MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
SHA3-384 hash:	90be81b16f0f54047e76d7f6070ded7c0ade62791537c474c74692984b6df510813589de597691b5e043ebbc17ae33b8
SHA1 hash:	f0f9db57f7816b4024fdb15f9f3b700c29c62745
MD5 hash:	723775e2c2939d11d3a97be870a4f1ad
humanhash:	blossom-nebraska-robin-potato
File name:	STATEMENT OF ACCOUNTING APR,2022.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	700'056 bytes
First seen:	2022-05-10 03:52:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	12288:8NJ7SQzNMbu3z1iVZzdNCjRrrRPHwC1fkywsQ3s1YBgxSfbFsxNJD5dFCHdUi:8NxiVZzdNk1tQC1fkywsQQYBguKFD5ef
Threatray	11'527 similar samples on MalwareBazaar
TLSH	T1FDE4C046F58492A9DC29A3B07931CA7007167E6BFD74645E1BDD3E2B3FB74A3006A843
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d4d4d4d4d4d4d4c4 (7 x RemcosRAT, 6 x AgentTesla, 1 x MassLogger)
Reporter	GovCERT_CH
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

240

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

STATEMENT OF ACCOUNTING APR,2022.exe

Verdict:

Malicious activity

Analysis date:

2022-05-10 03:54:35 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/28a20b9e-da8c-44c2-bccc-31e4beb1ef70

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16878/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6279e1dcb119a5f609b62056/reports/44ea409f-7e6a-4331-a416-ee5981d2e23e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a0e58eb-d261-4574-9d17-c779565d274f

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-05-10 02:18:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nxv6wtf7ka364o2nepr2abo4ldv3b4tkyx2sm3uragd2mz3ausqa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

1c783c06aa669b0133618672069fba39409a6eda891e48e172d679ed0c1e8fef

RemcosRAT

2c9eea8d5b6618d104ec61f30308a1e872139ff87a6a9f18bf3d7dd442f9fcf0

RemcosRAT

31325ab8e1ff304852042e03613425c9bac4f03a8aa70745bb8613ad865d59f9

RemcosRAT

5d0a8a5478876026ee661b50518e44f95308bf20e1e512c3608f97f97aed3384

RemcosRAT

73c64cc8fcfb9a95a1a7a4caf2f42c48727ab4a557d34d1fde2801761878a794

RemcosRAT

9b9b8fda0efdc14380cc3da53380812bfe152a4a05de99aa9159f167066f9ff0

RemcosRAT

9d64fd569d16bcaaa6d77f50bbb447055c968b65e20ff1cbfbc453cf8ee32b15

RemcosRAT

bbc5503e9511c3d9a4116c7c0189bcf33a0189cf61e02bc9f605b9beab320e91

RemcosRAT

bc43be5068b67c7cc3c27c943ae7cf4b912112d57358b699584b5053a4684ebe

RemcosRAT

+ 11'517 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/220510-efmj1shfgp/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

172.94.88.13:5888

Unpacked files

SH256 hash:

85b6ab786e2734cf0bbc6b5008363b6829978b43a4b84b493ca25d8e5dd10fc4

MD5 hash:

6604897b0923e0badf2c95017fc04016

SHA1 hash:

7a3335a905270c54841e747f68534b2d042455c8

Detections:

win_remcos_auto

Link:

https://www.unpac.me/results/63cea4e4-1d2d-4fae-aa49-011684d2f324/

Parent samples :

ba8d32d0c7844fdd2e5c4311fc6dc7a400d7c1ff97bebd9760d62308c669fb8f
576183a33f5247a852bc65a4dc4cbca5762bfbad1291a82572681f7075dc6123
6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0
a9391048b93070a9917724955f78d6946074d241ed6c543ad0f36243830ee02b

SH256 hash:

1d6ed9e9767d62883009fe9318ae308e68b2034fbc68f5b7aa6cdf156b275933

MD5 hash:

aa72cde542cbe8060d61876752e6787b

SHA1 hash:

7f2a6703cb99eb267d1d981305051c4d9b60d513

Link:

https://www.unpac.me/results/63cea4e4-1d2d-4fae-aa49-011684d2f324/

SH256 hash:

6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0

MD5 hash:

723775e2c2939d11d3a97be870a4f1ad

SHA1 hash:

f0f9db57f7816b4024fdb15f9f3b700c29c62745

Link:

https://www.unpac.me/results/63cea4e4-1d2d-4fae-aa49-011684d2f324/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6debeb4cbf50/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe 6debeb4cbf5037ee3b4d23e3a005dc58ebb0f26ac5f5266e910187a66760a4a0

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample