MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3
SHA3-384 hash: 5721d803aa2c8d1cc542ec3a2059aa182d0c45b00f045b6bd29cf97f53a276cc741447413f3b3edb066adcc5d6d3e80b
SHA1 hash: bb94843afeb84cc9f7969752acbe2640734638eb
MD5 hash: 952bd800d4e8fb93e98e0df539565bd6
humanhash: harry-fix-violet-spring
File name:952bd800d4e8fb93e98e0df539565bd6
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'278'464 bytes
First seen:2023-02-19 04:30:00 UTC
Last seen:2023-02-19 06:27:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:RDK+1/nG5Gt48czIyUxk35WKrYsoJ0p/u0uSWhTPXeRHMDZCuXiAfjHceifda9gs:RL437vga95eAQuvmn
Threatray 2'746 similar samples on MalwareBazaar
TLSH T18A45ADB501437E8AE7A70CFAE54037328C64716753E8C154FDC80FE9B5E9624DEA98B8
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
952bd800d4e8fb93e98e0df539565bd6
Verdict:
Malicious activity
Analysis date:
2023-02-19 04:32:14 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/0ff437ff-2c87-4cc4-b2eb-975b772e2039

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/368188/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65540712.15952.17112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63f1a5cc42bf85850e3df72c/reports/a0345d4b-7859-4381-adce-9274ea2be184/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/10d3765a-5655-419f-a693-983878b5d021
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178764
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an undocumented autostart registry key
Delayed program exit found
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-02-16 20:28:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjftvlfooxu47y3uzpopot3ldmg4fxvixvlygp4cugr66ipjw3bq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
RemcosRAT
08bc96eb8f857b9e84b4536d96ddb85e8be8329f8572b8b91d4d645e79a84ccc
RemcosRAT
221784974f49f2b54c90c63ce6cf9550d94b15c3442c29c959300dbbf5b91f61
RemcosRAT
305e9aa2df19b77ad92b897543e803b5dea0c851b37cf8c9b4e2206282343946
RemcosRAT
3a20e81b1f0bf0699007470e5a8e2a9a0d6507ea99696f0df9bd99b80910d656
RemcosRAT
5ca676b334d8a3f4542877a696a7092b29dbdeddabcd70af2a80e5c8384a75b6
RemcosRAT
7e82cf496170e81178aa01bb117531aaf096b2ee9797e5d82e6e141ad550c0ef
RemcosRAT
9846c8ffd0aec6ff3c8b8db350032e4d9586ac6aa22b06944672c837d3bbcf28
RemcosRAT
+ 2'736 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:enginehost rat
Link:
https://tria.ge/reports/230219-e4tm8seb4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
infoprokaps.ddns.net:6838
Unpacked files
SH256 hash:
33c5fc0aaecc9ed62a53d18eadb5f2b23133604e9dfc49c6f0430f31c0c647ad
MD5 hash:
9aa478d20a9a1d739440d083f05bf16b
SHA1 hash:
dafbb3bc13cdbc88077d8f40f9632bc83aec79bb
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f47f736a-a5de-473d-9238-18ccb2869f25/
SH256 hash:
4bf944063e838e357b698af62262e682e920cd380bd5760fa95f386842c9c2d9
MD5 hash:
0f0437111ac3fa20ea51f3d3795e3d03
SHA1 hash:
b1b819e20e5427f45abd306c04e373bad7908e3a
Link:
https://www.unpac.me/results/f47f736a-a5de-473d-9238-18ccb2869f25/
SH256 hash:
77c04ef865c31f3b6262d8c0d8192bc909b5a8903a31618a2aebad5e196e0bba
MD5 hash:
8be70fc3fa529d0db59e1a7213aa8220
SHA1 hash:
6ca96ee02bf9c4e092404748babcbeaf9ee9a02d
Link:
https://www.unpac.me/results/f47f736a-a5de-473d-9238-18ccb2869f25/
SH256 hash:
c0959344ff2f760b1b92fd2a30202dce8b06e8cbacf9371479b0027bacad557a
MD5 hash:
32aeed29962809dafda3e223708272a1
SHA1 hash:
17500e7ecfb405be8617344a06e1c150aa730adb
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f47f736a-a5de-473d-9238-18ccb2869f25/
SH256 hash:
7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3
MD5 hash:
952bd800d4e8fb93e98e0df539565bd6
SHA1 hash:
bb94843afeb84cc9f7969752acbe2640734638eb
Link:
https://www.unpac.me/results/f47f736a-a5de-473d-9238-18ccb2869f25/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a4b3aacae75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 7a4b3aacae75e9cfe374cbdcf74f6b1b0dc2dea8bd57833f82a1a3ef21e9b6c3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368188/
  
URLhaus
https://urlhaus.abuse.ch/url/2544478/

Comments


Avatar
zbet commented on 2023-02-19 04:30:05 UTC

url : hxxp://172.245.142.41/2313/vbc.exe