MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 20 File information Comments

SHA256 hash:	5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3
SHA3-384 hash:	886505ce6b1f570f4cad75b83d5f7c668e7322971389add64082ae25e23d93fe447b36071c3637c31a943a602eb73fc5
SHA1 hash:	3f40142ffa5a2093a864446af3b80e0fb03f3bfd
MD5 hash:	e3f85d3db1a13a521b6dd6477298f9c5
humanhash:	oregon-snake-earth-oscar
File name:	5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	494'592 bytes
First seen:	2024-10-10 12:07:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8d5087ff5de35c3fbb9f212b47d63cad (170 x RemcosRAT)
ssdeep	6144:QXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZoAX0cNc5Gv:QX7tPMK8ctGe4Dzl4h2QnuPs/Zo5cv
Threatray	4'485 similar samples on MalwareBazaar
TLSH	T184B49E01BAD1C072D57524300D36F776EAB8BD2028364A7B73D61D5BFE31190B62AAB7
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

408

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3

Verdict:

Malicious activity

Analysis date:

2024-10-10 12:10:02 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/eece7657-7145-4fb4-ad11-393eb4b3477d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Remcos-9841897-0

Win.Trojan.Remcos-10002580-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6707c3a6f936b5621b0c4278

Tags:

Ransomware Downloader Dropper Remcos

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto epmicrosoft_visual_cc evasive exploit explorer fingerprint fingerprint keylogger lolbin microsoft_visual_cc remcos shell32

Link:

https://www.filescan.io/uploads/6707c3a4a617144147821cf8/reports/d2983a41-1b01-4530-9308-5aca36a45ebc/overview

Verdict:

Malicious

Labled as:

Remcos.Generic

Link:

https://www.hybrid-analysis.com/sample/5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/484c6f20-4983-4a26-86d6-ce1a1cf34a2f

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1530766

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates autostart registry keys with suspicious names

Delayed program exit found

Drops executable to a common third party application directory

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2024-10-10 12:08:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 38 (89.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l5kpdpwjxiulqs4si6ft3ndcgxah7j5u7migceo5ndsk7ffpz2rq._file

Verdict:

malicious

Label(s):

remcos

nirsoft

admintool_mailpassview

RemcosRAT

3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587

RemcosRAT

472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

RemcosRAT

909b4092841b4056937777a197673e86be281f43db661ee636ccd73744015768

RemcosRAT

ab4c9b244a1604655032a8f69acc4273265fa35337906e05a1dc2b274b3b13a6

RemcosRAT

d3ae0198e42c1f207bd4ba866ad9f634cddb1b3f15757db7b417a74bfc20116e

RemcosRAT

error

RemcosRAT

+ 4'475 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost discovery persistence rat

Link:

https://tria.ge/reports/241010-pav93s1ckr/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

104.250.180.178:7902

Verdict:

Malicious

Tags:

rat remcos

YARA:

malware_windows_remcos_rat REMCOS_RAT_variants Remcos_Payload win_remcos_rat_unpacked Windows_Trojan_Remcos_b296e965 MAL_EXE_Remcos_RAT_Jul_22 Remcos

Link:

https://app.threat.zone/submission/4e105ab2-021e-43d3-8c24-869c5fa06bf3

Unpacked files

SH256 hash:

5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3

MD5 hash:

e3f85d3db1a13a521b6dd6477298f9c5

SHA1 hash:

3f40142ffa5a2093a864446af3b80e0fb03f3bfd

Detections:

Remcos

win_remcos_auto

win_remcos_w0

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

win_remcos_rat_unpacked

Link:

https://www.unpac.me/results/103beb72-8fb0-4164-b86d-efd188e7ace7/

Parent samples :

aa5728008a7a4b1173fc74eb5e41666688baddefbb2d5214d46cd6815646b5f3
9b9ba6e3df79c2acd5ecdb46d3fb5f4828bcad17b899841fda48bef82f7ab1a1
70ee8c0d07ceccded841b84da618617ffade6266373de9470d14c27a67042ea6
524c637935103ad405e691fd652910fd2d7aab643348818a30b86ee24f3e70b0
561070b0ac5bfae16de4f01cbfc6fbf6b40d3afd5413de4c2abf8c844e7e9fe4
1b754a8b7d0c1d3be17f751d327b38961c3d6ea3b8769c9c8edb1f318dfd0787
6b21cf5ebc20615576167925b27adad49dd095dbca80a7a47101fa824295057c
d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca
79b1315cab839553008486cf182981ce0a36c1755a83e37f7b107cdb7266f0cb
5e3a1a463e8db9ecffcce81fcd53169562dc8dc0e8974e09376639aaef0e61ae
9c1dd67562324157ceab4d8e050c84150afc6ddff6aec72206ab437c31aac7bb
d99f687b6e744e9d9bdff2e59c273c85deff48dbaa52bf2d64009fd5ec4907ab
ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255
2c5f8cf6008b32d8845093b44852f6fbd1c2be8ec1ae5fa4e01e8d81d7e42929
5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3
7a9e36961ab5b2ab759ec2196d40618b1f43c5a04c40c01b31cfb4ea1adfc347
c51201337af75df4850b5392117e54eedfa2f1ac133e891947ece8102cdda0d0
b2a1e0e508be9c7546a8af45c72f2032f067ac036f03ec0c8309b368b195a65c
0ffd61040c88e3beb1cd998b777cbbe118f52daa4eb2759cd9329de5d7f2adc4
769cba836f991b58e8f70ebecb20c4e34fc5e1d1fc7c031b8fc704f43676d83a
21b895bddca92e3443bf32f96d3c2c740be863944ed1c78a41a7caf36ea8f2a7

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f54f1bec9ba28b84b92478b3db46235c07fa7b4fb106111dd68e4af94afcea3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Remcos_unpacked_PulseIntel Create hunting rule
Author:	PulseIntel
Description:	Remcos Payload

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipAlloc
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringA WINMM.dll::mciSendStringW WINMM.dll::PlaySoundW WINMM.dll::waveInAddBuffer WINMM.dll::waveInClose WINMM.dll::waveInOpen
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExA SHELL32.dll::ShellExecuteW
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::URLDownloadToFileW urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::FindFirstVolumeW KERNEL32.dll::FindNextVolumeW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleOutputCP KERNEL32.dll::SetConsoleTextAttribute KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::DeleteFileA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueA KERNEL32.dll::QueryDosDeviceW
WIN_CRYPT_API	Uses Windows Crypt API	ADVAPI32.dll::CryptAcquireContextA ADVAPI32.dll::CryptGenRandom
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegCreateKeyW ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::ControlService ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenSCManagerA ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample