MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
SHA3-384 hash: 0fbe6dbfa6aa919144a065f27f0ef1778077db69c501337ac5de3433e9d5081f9c29bcd4e732d65d71232122f9aaa38a
SHA1 hash: 981f7c5d2c37a78ef1a6706563a4e8f26d8454b2
MD5 hash: 21d7db20f8996de7de0a4e56c5bc7b98
humanhash: autumn-idaho-venus-kansas
File name:21d7db20f8996de7de0a4e56c5bc7b98
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:672'306 bytes
First seen:2023-06-13 10:38:25 UTC
Last seen:2023-06-13 11:58:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b37cd65c066b7cb6cf1ab3e77cb216ea (1 x RemcosRAT)
ssdeep 12288:aiu/iJvzsK/6NTsUlQc8QeN0Aqr/zX8IfcM5NhaII/o4Ii:aKaDWX7EzMIfDNhS/oji
Threatray 21 similar samples on MalwareBazaar
TLSH T192E4156D6E120C3AE8EA4778D1017A1668702C297FDFD60DDF516B1D2CAC54EB3E821B
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
21d7db20f8996de7de0a4e56c5bc7b98
Verdict:
Malicious activity
Analysis date:
2023-06-13 10:39:16 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/e7b049fb-e5d7-4d6a-bd85-6cfc5d73b4f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398240/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6488474ac6414862d206dadb/reports/07e07104-aafd-429f-80b2-f4f18ee83503/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f276bcf6-735a-4284-9e64-485bc5366a45
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253535
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916/
Threat name:
Win32.Trojan.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 10:39:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ky4gejgt6lm55kgm4x45v7g44masuvenqjhu5gxrmk6chf53lela._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
051101f45d03dac4583297cce0d708af562dedfa085b3d9dcfea40be2083e7ab
RemcosRAT
30ffce543f13fce23c61f63f8a6783b1c3be723377cb13e13bf033cbff8b904b
RemcosRAT
5ae1e20709a0557d7d4a90411f73981934d2184d4e6ee18c8a2cfe81a2381452
RemcosRAT
6987962aebbf833513cc85fd4ec26d215170035ee60e69bd2cc2e25b6e9a6d46
RemcosRAT
6d774b6ef4a21efee8a9116bfc18ab1a0a0609e058638a77566a29c9d98f7982
RemcosRAT
722c38612f58a2762ae67f38d4342c7aaa59c89c3546cbe0d69f4700b55420fa
RemcosRAT
8250b55601a05bc91cc88f36e0e99642682e4a0d2a8752afc0651c8eaa7a0706
RemcosRAT
b2c267c3ef336e879f1ecec51c36a5ad720222410a6ee3e1b0b8823b659f1915
RemcosRAT
c884dcf4fa00359eeb51ead67cd41d9a68b71f09e3588f03456244eddaa36fa0
RemcosRAT
d0d1cd4e935867d366c2e0e4b213c45919a6edbc4536eeb1637fa7eeda975a43
RemcosRAT
+ 11 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230613-mpyyeagc9t/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
127.0.0.1:1800
Unpacked files
SH256 hash:
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
MD5 hash:
21d7db20f8996de7de0a4e56c5bc7b98
SHA1 hash:
981f7c5d2c37a78ef1a6706563a4e8f26d8454b2
Link:
https://www.unpac.me/results/1b0ae035-cb06-470b-a69f-9b5ea862e912/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56386224d3f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2659037/
Cape
Cape
https://www.capesandbox.com/analysis/398240/

Comments


Avatar
zbet commented on 2023-06-13 10:38:27 UTC

url : hxxp://51.79.49.73/crc/c.exe