201B954BEAB7A497DAE244735D0C397D43D6AC8311D33B3A7AB
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d4e6e6d3f2bcc870 (3 x RedLineStealer, 1 x BitRAT, 1 x LaplasClipper)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-09-26 18:31:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e1466343-edea-499e-94c6-2f08e044c64d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451335/
Detection(s):
SecuriteInfo.com.Trojan-Downloader.Win32.Agent.22829.18027.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
Unauthorized injection to a recently created process
Creating a process from a recently created file
Сreating synchronization primitives
Setting a keyboard event handler
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
anti-debug control expand greyware lolbin overlay packed remote shell32
Link:
https://www.filescan.io/uploads/6513232f988a26b6d9711415/reports/dcfefea4-7d3d-4109-bf3f-a4bf44e8e063/overview
Verdict:
Suspicious
Labled as:
BScope.Backdoor
Link:
https://www.hybrid-analysis.com/sample/4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1b3c1ad7-ee60-4888-a214-d2170f432b54
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314764
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1314764 Sample: file.exe Startdate: 26/09/2023 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 5 other signatures 2->54 8 file.exe 4 2->8         started        12 icsigd.exe 2 2->12         started        process3 dnsIp4 38 ipv4.imgur.map.fastly.net 199.232.32.193, 443, 49779 FASTLYUS United States 8->38 40 metmuseum.org 76.76.21.21, 443, 49777, 49806 AMAZON-02US United States 8->40 46 3 other IPs or domains 8->46 56 Maps a DLL or memory area into another process 8->56 14 cmd.exe 6 8->14         started        42 76.76.21.98, 443, 49808 AMAZON-02US United States 12->42 44 www.metmuseum.org 12->44 18 cmd.exe 12->18         started        signatures5 process6 file7 32 C:\Users\user\AppData\Local\Temp\hspguaf, PE32 14->32 dropped 34 C:\Users\user\AppData\Local\Temp\cnvfat.exe, PE32 14->34 dropped 58 Found hidden mapped module (file has been removed from disk) 14->58 60 Maps a DLL or memory area into another process 14->60 20 cnvfat.exe 14->20         started        22 conhost.exe 14->22         started        36 C:\Users\user\AppData\Local\Temp\merismhdf, PE32 18->36 dropped 24 cnvfat.exe 18->24         started        26 conhost.exe 18->26         started        signatures8 process9 process10 28 WerFault.exe 23 9 20->28         started        30 WerFault.exe 10 24->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-26 17:12:11 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqero2mbzs2nn56errwirvfk23wbhvnntofp4qonwqghjgjt62ya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
RemcosRAT
900274d5916f078ac30bedfc6b3bf5812c09de4cc1bdddd4e25d5efa1e3bb1c3
RemcosRAT
ad34fb2d07c3340e16218e86b663ec39717dfe30f8951bd3922603aeeb9a9f8c
RemcosRAT
c5b83cba12fc69072661e0c8d473ed6d4263580764f0ac0476e4306df3f71e64
RemcosRAT
dbe58d85c6d914e378b6ab0f05a3683a4e9ee3889a9c1e0b7834a1f2612cd09f
RemcosRAT
e1f130eaed82441c051ac3c8869fa7c76b3d60810a2b641b3bfb70cfdbdf9b1b
RemcosRAT
ee956c86cd6e470dc79533205689b9819b93ac3805eeb241266c2ef04e6a455a
RemcosRAT
f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465
RemcosRAT
f75fd5ce522743fe012bdf743efc66e481d72d92b6eb0465621a77a4600ff6b5
RemcosRAT
+ 2'605 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230926-w5f7zacf6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0
MD5 hash:
7dd0c45e64f1141f9e0b8e2add05c5b1
SHA1 hash:
cfe8a0aaa16426f81875242843ecef3b433f884b
Link:
https://www.unpac.me/results/ede27ae5-2c8e-436e-9d7d-d89860fdc035/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang
Create hunting rule
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/451335/
  
URLhaus
https://urlhaus.abuse.ch/url/2711658/

Comments