MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8
SHA3-384 hash: 272c092e21eb2345addcb1ec41b483db197c4ee96695ccc31eeb90a9a54decc2dc172dfd2c180beeeef8392d89215c39
SHA1 hash: 741885a42d4517939c3a7e003727b12d457f0624
MD5 hash: 46003a917927235059d68042c451a6ca
humanhash: undress-lemon-alabama-purple
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:553'522 bytes
First seen:2023-06-13 14:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4268417a626e2c0f1f976ac1fecf34a4 (1 x RemcosRAT)
ssdeep 12288:WioEcxmEeHrkc/hopGjiZdJiCb8jSjSbgDW/zmquIuG:WREBEeHrkcWpamECo+jLDW/Kni
Threatray 287 similar samples on MalwareBazaar
TLSH T155C4121E3D444CD1F2E837B31C22FD69B6A4AD3266DF4D1F508AA9AC2132B576F5031A
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 400cf970e0ecd808 (2 x Kutaki, 2 x RemcosRAT, 2 x AsyncRAT)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:22:18 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/7de76d06-082a-43f4-a633-10778d46d329

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398439/
Detection(s):
SecuriteInfo.com.W32.Injector.DBRX.tr.23301.22208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/64887b549f45f940f553d14e/reports/a117c767-e7e7-4dd8-9035-b69371a7f318/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4ce25a9-d532-44bd-9ee6-c0fa944f2e52
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253742
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 16:28:47 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=juqmzap6gnuwes3ywbkbt7vi57pz6fd7ue77kqkwdlsctcz4llma._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07f678a2738900d3046868e70cddd95171240f3319c24dba741f95d5763932a5
RemcosRAT
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
RemcosRAT
4107b6df1884a4eb7aeabe55741c01e486ba0b4454c99caaec0ed647018a6125
RemcosRAT
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
RemcosRAT
64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47
RemcosRAT
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
RemcosRAT
ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3
RemcosRAT
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
RemcosRAT
c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea
RemcosRAT
+ 277 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230613-rn1stsgf27/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
192.168.175.1:1800
Unpacked files
SH256 hash:
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
MD5 hash:
1c9ff0b44e4db1fc5a2f5a84c6add5af
SHA1 hash:
09a4f3776beec99ccdb6260c5e48a5eab5c8244b
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/cd608f80-b57f-4c30-ae83-54518a7a075f/
Parent samples :
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
SH256 hash:
4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8
MD5 hash:
46003a917927235059d68042c451a6ca
SHA1 hash:
741885a42d4517939c3a7e003727b12d457f0624
Link:
https://www.unpac.me/results/cd608f80-b57f-4c30-ae83-54518a7a075f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d20cc81fe33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398439/

Comments