MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060
SHA3-384 hash: 97929846905a9ee5e783fa6c74e4eefd38603521ecef27cea5a798e4f8e0bfb3498a9ef1980ee58b1ce6f31b02abc279
SHA1 hash: 67b3f0e86292f060069c22aa852a92dbe8565d77
MD5 hash: 60a6d909bfe2740f27bc0514f3e7a7f5
humanhash: fourteen-september-grey-bluebird
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:20'480 bytes
First seen:2023-06-13 14:18:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fe787b1eadbfae5dbcf4f056242a0594 (1 x RemcosRAT)
ssdeep 96:/lxYire+jvcGDf1MrLMXx2K/0cuj6KjI2:/Th1KcFeI
Threatray 2'028 similar samples on MalwareBazaar
TLSH T170921E33F658A471F1494BB30D73CBA90927BC608A25CD1B7E497F2E0E34291A8E475B
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
11.6% (.ICL) Windows Icons Library (generic) (2059/9)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:19:19 UTC
Tags:
opendir rat remcos keylogger loader
Link:
https://app.any.run/tasks/a37beb50-024a-484f-b755-56aedcdb6318

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398414/
Detection(s):
SecuriteInfo.com.Variant.Doina.59565.6172.17585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching a service
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Сreating synchronization primitives
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
remcos
Link:
https://www.filescan.io/uploads/64887adc9f45f940f553d10d/reports/471adb2a-5398-4276-9756-658a42b90249/overview
Verdict:
Malicious
Labled as:
Doina.Generic
Link:
https://www.hybrid-analysis.com/sample/67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c28d740-6c41-4fb1-9ac5-b88b467d6209
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253677
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 886697 Sample: file.exe Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 9 other signatures 2->43 7 file.exe 15 2->7         started        process3 dnsIp4 31 51.79.49.73, 49724, 80 OVHFR Canada 7->31 25 C:\Users\user\AppData\Local\...\Remc[1].exe, PE32 7->25 dropped 27 C:\Users\Public\Remc.exe, PE32 7->27 dropped 45 Drops PE files to the user root directory 7->45 47 Adds a directory exclusion to Windows Defender 7->47 12 Remc.exe 6 119 7->12         started        17 cmd.exe 1 7->17         started        file5 signatures6 process7 dnsIp8 33 nov231122.con-ip.com 181.142.211.88, 49725, 49727, 49728 EPMTelecomunicacionesSAESPCO Colombia 12->33 35 geoplugin.net 178.237.33.50, 49726, 80 ATOM86-ASATOM86NL Netherlands 12->35 29 C:\ProgramData\remcos\logs.dat, data 12->29 dropped 49 Antivirus detection for dropped file 12->49 51 Multi AV Scanner detection for dropped file 12->51 53 Machine Learning detection for dropped file 12->53 55 Installs a global keyboard hook 12->55 19 wscript.exe 12->19         started        57 Adds a directory exclusion to Windows Defender 17->57 21 powershell.exe 21 17->21         started        23 conhost.exe 17->23         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060/
Threat name:
Win32.Trojan.Doina
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 13:40:16 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7d4l3adxezu2gqtf4vq7v65zgkrltg3enzkuoywiy7kgtij6bqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
18cd3063dcc655b5b9bffc3692d2e2fbc7199ee08e9c6ab01a1d7a6d6b9cc10e
RemcosRAT
55b379ec8cd752f104605bdbd88048c1c3b49c328b393ba496494a118ef5ae16
RemcosRAT
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
RemcosRAT
6e3cf5c7cccc4369fbed86c4de5bb59d7bb40c1ced10cab8b0bc733299d45ea1
RemcosRAT
8c80ec1c91dcd77ea0be5d0e53e289a6bc0ed764a12f9262ba979f579bb25591
RemcosRAT
8e861cbf43bd4068930cb5ef3821cab163fad49d42b77c66b70fff8fa038db48
RemcosRAT
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
RemcosRAT
aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219
RemcosRAT
c1ccc7e57074fb432d2de187fca944ac480e5b2ad68ad7cc52388e3381990396
RemcosRAT
e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc
RemcosRAT
+ 2'018 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ares rat
Link:
https://tria.ge/reports/230613-rmvkesge85/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Remcos
Malware Config
C2 Extraction:
nov231122.con-ip.com:7476
Unpacked files
SH256 hash:
67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060
MD5 hash:
60a6d909bfe2740f27bc0514f3e7a7f5
SHA1 hash:
67b3f0e86292f060069c22aa852a92dbe8565d77
Link:
https://www.unpac.me/results/00284bd2-bfa1-496d-9927-d1a12cf97901/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67c7c5ec03b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 67c7c5ec03b9334d1a132f2b0fd7ddc99515ccdb2372aa3b16463ea34d09f060

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398414/

Comments