MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52a189781402d404196a0bd74055e8322915aa4a00b37ac0f1ef06e2c7a91d74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 17



SHA256 hash: 52a189781402d404196a0bd74055e8322915aa4a00b37ac0f1ef06e2c7a91d74
SHA3-384 hash: 5b7d8b1ab85d4ab40d381532c4bfb4a5b7c638c62492cbe9b2c434dbd076d735f28086e3537102411175efe62439d697
SHA1 hash: 75a28bb099763870639506c34526bc526d6415bb
MD5 hash: 8d4199db6a7081378a7bd8bd471d425f
humanhash: shade-hydrogen-stream-yellow
File name: WinPlugins.exe
Signature: RemcosRAT
File size: 2'093'758 bytes
First seen: 2025-03-22 16:12:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep: 49152:OgqKIXzlCtQ2yUqSfB+tI1Vr8Z/Ja3DhI7EEH6rv///:OzYOpSS4VB3VI7EJ3/
Threatray: 5'073 similar samples on MalwareBazaar
TLSH: T142A50109D2A8C4FBE0A7AD38892245F2E67E7C090361D78F17E576761F336909F2A711
TrID:
92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: d02a95d866b55820 (1 x RemcosRAT)
Reporter: aachum
Tags: exe RemcosRAT VenomRAT xworm


iamaachum
https://github.com/legendary99999/mnnkjhjnklm/releases/download/kjkjknknkjnlk/WinPlugins.exe

VenomRAT C2: 37.48.64.102:4950
Remcos C2:
dico.on-the-web.tv:3950
dr.is-gone.com:3950
dyndico.from-il.com:3950
nvdiemozess.broke-it.net:3950
XWorm C2:
imagine.here-for-more.info:3960
neverdiedico.mypets.ws:3960
nvdiemosole.broke-it.net:3960
37.48.64.102:3960

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 425
Origin country: ES
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
WinPlugins.exe
Verdict:
Malicious activity
Analysis date:
2025-03-22 16:10:06 UTC
Tags:
autoit rat remcos remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Using the Windows Management Instrumentation requests
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint installer microsoft_visual_cc overlay packed packer_detected sfx
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos, AsyncRAT, XWorm
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Detected Remcos RAT
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Double Extension Files
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Autoit Injector
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID 1645818 (sample: WinPlugins.exe; start date: 22/03/2025; architecture: WINDOWS; score: 100). The rendered graph did not survive extraction; the details that could be recovered from it follow.
Domains contacted: imagine.here-for-more.info, dico.on-the-web.tv, geoplugin.net
Network endpoints: dico.on-the-web.tv 198.167.205.53 port 3950 (CYBERDYNELR, Saint Kitts and Nevis); geoplugin.net 178.237.33.50 port 80 (ATOM86-ASATOM86NL, Netherlands); imagine.here-for-more.info 37.48.64.102 ports 3960 and 4950 (LEASEWEB-NL-AMS-01, Netherlands); 127.0.0.1; 142.250.81.225 port 443 (GOOGLEUS, United States); clients2.googleusercontent.com; googlehosted.l.googleusercontent.com
Process chain: WinPlugins.exe drops rtsf.exe, XLtod.exe and Vltod.exe in C:\Users\user\AppData\Local\Temp; each of them launches wscript.exe, which spawns several cmd.exe instances; through further child processes these start RegSvcs.exe and powershell.exe (with conhost.exe). RegSvcs.exe starts recover.exe and, via further child processes, chrome.exe. ilrcphdp.jpg.exe appears as a second start point and injects a PE file into a foreign process.
Dropped files (PE32 unless noted): C:\Users\user\AppData\Local\Temp\rtsf.exe; C:\Users\user\AppData\Local\Temp\XLtod.exe; C:\Users\user\AppData\Local\Temp\Vltod.exe; C:\Users\user\pgkv\ilrcphdp.jpg.exe.exe; C:\Users\user\pgkv\ilrcphdp.jpg.exe; C:\Users\user\pgkv\ilrcphdp.jpg; C:\Users\user\AppData\Local\...\koemhx.mp2; C:\Users\user\AppData\...\koemhx.mp2.exe; C:\Users\user\AppData\Roaming\...\koemhx.mp2; C:\Users\user\AppData\Local\...\ilrcphdp.jpg; C:\Users\user\AppData\...\wscmnoqdwk.3gp; C:\Users\user\AppData\...\wscmnoqdwk.3gp.exe; C:\Users\user\AppData\Local\Temp\...\ofqp.vbe (Unicode); C:\vjxs\wscmnoqdwk.3gp.exe; C:\vjxs\wscmnoqdwk.3gp; C:\ProgramData\remcos\logs.dat (data)
Signatures attached to graph nodes repeat those in the Signature list above (26 further signatures were collapsed in the graph).
Threat name:
Win64.Trojan.Amadey
Status:
Suspicious
First seen:
2025-03-21 15:27:08 UTC
File Type:
PE+ (Exe)
Extracted files:
238
AV detection:
20 of 24 (83.33%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:asyncrat family:remcos family:xworm botnet:tl61 botnet:v-lg60 collection credential_access discovery execution persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
AsyncRat
Asyncrat family
Detect Xworm Payload
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
37.48.64.102:4950
imagine.here-for-more.info:3960
neverdiedico.mypets.ws:3960
nvdiemosole.broke-it.net:3960
37.48.64.102:3960
dico.on-the-web.tv:3950
dr.is-gone.com:3950
dyndico.from-il.com:3950
nvdiemozess.broke-it.net:3950
Gathering data
Unpacked files
SHA256 hash:
52a189781402d404196a0bd74055e8322915aa4a00b37ac0f1ef06e2c7a91d74
MD5 hash:
8d4199db6a7081378a7bd8bd471d425f
SHA1 hash:
75a28bb099763870639506c34526bc526d6415bb
SHA256 hash:
17b48e9aa4ea6dc0b97d9d4233806960051c384281a34fd0ec23dc4f3cb30250
MD5 hash:
f870a8a57ae1743628a513a2aaab35c4
SHA1 hash:
3f801da77dd5afa206d19a4746675359ecd84280
SHA256 hash:
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
MD5 hash:
0adb9b817f1df7807576c2d7068dd931
SHA1 hash:
4a1b94a9a5113106f40cd8ea724703734d15f118
Detections:
AutoIT_Compiled
Parent samples:
Malware family:
MailPassView
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File: Executable exe 52a189781402d404196a0bd74055e8322915aa4a00b37ac0f1ef06e2c7a91d74 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings (ID: title, severity)
CHECK_AUTHENTICODE: Missing Authenticode, severity high
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (FORCE_INTEGRITY), severity high
Reviews (ID: capability, evidence)
GDI_PLUS_API: Interfaces with Graphics; evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API: Can Create Process and Threads; evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API: Uses Win Base API; evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API: Can Execute other programs; evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API: Can Create Files; evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments