MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 582867f54f2961f3249d0ebb19effc6e9adb068b5055cbf3be38ac6150462f87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	582867f54f2961f3249d0ebb19effc6e9adb068b5055cbf3be38ac6150462f87
SHA3-384 hash:	426006a0376005bdf300c129b3f7f06ebe566cf3daeea45a1580f19d412f682b38c8493360e240e0fe8dbdd241c250a8
SHA1 hash:	3cc06283167ae5032373d65329eefa3ceeb10cea
MD5 hash:	599563fcb90a39d3d51f44fab45f39fa
humanhash:	black-item-washington-william
File name:	599563fcb90a39d3d51f44fab45f39fa.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	4'356'608 bytes
First seen:	2022-09-01 10:32:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	24b92ccf1e266e626a6cc7126f975fe5 (7 x RemcosRAT)
ssdeep	98304:BdG2jxBVwQ1J+SARMR0p7f/tPYgmT5oaScB10D:BdTjxnJ3wMOF/SJ5tB2
TLSH	T18416226213620006E4D2FCF99523BEE172F51E2A4F41A87569B679CA35324A3EF03D5F
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	06556d4d4d330f0e (2 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

599563fcb90a39d3d51f44fab45f39fa.exe

Verdict:

Malicious activity

Analysis date:

2022-09-01 10:36:13 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/167aba57-d567-4b60-8956-19b00ef45f8c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307209/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Setting a keyboard event handler

Creating a window

DNS request

Creating a file in the %temp% subdirectories

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63108ae0e87b88e71bead886/reports/84a508c1-791f-4673-9b5f-001e93eefa5e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/748e6617-c537-4f1e-9ed5-81126dbf24ff

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1062694

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/582867f54f2961f3249d0ebb19effc6e9adb068b5055cbf3be38ac6150462f87/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2022-09-01 07:52:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=laugp5kpffq7gje5b25rt374n2nnwbulkbk4x456hcwgcucgf6dq._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/220901-mlh3saccdl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Unpacked files

SH256 hash:

5a6e28deb916fd871fa7a47cad90d7236e9355e54d9156e2e61240e8b76e4897

MD5 hash:

c9db1b5649593cdaedbcf8805d10a148

SHA1 hash:

9821d91c2d19807b9d1bb5e4bddba2efbd593d14

Link:

https://www.unpac.me/results/bb7e9ff1-c2b7-4406-818e-f2bf4225478f/

SH256 hash:

582867f54f2961f3249d0ebb19effc6e9adb068b5055cbf3be38ac6150462f87

MD5 hash:

599563fcb90a39d3d51f44fab45f39fa

SHA1 hash:

3cc06283167ae5032373d65329eefa3ceeb10cea

Link:

https://www.unpac.me/results/bb7e9ff1-c2b7-4406-818e-f2bf4225478f/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/582867f54f29/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/582867f54f2961f3249d0ebb19effc6e9adb068b5055cbf3be38ac6150462f87

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 582867f54f2961f3249d0ebb19effc6e9adb068b5055cbf3be38ac6150462f87

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2276802/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/307209/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample