MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836
SHA3-384 hash:	b8d166664235b21345e422159d4f855ed6bd1025801fca611d9d7397a4f52791153119b3a1ffa3ed60b7f09de7bf18da
SHA1 hash:	477132b8aad8f604df9473fea6ad52f6895a902a
MD5 hash:	0962d8ae059cab58285170179d5376e5
humanhash:	michigan-gee-stream-delaware
File name:	SecuriteInfo.com.Win64.PWSX-gen.9461.30102
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	531'968 bytes
First seen:	2022-10-05 09:00:33 UTC
Last seen:	2022-10-05 13:15:54 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:j0LM/NmuKTbRQJTJ/BYIP28ZJi+FaKzukzAdL00d6Cc8Q:jcMMuKTbRk1yQrAkzW6Cc8
Threatray	14 similar samples on MalwareBazaar
TLSH	T1F2B4ACF6AA392208FD1B34355A0B0F623D1C4EE541457513BAFDA63A83C3A4D35CAA77
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

3

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316771/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.9461.30102.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Searching for the window

Creating a file

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/633d47d20d3d21420cca9337/reports/125bc2cc-5c17-41a9-9708-de5aafb0878c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/121d633e-b32d-4622-9bc7-22c18c33a466

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1083959

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-05 06:09:39 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

5

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lfl7el22twzs4mxhdlaha4ywjcq4gmc52redg5nkvamsvhfcba3a._file

Verdict:

unknown

Similar samples:

341b6ff76b63e3e74b8fd97b301462f9a6544405946271b7766c4ff4c8c28150

384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2

5fc5899a46fe351361fc6245bfec6143e1f0daa8c2abf6a247af39e5a3c53353

7d7157dafa1904a0d5331931d078f7058a11316863715581fa3db547198029e3

8f47a0124c06f3bcc483fe0c29136e822be2b9853fc4c81c3f525dc041168d3f

9ba3f37b67b92faad989b9f328b13c5ad6e712678bc2e7e3f3284b82685c0eac

a6a120ad08da9e3fbbcb491477914dae9901653122984bf29475d7b344b20e0d

c3b9b17acd966a36e27681a32021b35e022cc0df29ee937c61dc766e87f9ecd0

ce6a420547785fbbec9f1b5d5e586737bba24219ecd8e689621b7c214691129d

f762563c3e7a28714cbec35efae8524d5b2a9889274f73dd963f9a9f1934aaa6

+ 4 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/221005-kywtasdgg5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

172.111.234.110:5888

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4a1afa64-e234-4a74-9249-c1efae16cede

Unpacked files

SH256 hash:

5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836

MD5 hash:

0962d8ae059cab58285170179d5376e5

SHA1 hash:

477132b8aad8f604df9473fea6ad52f6895a902a

Link:

https://www.unpac.me/results/17916558-96d7-45d5-852d-edc8f436b256/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5957f22f5a9d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/316771/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample