MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140
SHA3-384 hash: 58735d455951accdddcf3998f3efe36d8a36af02fa0bd76c32a57eaf0928c245acf7ca3755b358c891c76a60ebd6b42e
SHA1 hash: a2928c294f5847329d1608f9217e6b3f1f92b0c8
MD5 hash: 401be041a25b31e02102600645800a94
humanhash: crazy-video-timing-comet
File name:NINCMPNGB - CMP - MAY.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:659'053 bytes
First seen:2022-05-16 09:53:38 UTC
Last seen:2022-05-16 10:35:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:IYvHDRyXENCAEyu4NRBOUcGIhQoGKtiH74sTT+SJwmb7DRMGL:IYvHDQXIUyuYOUcGIhtiH7xT+kb7F9
Threatray 12'536 similar samples on MalwareBazaar
TLSH T130E4D0485B41CCB0F8660A714816ACE0091B9DCDDDF8600DBE97F99B2AF299770BF617
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71dce86971b2d471 (1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
NINCMPNGB - CMP - MAY.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 09:55:43 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/01b4fcb0-b957-4990-873b-a1c9190473f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271006/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17968/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62821f53cc43366302cdaefa/reports/0fa4bd41-3a5f-4d3a-8b3a-d46ed5840932/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39965628-1f2b-4caa-8b45-86e02ed2a0fd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/994781
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 08:11:18 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzaa2kcyqptsezflne7bpu7zjozv35qwdcero2giswmtfnoz6faa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1fed413e1cf6bf9886f077ac4ebe4c86b566917bf3b0cd806805acbb89b27558
RemcosRAT
2241716c3ddff7b1f771a6e3c91b67ded01e9f78026ecc124863099dbe5ac405
RemcosRAT
576183a33f5247a852bc65a4dc4cbca5762bfbad1291a82572681f7075dc6123
RemcosRAT
625f25dedd3f7e114dc89cff907dfec350df5cbb4efa09942f2b5ed9950c1216
RemcosRAT
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
RemcosRAT
99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
RemcosRAT
f75fd5ce522743fe012bdf743efc66e481d72d92b6eb0465621a77a4600ff6b5
RemcosRAT
+ 12'526 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/220516-lw7nfsgda2/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
172.94.88.13:5888
Unpacked files
SH256 hash:
acfec10fed3ea8d4763d0f1198786c669ae29c6be33239a4f145654eaa80fd94
MD5 hash:
04fd5949e5c1d7c40a8cf251913da7c8
SHA1 hash:
2c1b36d1b9efdeffcbe3348970ba05633a6cc63e
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/3b26cbef-3258-4395-bbd3-fb9c52e80a5d/
Parent samples :
56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140
2e2e396b422b84fb59ce15ed7a1594a3368bec5ea05101b3e56e9018917921a0
9962d1ba80518ed91f22173b0c311ada76a8b0e893ff8cd826831c0d0a65ae0c
SH256 hash:
d6e40d4e0a55dc248b8230c476afb617efc284f2ba76d4dcf7c279ae1c01ba4d
MD5 hash:
37ce49dd13a98e83424d81cdb816d42d
SHA1 hash:
4f03fd6728f8faf00543e599d3b2fe5a8165fcff
Link:
https://www.unpac.me/results/3b26cbef-3258-4395-bbd3-fb9c52e80a5d/
SH256 hash:
56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140
MD5 hash:
401be041a25b31e02102600645800a94
SHA1 hash:
a2928c294f5847329d1608f9217e6b3f1f92b0c8
Link:
https://www.unpac.me/results/3b26cbef-3258-4395-bbd3-fb9c52e80a5d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56400d285883/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 56400d285883e72264ab693e17d3f94bb35df61618891768c8959932b5d9f140

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/271006/

Comments