MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59397ecc5298cc33e5a6e4a92c0a1f08a5917b31efa2a7aa4edfee4b37d74df3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59397ecc5298cc33e5a6e4a92c0a1f08a5917b31efa2a7aa4edfee4b37d74df3
SHA3-384 hash: 5f1b7d07258badd98a07daca2c25bcc039cb01f3e656923762f71ce6ab89723b84b4b7c37ed9bc769f9a4372bbe549ae
SHA1 hash: 91efb8a98bdf06f454ab11846b403e199cdc4d2a
MD5 hash: 8e9084c661a2e4ab2d549b64751d6339
humanhash: uniform-enemy-emma-jig
File name:8e9084c661a2e4ab2d549b64751d6339.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'308'992 bytes
First seen:2022-08-31 07:51:04 UTC
Last seen:2022-08-31 08:45:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24b92ccf1e266e626a6cc7126f975fe5 (7 x RemcosRAT)
ssdeep 98304:f/RQRS3kWS54G/k5VG6UiSxrPp/FF3ZhiQJ++bnmcG:fJp0f4Gc5VGDxxrlzziQHTmcG
TLSH T1761622675A691189D0E9CD394537FEF470F707EBCB42BBB855BA5CC222425A2E203E43
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/306735/
Detection(s):
SecuriteInfo.com.Trojan.Heur.TP.@J0@bOtTdsii.9717.13087.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Setting a keyboard event handler
Creating a window
DNS request
Creating a file in the %temp% subdirectories
Creating a file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed remcos wacatac
Link:
https://www.filescan.io/uploads/630f14f4116a699e028e2458/reports/935e2683-69b1-4265-a9d5-2b12b9d12942/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
PrivateLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1061391
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59397ecc5298cc33e5a6e4a92c0a1f08a5917b31efa2a7aa4edfee4b37d74df3/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-08-31 06:56:53 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=le4x5tcstdgdhzng4susycq7bcszc6zr56rkpkso37xewn6xjxzq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/220831-jpwlhabbcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Unpacked files
SH256 hash:
9aed6a883b08cd0afd7e473d5bff20c0cd454c8483db7830eb731e22ac41a277
MD5 hash:
7017503be107e667225d106c6852212e
SHA1 hash:
d85104fe9966d1aed319007398ace428380c83e4
Link:
https://www.unpac.me/results/bafed946-bf8a-4fac-8ebd-49f968d22278/
SH256 hash:
59397ecc5298cc33e5a6e4a92c0a1f08a5917b31efa2a7aa4edfee4b37d74df3
MD5 hash:
8e9084c661a2e4ab2d549b64751d6339
SHA1 hash:
91efb8a98bdf06f454ab11846b403e199cdc4d2a
Link:
https://www.unpac.me/results/bafed946-bf8a-4fac-8ebd-49f968d22278/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/59397ecc5298/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 59397ecc5298cc33e5a6e4a92c0a1f08a5917b31efa2a7aa4edfee4b37d74df3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2276802/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2276782/
Cape
Cape
https://www.capesandbox.com/analysis/306735/

Comments