MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash: 51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
SHA3-384 hash: bde8f6f11f52817aa8368ca11cdfc1607f6caf89e738443a8a271e530268411dcf800288db4a7ef43e3715edb504c74c
SHA1 hash: 1a0c86251a0044d65915640a0042c492e19275a2
MD5 hash: fa8ce83b306dd68d1d7660919c9dd523
humanhash: spaghetti-winter-muppet-lactose
File name:fa8ce83b306dd68d1d7660919c9dd523
Download: download sample
Signature RemcosRAT
File size:1'461'760 bytes
First seen:2021-09-15 06:47:59 UTC
Last seen:2021-09-15 08:10:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'097 x AgentTesla, 20'115 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 24576:nMwSQ9PXxgJCWHt0r6EeLU2nANSbm+IU2wh2zrzcv1SWmSUu1d5KHBBFj3RN:nMwXrov1SvUKBBF3r
Threatray 2'433 similar samples on MalwareBazaar
TLSH T13D659D0033FC0617E2FF0BB566B542018A75F9622696D71E725CA20E1FE2B944DB27B7
dhash icon b271e8cccccccc70 (3 x RemcosRAT)
Reporter JAMESWT_WT
Tags:Afia Wave Enterprises Oy exe RemcosRAT signed

Code Signing Certificate

Organisation:Afia Wave Enterprises Oy
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-07-08T00:00:00Z
Valid to:2022-07-08T23:59:59Z
Serial number: 69ad1e8b5941c93d5017b7c3fdb8e7b6
Intelligence: 53 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 999bbf99f3b3c1a894340918d8f2c6a358e7ec6299bab5d8fd6b9e7570abf929
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-01 10:18:45 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Result
Threat name:
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483543 Sample: 5ByCQSmADU Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 58 192.168.2.1 unknown unknown 2->58 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 Sigma detected: Powershell adding suspicious path to exclusion list 2->66 68 12 other signatures 2->68 8 5ByCQSmADU.exe 9 11 2->8         started        12 svchost.exe 2->12         started        14 B2DAD187.exe 2->14         started        16 8 other processes 2->16 signatures3 process4 dnsIp5 44 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\...\B2DAD187.exe, PE32 8->46 dropped 48 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->48 dropped 54 2 other files (1 malicious) 8->54 dropped 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->72 74 Creates autostart registry keys with suspicious names 8->74 76 Drops PE files to the startup folder 8->76 86 2 other signatures 8->86 19 B2DAD187.exe 8->19         started        23 powershell.exe 26 8->23         started        25 AdvancedRun.exe 1 8->25         started        27 8 other processes 8->27 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 12->50 dropped 78 Multi AV Scanner detection for dropped file 12->78 80 Tries to delay execution (extensive OutputDebugStringW loop) 12->80 52 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->52 dropped 82 Adds a directory exclusion to Windows Defender 14->82 56 127.0.0.1 unknown unknown 16->56 84 Changes security center settings (notifications, updates, antivirus, firewall) 16->84 file6 signatures7 process8 dnsIp9 42 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 19->42 dropped 70 Adds a directory exclusion to Windows Defender 19->70 30 conhost.exe 23->30         started        32 AdvancedRun.exe 25->32         started        60 192.168.0.133, 2404 unknown unknown 27->60 34 conhost.exe 27->34         started        36 conhost.exe 27->36         started        38 conhost.exe 27->38         started        40 4 other processes 27->40 file10 signatures11 process12
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Status:
Malicious
First seen:
2021-09-01 14:58:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
cc8e381203d130dfd27bc3cecacb0507433d4ed72734f488d7e8d13dd2234609
MD5 hash:
1cb4d2f4e005fc2fddceffcffbc9e890
SHA1 hash:
a18035c1892514a523974d068099a4fdcb735963
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
SH256 hash:
8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash:
4abff34e351e4e95514aecb515e8aea3
SHA1 hash:
742702e8c78e7cf19f19e56a6cdb2d1811759710
SH256 hash:
b97ad6e9b56bf10e76b01fb69db58a231dd54b5b8103726c7559dafc2d8da2fc
MD5 hash:
bf1fb9b82c705725baf34810601a7afb
SHA1 hash:
30ad4209d9bc5c0c299fa138dfbf33e15e797594
Detections:
win_remcos_auto
SH256 hash:
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
MD5 hash:
fa8ce83b306dd68d1d7660919c9dd523
SHA1 hash:
1a0c86251a0044d65915640a0042c492e19275a2
Malware family:
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:pe_imphash
Rule name:Remcos
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:REMCOS_RAT_variants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments