MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7
SHA3-384 hash: a28caa4dca0d6bd1b33a7b0f096d601247f65af3728f21b3439bb447e1952ad4825b47de02832525161f9b07b88cd3f0
SHA1 hash: f96e8c5ca7c3369aea4e9286cc60c96455c0ef81
MD5 hash: a8866d1129bde5e76d54062999935308
humanhash: mexico-snake-illinois-victor
File name:MEMQ098789009000.cmd
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:443'541 bytes
First seen:2023-12-12 11:21:27 UTC
Last seen:2023-12-12 13:24:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:P8LxBsMBAsL9XYtikPb8G1XE2cr9oLN/JM+QlFM2y5FI6uRh41vhgyXKZK4gmn:BIzL9cjp0gNfNI63vhgyTmn
TLSH T17E94235972538C73D2125CB0A9B2E3BAE7BDDA59F2203B5F4B90AE6F31315058A0D274
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:cmd exe QUOTATION RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/466370/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.16137.27345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting a keyboard event handler
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a recently created process
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/657842603f60a81034900821/reports/ba0161bf-c7ae-4110-b9fa-14acbabca377/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca62e085-0ae6-4365-b216-3fc26004740b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360043
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1360043 Sample: MEMQ098789009000.cmd.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 55 geoplugin.net 2->55 63 Snort IDS alert for network traffic 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 7 other signatures 2->69 9 dmirb.exe 2->9         started        12 MEMQ098789009000.cmd.exe 17 2->12         started        15 dmirb.exe 2->15         started        signatures3 process4 file5 81 Antivirus detection for dropped file 9->81 83 Contains functionality to bypass UAC (CMSTPLUA) 9->83 85 Tries to steal Mail credentials (via file registry) 9->85 89 9 other signatures 9->89 17 dmirb.exe 3 15 9->17         started        22 dmirb.exe 9->22         started        49 C:\Users\user\AppData\Local\Temp\rriyu.exe, PE32 12->49 dropped 24 rriyu.exe 1 2 12->24         started        87 Maps a DLL or memory area into another process 15->87 26 dmirb.exe 15->26         started        28 dmirb.exe 15->28         started        30 dmirb.exe 15->30         started        signatures6 process7 dnsIp8 51 107.175.229.139, 49713, 49714, 8087 AS-COLOCROSSINGUS United States 17->51 53 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 17->53 45 C:\ProgramData\remcos\logs.dat, data 17->45 dropped 71 Maps a DLL or memory area into another process 17->71 73 Installs a global keyboard hook 17->73 32 dmirb.exe 1 17->32         started        35 dmirb.exe 1 17->35         started        37 dmirb.exe 2 17->37         started        41 2 other processes 17->41 47 C:\Users\user\AppData\Roaming\...\dmirb.exe, PE32 24->47 dropped 75 Antivirus detection for dropped file 24->75 77 Machine Learning detection for dropped file 24->77 79 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 24->79 39 rriyu.exe 24->39         started        file9 signatures10 process11 signatures12 57 Tries to steal Instant Messenger accounts or passwords 32->57 59 Tries to harvest and steal browser information (history, passwords, etc) 32->59 61 Tries to steal Mail credentials (via file / registry access) 35->61 43 WerFault.exe 22 18 39->43         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 01:54:14 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3jl4lbvrgeke6qjomttxagit47azoaiwzkkfie3sg6pli4mi3dq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection persistence rat spyware stealer upx
Link:
https://tria.ge/reports/231212-ngjzyscafm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Unpacked files
SH256 hash:
5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7
MD5 hash:
a8866d1129bde5e76d54062999935308
SHA1 hash:
f96e8c5ca7c3369aea4e9286cc60c96455c0ef81
Link:
https://www.unpac.me/results/485c75b5-a818-486d-b49f-447fde448da0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ed2be2c3589/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8

RemcosRAT

Executable exe 5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b8c66af97b06b4660cd8000811f9333bda7bb032f57767c0417819820b3ebdf8
Cape
Cape
https://www.capesandbox.com/analysis/466370/
  
Dropped by
MD5 5c6c02f3080118030dd73ceb30b9e249

Comments