MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd
SHA3-384 hash: 79864011ac97d5e99d4f3e98063958e81bad2b5911412eac44730f0f2fe1b7e7a0b6c9e4833569a9868eb556bff39a88
SHA1 hash: c8b4193545674c1b1a16d6e40cc1882ddeb5d77d
MD5 hash: 23336d6098194ab66fca6dc27d94e17b
humanhash: north-asparagus-equal-muppet
File name:SecuriteInfo.com.Win32.PWSX-gen.5601.32011
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'344'000 bytes
First seen:2022-10-04 04:16:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:X+3heLn/dVHlBVSn8YoPt32F4rWLmLVzyM:OYL/YnTo1GFjLmL5y
Threatray 2'598 similar samples on MalwareBazaar
TLSH T12055E02132F5090FD16A42F04891C2F06BB58F69A6A9C2CF4DD5BDCF78F6B52A750A13
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0c4aed2f2aec4f0 (4 x Loki, 1 x SnakeKeylogger, 1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316290/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5601.32011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Unauthorized injection to a system process
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2d9902a-9913-499f-99fb-5193d3eb9dc8
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1082933
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715490 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 04/10/2022 Architecture: WINDOWS Score: 84 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AntiVM3 2->23 25 4 other signatures 2->25 6 SecuriteInfo.com.Win32.PWSX-gen.5601.32011.exe 3 2->6         started        process3 file4 17 SecuriteInfo.com.W....5601.32011.exe.log, ASCII 6->17 dropped 9 vbc.exe 6->9         started        11 vbc.exe 6->11         started        13 vbc.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 04:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
153
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=odlosun5kusezkmp4uraik7feclyhq4nxytb3h2mk562ftdjhhgq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04a15b34b627794caf34f7277c8663ea7a75d32576f6484dc85ba2bfcbe39bfd
RemcosRAT
0773f517b40992fd3e6291eb906558588f1de9e3887bb2433f95bb4ea9f5904a
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
3e0bcdfffded9aaede7644824841490767cf472e2dafebdc04b090870853d8ac
RemcosRAT
788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d
RemcosRAT
a4f1f9124305cce82a6b8c70ccde9b4d646103f5b320bd766ad53fcd5a19ff08
RemcosRAT
c751eef24ba7492781e43c5034f1175ec098ebc72602e68822fd4c09cac0b9bb
RemcosRAT
ce4085be9c0cea2fdaa6145e86166b051222fcc96eac12e1668d803a6b97ebfe
RemcosRAT
da780e7f18a59bf4184769099656b951986ff9915e684a7d9c063f471f4f6876
RemcosRAT
+ 2'588 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221004-ewc1hsbhdr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses the VBS compiler for execution
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/86c40a5e-e348-4223-b502-1d38d2474e88
Unpacked files
SH256 hash:
4c565f789e34d0cf9d6cb7361ad45a5a2ffa01f664dcd49a1da2e25be36f5682
MD5 hash:
ba07eb52ad32844e2a34c9a30e92d4f9
SHA1 hash:
e87c52e3fd76d2120f671c8f3163255fbeec564f
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/b90427c8-abd4-4f7b-ba7e-d382573e981d/
Parent samples :
32cc036ec39f8778c6920c98f1e8c5adb49419c51f8e828df32f9d6ff98c483b
15194ffa05cc42d107aa2dd6e87f93a2377182044d9f525df362f12ace6fd72f
535250e39240c6587646ad1876e2ed517e86f90d18099dab5e667cae2ef507e2
70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd
d7af53e976dcd39bc14d8e6c594c32bd33b7567b24148c924b4314b5c6327907
56bc72f3b4276309ba8b16991e1534895eb11195fe2fdb4ae9d9afb8aafe43db
8e143cf495b03daa40f3e69a8df37ef5298a75ebc25620557065975a5cdd35c1
SH256 hash:
a04c799fa302c78d04acc3b4be8ccbde2f7fa00fe515daf18a2fc7e65fad3b13
MD5 hash:
d76812ec4cbc45e1e26ed36691596f7e
SHA1 hash:
c854fe9792694fb464a0bed51c737ff61ccef736
Link:
https://www.unpac.me/results/b90427c8-abd4-4f7b-ba7e-d382573e981d/
SH256 hash:
3b6e51c53453ffaa52c246651fe320fed4c1e41a84affee1f7436d768403e96c
MD5 hash:
37d6ec2a0988ea7293015d3b819edb67
SHA1 hash:
ab01d727f75b7a1ea728f419dda1d50389b3ee2c
Link:
https://www.unpac.me/results/b90427c8-abd4-4f7b-ba7e-d382573e981d/
SH256 hash:
04baa4a6d4728182b7373b5552ec6f984f26d640a39475849fad7ea651834f4c
MD5 hash:
1bdd03f0e85f7e2c438b4b92acceb1eb
SHA1 hash:
681fd9a0c427f3191f5a69b04d1d91c9dc2f368b
Link:
https://www.unpac.me/results/b90427c8-abd4-4f7b-ba7e-d382573e981d/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/b90427c8-abd4-4f7b-ba7e-d382573e981d/
SH256 hash:
70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd
MD5 hash:
23336d6098194ab66fca6dc27d94e17b
SHA1 hash:
c8b4193545674c1b1a16d6e40cc1882ddeb5d77d
Link:
https://www.unpac.me/results/b90427c8-abd4-4f7b-ba7e-d382573e981d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/70d6e951bd55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70d6e951bd55244ca98fe522042be5209783c38dbe261d9f4c577da2cc6939cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316290/

Comments