MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
SHA3-384 hash: 40fc7e92360aa4047744ca6d2a335acc8095ad8baa108da312ad930ffeb966ad88338066ebef1622152bb11262869121
SHA1 hash: 44780713a7026b9b0ff3cadeaffacb3cc3584eca
MD5 hash: 6f92f923d8f87afe5fe757ff2ff56951
humanhash: yellow-beer-fourteen-alanine
File name:Slf.msi
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'581'440 bytes
First seen:2024-11-30 00:21:34 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:vm5X8r6F5mCmR+juZZZL+H9IyKficUAG595WpZsNAaudSIuvLZ8:co6wZLSIX6cZGZWUNAaudgZ
TLSH T137F5F115B3C3C922C15D027BF459FE0E5438EEA3473451E7BAF5799F88B08C1A2B9A52
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:msi RemcosRAT


Avatar
iamaachum
m/Kroby5444/Jim/raw/refs/heads/main/Slf.msi

Remcos C2: 185.157.162.126:1995

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Penguish-10015880-0
Create hunting rule

SecuriteInfo.com.Troj.Inject-EAO.957.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674a5c6ce64d1c722d7a4663
Tags:
shellcode virus gates
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd evasive fingerprint hijackloader lolbin remote wix
Link:
https://www.filescan.io/uploads/674a5aabb0c1f225b44a857a/reports/2cd70d87-49e0-4acb-95d0-9279332aa9a5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Result
Threat name:
Clipboard Hijacker, MicroClip, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1565486
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected MicroClip
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565486 Sample: Slf.msi Startdate: 30/11/2024 Architecture: WINDOWS Score: 100 64 185.157.162.126 OBE-EUROPEObenetworkEuropeSE Sweden 2->64 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for dropped file 2->82 84 9 other signatures 2->84 9 msiexec.exe 23 50 2->9         started        12 RaftelibeGasrss.exe 11 2->12         started        15 EHttpSrv.exe 1 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 56 C:\Windows\Installer\MSI4502.tmp, PE32 9->56 dropped 58 C:\Windows\Installer\MSI44C3.tmp, PE32 9->58 dropped 60 C:\Windows\Installer\MSI44A2.tmp, PE32 9->60 dropped 62 6 other files (4 malicious) 9->62 dropped 19 Updwork.exe 18 9->19         started        23 EHttpSrv.exe 1 9->23         started        25 msiexec.exe 9->25         started        98 Writes to foreign memory regions 12->98 100 Allocates memory in foreign processes 12->100 102 Tries to detect virtualization through RDTSC time measurements 12->102 106 3 other signatures 12->106 27 WerFault.exe 12->27         started        104 Maps a DLL or memory area into another process 15->104 29 cmd.exe 2 15->29         started        31 cmd.exe 1 17->31         started        signatures6 process7 file8 50 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 19->50 dropped 86 Antivirus detection for dropped file 19->86 88 Multi AV Scanner detection for dropped file 19->88 90 Writes to foreign memory regions 19->90 96 4 other signatures 19->96 33 WerFault.exe 19->33         started        92 Maps a DLL or memory area into another process 23->92 94 Switches to a custom stack to bypass stack traces 23->94 36 cmd.exe 4 23->36         started        52 C:\Users\user\AppData\Local\...\bgbhtsgyxsvqc, PE32 29->52 dropped 39 EHttpSrv.exe 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        signatures9 process10 file11 66 Found API chain indicative of debugger detection 33->66 54 C:\Users\user\AppData\Local\Temp\fcpumhrmyq, PE32 36->54 dropped 68 Writes to foreign memory regions 36->68 70 Found hidden mapped module (file has been removed from disk) 36->70 72 Maps a DLL or memory area into another process 36->72 74 Switches to a custom stack to bypass stack traces 36->74 45 EHttpSrv.exe 36->45         started        48 conhost.exe 36->48         started        76 Found direct / indirect Syscall (likely to bypass EDR) 39->76 signatures12 process13 signatures14 108 Found direct / indirect Syscall (likely to bypass EDR) 45->108
Score:
91%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-11-29 14:45:21 UTC
File Type:
Binary (Archive)
Extracted files:
301
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3imegfxkhwjgkj3leropa5xvgyupi6hzvqhaarm24dqkaii2mqq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:remcos botnet:v2 discovery loader persistence privilege_escalation rat
Link:
https://tria.ge/reports/241130-anw17stpex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
185.157.162.126:1995
Verdict:
Malicious
Tags:
Win.Trojan.Penguish-10015880-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e82aa182-7fee-4d84-b62b-02b6578df28f
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6ed0c218b751/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Microsoft Software Installer (MSI) msi bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449

RemcosRAT

Microsoft Software Installer (MSI) msi 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

(this sample)

  
Link
https://tria.ge/241130-alrcyaylcl/
  
Dropped by
SHA256 bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 23723f9b4239194a21bf0df559f9e9df8aec1399899346311c09cdcd91a9f1b0
  
Dropped by
MD5 183d51767fe58e2bd256688315d25709
  
Dropped by
MD5 028578212baa7456aae40d4bdb5792e5

Comments