MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05
SHA3-384 hash:	5050b68072d9463f7c6406a0db581d8e24e3c9daa3fa1aa8b39e3b4d6b801d21b5573d7d72d98a39e309fe7dc60f5dba
SHA1 hash:	a2f2299c0a36a654def4aa1f4d9a129c378cd3fe
MD5 hash:	f143d5d6ba24c430f0103c91ceb294dd
humanhash:	bakerloo-golf-yankee-uranus
File name:	IRD-N.º 8800.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'033'664 bytes
First seen:	2023-02-11 09:40:43 UTC
Last seen:	2023-02-11 11:54:07 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:YjyF7b9VCruYAkF/sHd/wuC7zMGavgVOWp9OPTfCzd:8UBwrE9/xxGm2
Threatray	1'108 similar samples on MalwareBazaar
TLSH	T1009538243DFB501AB173EFAA8BE4B4EADA6FB7733B06645D109103864623941DEC153E
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

IRD-N.º 8800.exe

Verdict:

Malicious activity

Analysis date:

2023-02-11 09:46:48 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/43935035-6c04-4c99-a45a-83ad3ba1dd85

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/363903/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65446031.23775.25529.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Сreating synchronization primitives

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/63e762b0d641da4e64d76b7e/reports/82ed963f-8b50-4a17-bba8-e158da0a7420/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b7d7213a-6b23-489f-b44c-028587bd10c7

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1171948

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05/

Threat name:

Win64.Trojan.Pwsx

Status:

Malicious

First seen:

2023-02-10 22:11:14 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mu2ieojcygejar7c5xakvmkeqj2y27n52kljifadvz3fpszerycq._file

Verdict:

malicious

RemcosRAT

577a6f8ac673a1b176fd32c9b8fe01178fee10a2602e3ccbc02b3fdebfa9bf0b

RemcosRAT

67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea

RemcosRAT

91ac5e95c271f56efcf7f8c2f1ce27579242a2cdca317fd11bf7ff380c9750ed

RemcosRAT

a808b2dec6bb188edaa16a54f10660276056567b3b5f83264ec98aeca4f2fd3b

RemcosRAT

b0500e38803ac3ca6b3fde965b1c03bfcae5cbe3a4a01a199d161e1371ced34d

RemcosRAT

bba28ca66b05cb8733dd5fe3deaac9f618ddeb2218e349a900501399a70d50a0

RemcosRAT

bcba671f1e3e1f7ab80f59d5c1cb280bfec3ca519b37820af0bb720fb5d7a8b9

RemcosRAT

fe14ae75b872e1b4419de4aac769c767a5d23479d2bd6c957be5648ad802a246

RemcosRAT

+ 1'098 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230211-lnrx2add91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Remcos

Malware Config

C2 Extraction:

161.129.44.36:5888

Unpacked files

SH256 hash:

6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05

MD5 hash:

f143d5d6ba24c430f0103c91ceb294dd

SHA1 hash:

a2f2299c0a36a654def4aa1f4d9a129c378cd3fe

Link:

https://www.unpac.me/results/c9f49c07-caad-475b-b38f-194987d2cf18/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6534823922c1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 6534823922c1889047e2edc0aab14482758d7dbdd296941403ae7657cb248e05

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/363903/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample