MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8
SHA3-384 hash:	d38dde04633ce3ae0e565901299a114c28badb7f708f2a1ad46cb58956ce800eebb68f5d8b4b404f752299d099af13cc
SHA1 hash:	d224349847d85cd452fd726f5b746d3ccb8ae4e0
MD5 hash:	229502d4721e20ab0408887d21bd594b
humanhash:	nebraska-lake-grey-hydrogen
File name:	hesaphareketi-01.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	519'117 bytes
First seen:	2023-02-13 11:23:13 UTC
Last seen:	2023-02-13 12:55:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	12288:xYUMCtQsUqF9LfnXHURNEhTyAKRmnMz917Vr:xYUMCt0kfnEROhQ4nMJ17B
Threatray	2'641 similar samples on MalwareBazaar
TLSH	T146B423B89697E44BF49319734C3B922EA8FCE6020D9C97AF131057D47B171D9EA2B603
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	52f0e8cce8f07132 (11 x SnakeKeylogger, 2 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe geo RemcosRAT TUR

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

hesaphareketi-01.exe

Verdict:

Malicious activity

Analysis date:

2023-02-13 11:23:59 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/6ea7bd93-e947-41f8-9cc8-4cf0f32fd62b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/365013/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.2583.12024.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Setting a keyboard event handler

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/63ea1dd419bdad8346359202/reports/1354c54a-519f-43cc-ac42-b9fb17c447e5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/61046dbd-f493-483f-bb6c-55ffc3c56a92

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1173284

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to detect sleep reduction / modifications

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Uses dynamic DNS services

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2023-02-13 09:11:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pjgq2mn3ajihlg74yhettwyn6xeq4vo4lilvcbks4crhhwenx3ua._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

62f4359aef9d0d604c03c099da375debd0d98f20cf4f673a5a32bd64989076ca

RemcosRAT

7f957a63ff320cf43b53f9f8e7a11ffd327c12a63704cc7fdf11a9a1111ed8f7

RemcosRAT

808bb32f710ae23d2a4b53b873f766bf56d905dbe8e51810edd15ff79538cd94

RemcosRAT

d542654502d1d20bd12562b35902d69e78236e4fc1246617788bb8d0d695b86c

RemcosRAT

d735fd2abee0e57fd410a4d0978305703f8cfcb3b990e342df3b66d86a65d04d

RemcosRAT

e0bf2af1713abe4f3c276ff977a8405ad655b4cf43def74cea14b06540d5ca00

RemcosRAT

+ 2'631 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/230213-nhpxlacc7z/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Remcos

Malware Config

C2 Extraction:

report1.duckdns.org:5890

Unpacked files

SH256 hash:

6cea4d7d647c601cb9c8e770601e59586ee662befeccd06b9331bca966a045cf

MD5 hash:

31b45dc5565a2df3d9f6e9ef0a9e8036

SHA1 hash:

afe8a585139f4b1c473aa9d1bc3645862e0da7e9

Link:

https://www.unpac.me/results/7463878d-590c-436d-ab14-132df210820c/

SH256 hash:

7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8

MD5 hash:

229502d4721e20ab0408887d21bd594b

SHA1 hash:

d224349847d85cd452fd726f5b746d3ccb8ae4e0

Link:

https://www.unpac.me/results/7463878d-590c-436d-ab14-132df210820c/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7a4d0d31bb02/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a4d0d31bb0250759bfcc1c939db0df5c90e55dc5a17510552e0a273d88dbee8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/365013/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample