MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
SHA3-384 hash: 4fa13e83f5344b9fcfea6d1da14512b383636aff44ee2bd5386d602140f639d017664207ce8537dc1660579768abf31d
SHA1 hash: dbd645922e01c40d48e20a153984b3d79f23c823
MD5 hash: fc99e0883a1fa153693547953a83674e
humanhash: december-jupiter-diet-video
File name:SecuriteInfo.com.Win32.RATX-gen.1825.29829
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:15'644'672 bytes
First seen:2023-12-22 13:14:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 393216:O4qkspD9+x8Gk7ro43BWwU0VEqHLHvQeCU3yU3NU3CU3OU3AU3pU3:Obks1Z9BBJHjvQeCU3yU3NU3CU3OU3AB
Threatray 3'263 similar samples on MalwareBazaar
TLSH T185F6DF8F57C43E6FD8987F301022693D079BAEB46D64A209F839B42F37F258611B6395
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f133b2cce8e0d4f0 (1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
386
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.1825.29829
Verdict:
Malicious activity
Analysis date:
2023-12-22 13:18:06 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/53225ab0-f0b1-4eb9-b6a8-f5833105647d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.1825.29829.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly
Link:
https://www.filescan.io/uploads/65858bd9eabaed0701724f53/reports/6e73a1ee-39ea-422f-85b4-10c9befd86b1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
Result
Verdict:
MALICIOUS
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e512811-a103-415a-81f1-829144587629
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365491
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1365491 Sample: wsuscr.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 14 Multi AV Scanner detection for domain / URL 2->14 16 Found malware configuration 2->16 18 Malicious sample detected (through community Yara rule) 2->18 20 6 other signatures 2->20 7 wsuscr.exe 1 2->7         started        process3 signatures4 22 Injects a PE file into a foreign processes 7->22 10 wsuscr.exe 7->10         started        process5 process6 12 WerFault.exe 22 16 10->12         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d/
Threat name:
Win32.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 10:21:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
81
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mym3oetiibjjbens3ix2dnzdrvvrbpaxxp6igj5k2nudvzugxaoq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1f46d078bfe514f7aeebf7ac92bd226d10335d74702a81059b9d24f5849437e4
RemcosRAT
75e017e742b2506cdda2a132759075c7b187ca941df606b34116d0452ef04fd0
RemcosRAT
9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
RemcosRAT
a7aca87179f51e229aa9a2f13bb8ab76750c8092579cc7b4d0cbc40235cdde27
RemcosRAT
b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27
RemcosRAT
b89f11149cf87734d5e56b24e4b6a604ba3c10a4bcb5ca6567a9f6c595c6a4ab
RemcosRAT
c5898ac379acfcd23bedfceff198bf5e738921bf61b299ca47bdd8c223199515
RemcosRAT
e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc
RemcosRAT
ff0a84220d028052a841312cd81baa525d19f7e4b0ce94dbbaf6634a776d3814
RemcosRAT
+ 3'253 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:wsus persistence rat
Link:
https://tria.ge/reports/231222-qg8dnafbfn/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Unpacked files
SH256 hash:
a18876e286ea71d6d0098f6daa61a456fe1a2c176ab025668bbe5d64feafb829
MD5 hash:
490a5462fc6e4f477811ee08a00c7c85
SHA1 hash:
a02439d3f08460ad7cc3c3d91f35c501a7091c58
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/3bf143e0-885e-4c54-91c7-680136cbbc6f/
SH256 hash:
6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
MD5 hash:
fc99e0883a1fa153693547953a83674e
SHA1 hash:
dbd645922e01c40d48e20a153984b3d79f23c823
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/3bf143e0-885e-4c54-91c7-680136cbbc6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2743493/
  
Delivery method
Distributed via web download

Comments