MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
SHA3-384 hash: d5e06d5a4c9f6535ea69e29e1a4724a7604ecc59a29493e5262d63dff4214947e8e7362d2332f74ab6aec2d86c4a04e8
SHA1 hash: 02f5692852f578404bc2d6d940875cda5becc8be
MD5 hash: 79064eba32981da8c9491a8950fdb4ab
humanhash: don-spring-victor-helium
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:885'298 bytes
First seen:2023-06-13 14:20:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9ae3b9e456386a599470301040fc189 (1 x DCRat, 1 x RemcosRAT)
ssdeep 24576:WkGg/LQ5iJEp6hzSwccu/SKj3XFqDWX7EzMIfDNhS/oGi:WSk5i+p6h2wccTKj3XF5wzMINg0
Threatray 862 similar samples on MalwareBazaar
TLSH T13915AF33DA60310AF963847069B565A725266C3A6454AD07F7C2BF4C60729C3BEF632F
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 009b9b9bbaa69a00 (2 x RemcosRAT, 1 x DCRat)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:22:18 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/c9444f13-7295-461d-869f-268275a6b7d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398441/
Detection(s):
SecuriteInfo.com.Trojan.Heur.2m3@b9TR5Yni.5564.15987.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive lolbin overlay packed
Link:
https://www.filescan.io/uploads/64887b5708b287b7595b7679/reports/cd4ebeaf-1a55-4c90-aa9e-cc636fbc2e3b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a108d9e5-6f7e-47f9-9227-401d2376ff59
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253740
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 14:21:10 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5wxgkpassfzguarzfow6oezzelspeeggr5nqxo7iskk3imxb3da._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
RemcosRAT
4107b6df1884a4eb7aeabe55741c01e486ba0b4454c99caaec0ed647018a6125
RemcosRAT
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
RemcosRAT
64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47
RemcosRAT
b564ce75ebda7ddfe0c1be6becd119905c850c6703bb81af1d0ca8d8b9dcb86a
RemcosRAT
c06613844bf5641d98c53c9536a3103b686a3123b44a147046fad162a1f164e0
RemcosRAT
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
RemcosRAT
c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea
RemcosRAT
+ 852 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230613-rn1stsgf29/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
192.168.175.1:1800
Unpacked files
SH256 hash:
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
MD5 hash:
1c9ff0b44e4db1fc5a2f5a84c6add5af
SHA1 hash:
09a4f3776beec99ccdb6260c5e48a5eab5c8244b
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/455224f1-e8d5-48f1-8755-ce160af297f1/
Parent samples :
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
SH256 hash:
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
MD5 hash:
79064eba32981da8c9491a8950fdb4ab
SHA1 hash:
02f5692852f578404bc2d6d940875cda5becc8be
Link:
https://www.unpac.me/results/455224f1-e8d5-48f1-8755-ce160af297f1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f6d7329e094/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398441/

Comments