MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206
SHA3-384 hash: 6fd67096cc5cecbc7035bb14e679cf7e6c688a867c94fe931ba93164ae07fbcb6843cc6c51953dc9c7b2f5b909af0671
SHA1 hash: 97ae278f1acb46346055954bb15e8fe6c5116f5b
MD5 hash: e869d47743bee3fae32d358ee5e285d4
humanhash: fruit-white-ink-missouri
File name:PO530.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'156'608 bytes
First seen:2023-07-27 06:38:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:kx+NHIcTrGCSF12y/f0Ca8tk4deeFl1RYEuXofVRHlJEot:UGHIkrzSay/MNQewRCYfLFJ
Threatray 2'339 similar samples on MalwareBazaar
TLSH T1FA35012176AAAF57C2BA97F85020623413FEAEDD3035E3286DC270DE1571F848A25F57
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PO530.exe
Verdict:
Malicious activity
Analysis date:
2023-07-27 06:40:00 UTC
Tags:
rat remcos remote keylogger
Link:
https://app.any.run/tasks/946e9832-847b-4a40-a5d0-b3baae8313da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434645/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68349731.30601.13238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2991211-910b-424d-ace6-1d9d2a114992
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280859
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280859 Sample: PO530.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 8 other signatures 2->56 7 PO530.exe 7 2->7         started        11 BDIZlGO.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\BDIZlGO.exe, PE32 7->36 dropped 38 C:\Users\user\...\BDIZlGO.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp61C9.tmp, XML 7->40 dropped 42 C:\Users\user\AppData\Local\...\PO530.exe.log, ASCII 7->42 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 7->58 60 Adds a directory exclusion to Windows Defender 7->60 62 Injects a PE file into a foreign processes 7->62 13 PO530.exe 3 15 7->13         started        18 powershell.exe 19 7->18         started        20 schtasks.exe 1 7->20         started        22 PO530.exe 7->22         started        64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 24 schtasks.exe 1 11->24         started        26 BDIZlGO.exe 11->26         started        28 BDIZlGO.exe 11->28         started        signatures5 process6 dnsIp7 46 obclondon.ddns.net 2.59.255.209, 4072, 49706 CMCSUS Germany 13->46 48 geoplugin.net 178.237.33.50, 49707, 80 ATOM86-ASATOM86NL Netherlands 13->48 44 C:\ProgramData\remcos\logs.dat, data 13->44 dropped 68 Installs a global keyboard hook 13->68 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 24->34         started        file8 signatures9 process10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 14:00:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqlsit5qdwfgnphdtygcxizcspemsvo6pl7lbwy7wdnhqfadsida._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
21a3feee6f44d5a03971e5aced1f93b6bc28950d2729f411a477fdec605ec156
RemcosRAT
663142f32de0caac83cb6418b0982e82a1973eb3eaa916a24f88ddb9ae12edc1
RemcosRAT
882bbeb5c5706da87e906a768a4335ab9adf734ac4348e4cee02c35339b2afac
RemcosRAT
8c5c20763f5514325caf9fd4aa11531658fbf52200ba359f4aa3d4c7284c464d
RemcosRAT
95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06
RemcosRAT
9cfa472702dbedc0f87b0e594d3c8ace16e1c9952d8d7e44be8aa9114b214c45
RemcosRAT
9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
RemcosRAT
ba2ca0c5ba29b90d2ce55292293642c9f6b3b931381db8221d529452d04a5189
RemcosRAT
df72be5f9ed3c15149f37c8fdb80683554f439257317837b0b6bb96dc4cac387
RemcosRAT
fe1140b9f51be2ad605b26a161f79839994aad33089412401912811eb6d569e0
RemcosRAT
+ 2'329 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230727-hd4bjaab46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
obclondon.ddns.net:4072
obclondon.duckdns.org:4072
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/30b36d6a-3ec5-42bc-ac68-634e6b740293/
SH256 hash:
1b04aaa09f38dc503111495f6f36c4cf20cac30f9c6b22fe113e30c93286df35
MD5 hash:
7d8378214593e17f9032b0e33833ea13
SHA1 hash:
a40b0efe4c47072826307de3a1c450381fdb4c98
Link:
https://www.unpac.me/results/30b36d6a-3ec5-42bc-ac68-634e6b740293/
SH256 hash:
aa387b11bec2d490956514c893600cd7a2ddfca0bc64821fc727747b62517023
MD5 hash:
3e402453631bf2f4d5870cdcac9d7f9f
SHA1 hash:
78b8f2547360aab85d48b6d884987a7f126df340
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/30b36d6a-3ec5-42bc-ac68-634e6b740293/
Parent samples :
6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206
c06b82a4003da0da508dbad0b63fad050682b8490aefa104f4f9f016abb60fb6
ec901217558e77f2f449031a6a1190b1e99b30fa1bb8d8dabc3a99bc69833784
ca9c5b008a075bbdb57a89b0aef111458f5f9c8ee21f279a06abc481d35ba324
4dd39cd7e19df27e79b7aecf317eb2ff409a3d15c2abd470a055e11c3aeefb6d
SH256 hash:
87db63ce15f6166bfd5bcfabe7bcd0a298eb1c1435ec37ae510095b5682ab791
MD5 hash:
171c542ad852813252701bd0ab0a13ec
SHA1 hash:
2e022e6c5442d6e2cc2f69aff6d40b4c2df026a4
Link:
https://www.unpac.me/results/30b36d6a-3ec5-42bc-ac68-634e6b740293/
SH256 hash:
6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206
MD5 hash:
e869d47743bee3fae32d358ee5e285d4
SHA1 hash:
97ae278f1acb46346055954bb15e8fe6c5116f5b
Link:
https://www.unpac.me/results/30b36d6a-3ec5-42bc-ac68-634e6b740293/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c17244fb01d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 6c17244fb01d8a66bce39e0c2ba32293c8c955de7afeb0db1fb0da7814039206

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/434645/

Comments