MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 28 File information Comments

SHA256 hash:	5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8
SHA3-384 hash:	9c7e8fcd61d88cdce63c0643726493c0416474d6419c6ef30871c22b68d79adc08a8f2abd07364ebad842fcc20a24d00
SHA1 hash:	a701b039d90e8d97ae8110675d4c9ac839246e72
MD5 hash:	c221c1f82fe4351862f799c1eb4d8c12
humanhash:	don-undress-romeo-jersey
File name:	Bukti_Transfer..pdf.7z
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'042'522 bytes
First seen:	2025-02-28 04:29:46 UTC
Last seen:	Never
File type:	7z
MIME type:	application/x-rar
ssdeep	24576:iBzteGPEjRxUTQUDXIAMtiYQzhfd6iYSnBfrB/97dx4I4JGT0:iBYGPEn6lIAGiYA5d6tStBxdOJN
TLSH	T1082533100FCBAED29123D58966B63386A95D728093ECBDBA351459C674803DCE235FBF
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	MAM
Tags:	7z RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Bukti_Transfer..pdf.exe
File size:	1'227'776 bytes
SHA256 hash:	e9c8eec1859524e1d0bc49cf7156a0eb867af6d301b6c98ee82c425ab5d12bda
MD5 hash:	778efeb9815da110b944909f92be85a7
MIME type:	application/x-dosexec
Signature	RemcosRAT

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.28929.RarHeur.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67c13b2a2dfba428b46f070f

Tags:

underscore kryptik virus msil

Result

Verdict:

Malicious

File Type:

PE File

Link:

https://app.docguard.net/5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8/results/dashboard

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade obfuscated obfuscated obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/67c13be94a3011c802c3a1ad/reports/1fa983de-f679-43cb-8bbf-4646ed5098f6/overview

Verdict:

Malicious

Labled as:

HIDDENEXT/Worm.Generic

Link:

https://www.hybrid-analysis.com/sample/5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2025-02-28 05:52:57 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=loqn66uqcdndberhr3zkc3mmn7nhxndwndeplcudt5mznab7xw4a._file

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:feb 19 discovery execution rat

Link:

https://tria.ge/reports/250228-gea6psstew/

Behaviour

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Remcos

Remcos family

Malware Config

C2 Extraction:

austin99.duckdns.org:9373
103.186.117.61:9373
sales778.bounceme.net:9373

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4 Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z 5ba0df7a9010da3092278ef2a16d8c6fda7bb47668c8f58a839f5996803fbdb8

(this sample)

RemcosRAT

exe e9c8eec1859524e1d0bc49cf7156a0eb867af6d301b6c98ee82c425ab5d12bda

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 e9c8eec1859524e1d0bc49cf7156a0eb867af6d301b6c98ee82c425ab5d12bda

Dropping

MD5 778efeb9815da110b944909f92be85a7

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample