MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 19

SHA256 hash: 52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960
SHA3-384 hash: 552a7a285e345dbd2f4082e2202bb081e6449c8679a3b18f102e5cacc4b53f2aebb433492f94fee92d4d3e3aac49c7ac
SHA1 hash: ccb27bc5570fd160601d8009727296a12c579f66
MD5 hash: 7b9956e820cfd64a02a13af88b5237af
humanhash: muppet-friend-jupiter-vegan
File name: 52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960
Signature: RemcosRAT
File size: 6'608'384 bytes
First seen: 2024-07-04 12:51:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger). This is the generic import hash shared by .NET executables, which is why it also matches tens of thousands of samples from unrelated families; it is not a useful pivot for this sample.
ssdeep: 24576:sjLAQlWpXO17Q2G4rWgnfeZ79HK+6aAsYsxY90n+Y+2JnsWW3Ff/F5VWdXHb1h6P:MAQlWpXk02Ygp9E+2JnsWWZ
Threatray: 107 similar samples on MalwareBazaar
TLSH: T1D8665CF5B1DF95F1F4478EB6E4A4B982133274B39EC24825235D36040EA7B6A7E0894F
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: adrian__luca
Tags: exe RemcosRAT
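Before analysing a downloaded copy, confirm it is the file this entry describes by recomputing every digest the entry lists and comparing. The script below is an added example, not MalwareBazaar's code; it assumes the sample has already been extracted from the download archive to a local path passed on the command line, and the expected values are copied from the hashes above.

```python
"""Verify a local copy of the sample against the digests on this entry."""
import hashlib
import sys
from typing import Dict, List, Optional

# Digests exactly as printed on the MalwareBazaar entry for this sample.
ENTRY_HASHES: Dict[str, str] = {
    "sha256": "52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960",
    "sha3_384": "552a7a285e345dbd2f4082e2202bb081e6449c8679a3b18f102e5cacc4b53f2aebb433492f94fee92d4d3e3aac49c7ac",
    "sha1": "ccb27bc5570fd160601d8009727296a12c579f66",
    "md5": "7b9956e820cfd64a02a13af88b5237af",
}
ENTRY_SIZE = 6_608_384  # "File size" on the entry


def digest_all(data: bytes, names=tuple(ENTRY_HASHES)) -> Dict[str, str]:
    """Compute each named hashlib digest over the same bytes."""
    hashers = {name: hashlib.new(name) for name in names}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data: bytes,
                  expected: Dict[str, str] = ENTRY_HASHES,
                  size: Optional[int] = ENTRY_SIZE) -> List[str]:
    """Return one line per mismatch; an empty list means the bytes match the entry.

    Comparison is case-insensitive because some sources print hex in upper case.
    """
    problems: List[str] = []
    if size is not None and len(data) != size:
        problems.append(f"size: got {len(data)} bytes, entry says {size}")
    got = digest_all(data, tuple(expected))
    for name, want in expected.items():
        if got[name] != want.lower():
            problems.append(f"{name}: got {got[name]}, entry says {want}")
    return problems


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-extracted-sample>
    with open(sys.argv[1], "rb") as fh:
        mismatches = verify_sample(fh.read())
    if mismatches:
        print("MISMATCH against MalwareBazaar entry:")
        print("\n".join("  " + m for m in mismatches))
        sys.exit(1)
    print("OK: all four digests and the file size match the entry")
```

Checking all four digests and the size together is cheap and catches the common mistakes (hashing the archive instead of the extracted file, a truncated download, or a sample swapped for one of the unpacked children listed further down).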

Intelligence

File Origin
# of uploads: 1
# of downloads: 392
Origin country: HU
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960
Verdict: Malicious activity
Analysis date: 2024-07-04 12:49:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Infostealer Network Stealth Kryptik

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm explorer lolbin net_reactor packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: PureLog Stealer
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2024-06-20 00:06:29 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:4runhost persistence rat upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Remcos
Malware Config
C2 Extraction: juderule.africa:3395
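The behaviour sections above (file dropped under %AppData%, Run key added for persistence) and the extracted C2 give enough to hunt for this sample on an estate. The script below is an added example, not from MalwareBazaar or any of the vendor reports on this page: it takes the C2 host and port from the Malware Config, the Run-key behaviour, and the SHA256 of the submitted file and of the unpacked file detected as Remcos, and sweeps telemetry normalised to a few fields (type, key/value, query, dest_host/dest_port, path/sha256). The telemetry lines are constructed for the example so it runs offline; a real run would feed it Sysmon or EDR events mapped to the same fields.

```python
"""Sweep normalised endpoint/network telemetry for this sample's indicators."""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from this entry: Malware Config C2, submitted file, unpacked Remcos payload.
C2_HOST = "juderule.africa"
C2_PORT = 3395
SAMPLE_SHA256 = {
    "52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960",  # submitted sample
    "0b9c4983d8a8ef6d933182b8d5883d90ad3a353ccc181a7d7b0ead5c58e5464a",  # unpacked file detected as Remcos
}
# Run key reported under "Behaviour", whatever hive prefix the event source uses.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.IGNORECASE)
# User-writable drop locations (the sample writes into %AppData%).
DROP_DIR_RE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)


def evaluate(event: Dict) -> List[str]:
    """Return the indicator hits for one normalised event (empty list if clean)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "dns_query":
        if event.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append("dns: lookup of Remcos C2 host")
    elif kind == "network_connect":
        if event.get("dest_host", "").lower().rstrip(".") == C2_HOST:
            tag = "host+port" if event.get("dest_port") == C2_PORT else "host only"
            hits.append(f"net: connection to Remcos C2 ({tag})")
    elif kind == "registry_set":
        if RUN_KEY_RE.search(event.get("key", "")):
            value = event.get("value", "")
            if DROP_DIR_RE.search(value):
                hits.append(f"persistence (high): Run key points into a user-writable dir: {value}")
            else:
                hits.append("persistence (low): Run key written outside user-writable dirs, review target")
    elif kind == "file_hash":
        if event.get("sha256", "").lower() in SAMPLE_SHA256:
            hits.append(f"file: known sample hash at {event.get('path')}")
    return hits


def hunt(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over JSON-lines telemetry; return (line_no, hits) for every match."""
    findings: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        hits = evaluate(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed telemetry for this example (not a real capture). Raw strings keep
# the doubled backslashes JSON needs for Windows paths.
SAMPLE_TELEMETRY = [
    r'{"type":"file_hash","path":"C:\\Users\\u\\Downloads\\invoice.exe","sha256":"52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960"}',
    r'{"type":"registry_set","key":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","value":"C:\\Users\\u\\AppData\\Roaming\\svc\\svc.exe"}',
    r'{"type":"dns_query","query":"juderule.africa"}',
    r'{"type":"network_connect","dest_host":"juderule.africa","dest_port":3395}',
    r'{"type":"dns_query","query":"update.microsoft.com"}',
    r'{"type":"registry_set","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth","value":"C:\\Windows\\System32\\SecurityHealthSystray.exe"}',
]

if __name__ == "__main__":
    for line_no, hits in hunt(SAMPLE_TELEMETRY):
        for hit in hits:
            print(f"line {line_no}: {hit}")
```

The Run-key check is deliberately split: a Run value pointing into %AppData%, Temp or ProgramData is rated high because that is exactly the pattern the sandboxes report for this sample, while a Run value pointing into System32 is only flagged for review, since legitimate software uses the same key. Matching the C2 on the host name rather than the port alone avoids flagging every unrelated connection to TCP 3395.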
Unpacked files
SHA256 hash: 0b9c4983d8a8ef6d933182b8d5883d90ad3a353ccc181a7d7b0ead5c58e5464a
MD5 hash: 0ec353301134926f01c74496c5af1036
SHA1 hash: 5442f202a31d068f386b91acde645a77fc439902
Detections: Remcos win_remcos_auto win_remcos_w0 malware_windows_remcos_rat INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

SHA256 hash: 25323d8451164904ce973fb8c6b91d82320222d7bdc6e88a17da37f373b494bf
MD5 hash: 3b6021c54760e483a55839b8f9679b42
SHA1 hash: 992588e3a8b58a7fcab2f4fe846db9a12f53a68f

SHA256 hash: f0706c3a6b464a7a46ab41033f358093d5a050bf51bb85b07b53dedda0d07315
MD5 hash: 95ea7d67baf06f055eb4938c57fbbeee
SHA1 hash: 22e3b1497f8817f78664a0ff188f6284e84a4686

SHA256 hash: f9d9b2a74b34888a55e7f2fe7584803520076ceef62b2fe4f0db01fb32960742
MD5 hash: 9a6bd142e10d0594919eb5e6b1acca38
SHA1 hash: 14f2b4972c7f193145bb5c5436dceaf7513e4a34

SHA256 hash: 582379b127bd9e086aa3ce61e53be94345e381e41c15a9f1cf7cc9dc3973c9eb
MD5 hash: 8f0641e8a946758816a083bc11375136
SHA1 hash: 13dfc8da7cecc42726a002aaa711243eb271d43a

SHA256 hash: 52a37eb90b8f3a1d164717415b58cf9bac1db1caa1f8aa57224089811cf50960
MD5 hash: 7b9956e820cfd64a02a13af88b5237af
SHA1 hash: ccb27bc5570fd160601d8009727296a12c579f66
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
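Both BLint findings can be re-derived from the PE headers without running BLint: Authenticode is present when the Certificate Table entry (data directory index 4) has a non-zero size, and Control Flow Guard is advertised by the IMAGE_DLLCHARACTERISTICS_GUARD_CF bit (0x4000) in the optional header's DllCharacteristics. The parser below is an added example, not BLint's code or MalwareBazaar's; it handles both PE32 and PE32+ and reproduces only these two checks, not BLint's full rule set. The synthetic header builder exists only so the example runs offline against constructed input rather than the real sample.

```python
"""Re-check the two BLint findings on this entry straight from the PE headers."""
import struct
import sys
from typing import Dict, List, Tuple

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table (Authenticode blob)


def pe_security_properties(data: bytes) -> Dict:
    """Parse DOS -> PE -> optional header and report signature and CFG status."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt + 96   # data directories start after the PE32 fixed fields
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt + 112  # PE32+ fixed fields are 16 bytes longer
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    _cert_off, cert_size = struct.unpack_from(
        "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "authenticode": cert_size != 0,
    }


def blint_style_findings(props: Dict) -> List[Tuple[str, str, str]]:
    """Emit the same two (ID, Title, Severity) rows BLint shows on this entry."""
    findings = []
    if not props["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not props["guard_cf"]:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (GUARD_CF)", "high"))
    return findings


def build_synthetic_pe(pe32plus: bool, dll_chars: int, cert_size: int) -> bytes:
    """Constructed header-only PE image for offline testing; not a real sample."""
    opt_size = 240 if pe32plus else 224
    buf = bytearray(0x80 + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)            # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84 + 16, opt_size)   # COFF SizeOfOptionalHeader
    opt = 0x84 + 20
    struct.pack_into("<H", buf, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    dirs_off = opt + (112 if pe32plus else 96)
    struct.pack_into("<II", buf, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python pe_checks.py <pe-file>; with no argument, a synthetic unsigned,
    # non-CFG PE32 header is used, which reproduces both findings from this entry.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_synthetic_pe(pe32plus=False, dll_chars=0x8160, cert_size=0)
    for fid, title, severity in blint_style_findings(pe_security_properties(image)):
        print(f"{fid} | {title} | {severity}")
```

A non-zero Certificate Table size only tells you a signature blob is attached; whether it verifies is a separate check (signtool or osslsigncode). For a .NET executable, GUARD_CF is set by the linker flags the assembly was built with and says nothing about the managed code itself, so its absence is expected on most .NET malware and is weak signal on its own.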

Comments