MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 17

SHA256 hash: 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
SHA3-384 hash: c12d7696e775a26405bfc7eebae9fe4a7844fc9d076c43ab9c4b5ff73661d172e3b069b7d2c8ef102b2e34ea9b9af576
SHA1 hash: 9aa5380dc87829c6fa22e9029cadcab9f6221ef9
MD5 hash: 4a9440baa61be8363a372b0bbc5933ad
humanhash: neptune-uniform-uncle-michigan
File name: 4A9440BAA61BE8363A372B0BBC5933AD.exe
Signature: RemcosRAT
File size: 985'600 bytes
First seen: 2025-01-04 17:40:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB
Threatray: 197 similar samples on MalwareBazaar
TLSH: T1492523A81E0AC95FD88217B40A72F37B96798D9DD4238213CBEDFCFB791165A611C2D0
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 22842ce6e0889204 (2 x RemcosRAT, 2 x SnakeKeylogger, 1 x VIPKeylogger)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
185.234.72.215:4444

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 185.234.72.215:4444
ThreatFox reference: https://threatfox.abuse.ch/ioc/1377757/

Intelligence


File Origin
# of uploads: 1
# of downloads: 571
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
Verdict: Malicious activity
Analysis date: 2025-01-02 23:06:02 UTC
Tags: remcos rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: shell virus micro
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Setting a keyboard event handler
Connection attempt
Sending a custom TCP request
Launching a process
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed packed packer_detected vbnet
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign process
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Suspect Svchost Activity
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1584203; sample 4XYAW8PbZH.exe; start date 04/01/2025; architecture WINDOWS; score 100), rebuilt from the flattened graph as a process tree:
  Root: contacts www.google.com, mdec.nelreports.net, geoplugin.net; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  4XYAW8PbZH.exe (started)
    dropped: C:\Users\user\AppData\...\4XYAW8PbZH.exe.log (ASCII)
    signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 5 other signatures
    -> 4XYAW8PbZH.exe (child)
         dropped: C:\Users\user\AppData\Roaming\...\graias.exe (PE32); C:\Users\user\...\graias.exe:Zone.Identifier (ASCII)
         signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious names
         -> graias.exe
              signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process
              -> graias.exe
                   network: 185.234.72.215:4444 (COMBAHTONcombahtonGmbHDE, United Kingdom); geoplugin.net 178.237.33.50:80 (ATOM86-ASATOM86NL, Netherlands)
                   dropped: C:\ProgramData\graias\logs.dat (data)
                   signatures: Detected Remcos RAT; Writes to foreign memory regions; Maps a DLL or memory area into another process; Installs a global keyboard hook
                   -> svchost.exe (3 instances) and 23 other processes
                        -> chrome.exe (8 shown plus 42 other processes); network: 192.168.2.4 (ports 138, 443, 4444); 239.255.255.250 (reserved)
                             -> chrome.exe (8 shown plus 41 other processes); network: s-part-0032.t-0009.t-msedge.net 13.107.246.60:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 142.250.186.164:443 (GOOGLEUS, United States); 11 other IPs or domains
              -> powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe, WmiPrvSE.exe
              -> WerFault.exe
    -> powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
    -> WerFault.exe; dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
Threat name: ByteCode-MSIL.Trojan.SnakeKeylogger
Status: Malicious
First seen: 2024-12-31 21:18:17 UTC
File Type: PE (.Net Exe)
Extracted files: 14
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:graias discovery execution persistence rat
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction: 185.234.72.215:4444
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 38fab977db1afa7d55b8866200831cf63a8df53d8bd4444ceb5b345feea7fb45
MD5 hash: 27c0e331f22f96bb50f30c937ee16cc2
SHA1 hash: b2a4afbbd41463b0360e4b1b527b40f1b32e4e83
Detections: Remcos win_remcos_auto win_remcos_w0 malware_windows_remcos_rat win_remcos_rat_unpacked INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

SHA256 hash: a62706fb0d993667c1f38379fb0f8f0e03ff72a59a61e3d791cf7c42c7056db7
MD5 hash: 9b7e1766ffc12d8e2a90db9f1be93774
SHA1 hash: 52d564c81a6b94f4c9ac162673b45ca5acd171ba

SHA256 hash: c579a50f7385090b0e353f97b3524ed02679214b45372900d6d43c8eeda9fe7a
MD5 hash: fc2bc6175fdeae3a6339920ec8fa302a
SHA1 hash: 303d89cc8f4ee2e922fed001a8f36d1ee697cdad
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
MD5 hash: 4a9440baa61be8363a372b0bbc5933ad
SHA1 hash: 9aa5380dc87829c6fa22e9029cadcab9f6221ef9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name: lsi_remcos
Author: anonym
Description: Remcos_V5 Payload
Rule name: lsi_remcos2
Author: anonym
Description: Remcos_V5 Payload
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: pe_imphash
Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload
Rule name: REMCOS_RAT_variants
Rule name: Remcos_unpacked_PulseIntel
Author: PulseIntel
Description: Remcos Payload
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.
Rule name: win_remcos_rat_unpacked
Author: Matthew @ Embee_Research
Description: Detects strings present in remcos rat Samples.
Rule name: win_remcos_w0
Author: Matthew @ Embee_Research
Description: Detects strings present in remcos rat Samples.
Rule name: yarahub_win_remcos_rat_unpacked_aug_2023
Author: Matthew @ Embee_Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE | Title: Missing Authenticode | Severity: high
ID: CHECK_DLL_CHARACTERISTICS | Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA) | Severity: high

Comments