MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730
SHA3-384 hash: 6d40f63957c65cf0124d3aba82b49a3ab9a20eb5fabb0c544617618d0e0098ea312a28bff1b4f04514b7a962358ba977
SHA1 hash: 391198ab016d895f5d52131a7ed127a138ae1236
MD5 hash: 22b8897b1b2132954c79b0061d4e3992
humanhash: sodium-steak-nevada-asparagus
File name:Payment Advice.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:880'640 bytes
First seen:2022-10-04 08:50:18 UTC
Last seen:2022-10-04 10:27:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:p2vvWHoEc6d1TtnkgM82NIj5RQ/idIvF0JP/xvX8OTBcNh6Os:pcvWHoEc6d1pnkRx2qEId2/xvMZ4Os
Threatray 154 similar samples on MalwareBazaar
TLSH T11A15BE2036A66245CC660F704935C2DA43753D367E38C25E34AEB48EFF73A664732B66
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon a9c0ccc4d4c4d4e4 (1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316384/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62483275.21797.8438.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
packed remcos
Link:
https://www.filescan.io/uploads/633bf3f70d3d21420cca5e13/reports/250221ac-8c0d-4927-bdf0-ae79d42f878b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e4d276d9-c74b-49f9-84d7-1ce8fb321340
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1083064
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-10-02 23:32:40 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
25
AV detection:
15 of 41 (36.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l73dbozsja5255na2sl2ly3374cijtnv2mjgvskzveyqodhgc4ya._file
Verdict:
malicious
Similar samples:
0090513973ddeb882d5e3ebfe181a43aca5aae4adc2adc9cbff9e512f1b90c6e
RemcosRAT
341b6ff76b63e3e74b8fd97b301462f9a6544405946271b7766c4ff4c8c28150
RemcosRAT
384b9f64f79052db685e1c7cdbf450b861d00b0ed42808ec9b688a604b53c5d2
RemcosRAT
5c50b7e005524ede0a2c636b92a0933bc631c783bb8201e98dbdc52c390cd566
RemcosRAT
7d7157dafa1904a0d5331931d078f7058a11316863715581fa3db547198029e3
RemcosRAT
9ba3f37b67b92faad989b9f328b13c5ad6e712678bc2e7e3f3284b82685c0eac
RemcosRAT
a6a120ad08da9e3fbbcb491477914dae9901653122984bf29475d7b344b20e0d
RemcosRAT
c3b9b17acd966a36e27681a32021b35e022cc0df29ee937c61dc766e87f9ecd0
RemcosRAT
d127a960084b0950a8ceb5ea4d1ada28102a8a6934ed63838bde4c199e2baf31
RemcosRAT
+ 144 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221004-kr54dsada5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b452482-89ac-4a84-b1ef-52513e426bba
Unpacked files
SH256 hash:
5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730
MD5 hash:
22b8897b1b2132954c79b0061d4e3992
SHA1 hash:
391198ab016d895f5d52131a7ed127a138ae1236
Link:
https://www.unpac.me/results/8c2c935f-9141-4d7a-87a6-667ff42a0bcd/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ff630bb3248/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/316384/

Comments