MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9
SHA3-384 hash:	806d81ad6af9897207d99887345edf13a3d1abc8266ee451505c45b89092c108007d540f990bc0f7da709bb99f9e32aa
SHA1 hash:	853c0f9dd4ef621170f7a8bc96a8e67aaaf0b30a
MD5 hash:	7ce48ca84dfdc400711520252fe8d076
humanhash:	green-network-washington-pasta
File name:	SEPA_2023-08-11 000538766211092.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	610'823 bytes
First seen:	2023-08-11 13:21:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep	12288:/YzT2TQSEjWleV1407o3r1UhdBjAi3eetxtHoaCqsyP24Sg9rdyyX/vjw:/Yz7Slm1i3GdBkE5tfnCpyq+dyyX/vjw
Threatray	2'435 similar samples on MalwareBazaar
TLSH	T143D4230012D889DFEEA765B6B67B92098FABD41329D4C74F0BA1051D7D71902D32E3EA
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SEPA_2023-08-11 000538766211092.exe

Verdict:

Malicious activity

Analysis date:

2023-08-11 13:22:06 UTC

Tags:

rat remcos remote

Link:

https://app.any.run/tasks/f02ebf77-d6a8-4373-be12-2e5a15ac513e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442140/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.30928.22399.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/102521/overview

Behaviour

MalwareBazaar

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e86ae878-5a4a-44ff-8695-7f06c823fdc0

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1290020

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9/

Threat name:

Win32.Trojan.Nemesis

Status:

Malicious

First seen:

2023-08-11 13:20:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=le6pgqvgnh6ldp7vss6yz2c7yejlygouf574wcjszgwfzx3q2dmq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a

RemcosRAT

3da90b636e39cd1f67e3542c60d813c6ff8152f7f740b3ef4ef086ef120836df

RemcosRAT

69cb61375bae8db7278ca4adee488faea6723d8052270908010541c4850e8dcb

RemcosRAT

882a895b320ba323dccd33d6d82e02b4506b7386a91c63c0c505345796352d67

RemcosRAT

979b67124f30f347688897010f34abf0467a67516ba011c9601cf06a14be0432

RemcosRAT

b41e4528449d3fa1730eca98df0dc9fd9e3683ccfaedf1d72ee2af2899f18db8

RemcosRAT

ce068c31fc36142145899195cf4dcb87d3dce15616bf9f60428f931d355c86d2

RemcosRAT

+ 2'425 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/230811-ql79fsdb33/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

64.112.85.218:4888

Unpacked files

SH256 hash:

04adf7cc43ba331ca5f202b718fefbc16cbcccdee11c1830087b8115ae429eb4

MD5 hash:

07d1ba5604b10a849c185fa855c923da

SHA1 hash:

4dfecf14ddb1f0896b47b168273f8a37396b5051

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/40e6e8d6-d1c0-46a1-9067-7700b90ee63c/

Parent samples :

356397e5a8cede8dc9420b6f76ed565748382705ed55888b0a85a48e94ec2bc4
37f3dc0db96f235594f3e2153e851add6103e86a79b81722a130c592d1981f0a
17927cf92cf25c048021f9517386f9a69936c8c03ac8afb18eac18e512e662a2
593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9
8167261af1cde7e03bd2ddf43ebde21bda4af66216d2c4ee9ca1c967e580f7a5

SH256 hash:

e754df289cc66e256c6b9e0f6e1ab979e6aa1d8c504fa66971063c9c51991acc

MD5 hash:

ad90cf327107b24d28f01cde88fb6248

SHA1 hash:

03b1affd9afd62bd4c0a328420e5c4340df6f5b9

Link:

https://www.unpac.me/results/40e6e8d6-d1c0-46a1-9067-7700b90ee63c/

SH256 hash:

593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9

MD5 hash:

7ce48ca84dfdc400711520252fe8d076

SHA1 hash:

853c0f9dd4ef621170f7a8bc96a8e67aaaf0b30a

Link:

https://www.unpac.me/results/40e6e8d6-d1c0-46a1-9067-7700b90ee63c/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/593cf342a669/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/593cf342a669fcb1bff594bd8ce85fc112bc19d42f7fcb0932c9ac5cdf70d0d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/442140/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample