MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d
SHA3-384 hash: 702ddc7a39db7577f409d77af440fea4aeaa656cd52844827c02c3a1cac4583c4aa8864f33c9fef3218467aac5c507b9
SHA1 hash: a3ff72985c4f14fdc40ada9c5b27af2ddf4f0fbb
MD5 hash: 1f2ae45ed64b04681408b3c1c954587b
humanhash: south-apart-stairway-blue
File name:1f2ae45ed64b04681408b3c1c954587b.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:876'544 bytes
First seen:2023-05-08 08:38:06 UTC
Last seen:2023-05-13 22:41:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Q02Jxssz34h6mrtC14jNdDKxAy5ZY9vDMX1N+l0wuD3iZ+Yvc3Z1hGtkWj3Z:Qm76MqCmx+v+N+lGUfkMiWL
Threatray 2'703 similar samples on MalwareBazaar
TLSH T13E152259B2F68EF3C60E89FA1438F9662372309755C1D7E04D39A5C85FEAF014E0866B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 285430d4d0305428 (10 x Loki, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f2ae45ed64b04681408b3c1c954587b.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 08:42:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28856d67-cd70-496d-bbf0-77cdcba6bfc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387479/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed remcos
Link:
https://www.filescan.io/uploads/6458b5286bfa3326714e2169/reports/cfa49900-c926-4ab9-a53e-a13d34d7f33b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0e47088-abc1-4f06-b658-b5f17dbcb7d2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228104
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 05:28:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6jqvvyhizh7badiajwcdg35i4g2hlpn7gcpbmejpynnwqjgiqgq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1abe11cf0a879b99c092a403e9efedf7ecda8e92c6708c31c799ce36c2da26a8
RemcosRAT
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
RemcosRAT
2b4c534df5fe4c7ee7a402f384109cb60b54c7f301ef8644e7b1eba397d89f2b
RemcosRAT
32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db
RemcosRAT
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
RemcosRAT
aa2caafd9a1d53df2112c9081fb5686e04283be0da13d94bacdfc8c9addf0c34
RemcosRAT
cadf95355bd6ea18fdd3555ea3f85d102f40b3df0dc36b332f9ad8b505105f6e
RemcosRAT
edd0bc79de9c5ecb3d4903d20259b356171aa41af2df2a43aad0bf36bda95c7b
RemcosRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
RemcosRAT
+ 2'693 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230508-kkaznshg52/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
bmarch459.sytes.net:6110
Unpacked files
SH256 hash:
be10c1250bb2c4896197bf144d64a21cbe83478cc0325a16fb505234a418e998
MD5 hash:
0400c7d2e422244e988a080f8362d48f
SHA1 hash:
b5d53aa38b08a527d29b8b9ea31adeb54556d361
Link:
https://www.unpac.me/results/a61c582e-72bb-4c0d-a2ae-102488e57137/
SH256 hash:
1a74b799c1a40a793e526da7e8e0de843cd00a39fd21736888fa42ed399de005
MD5 hash:
4d61d1ba711188097ea6d10b4175a7ec
SHA1 hash:
91c0382c4470028b26f4ba4d96bf09556827663c
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/a61c582e-72bb-4c0d-a2ae-102488e57137/
Parent samples :
3d35655b8a265b213dba9d23a9542e024895cba4c18dbfb782cb844125c23654
23b3b5a24a51826ddb55a28333f4bfb9455f891f946e7d71a8d1eb3bab1f02f2
7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d
59d9df7e128711ba9e34b6a6cac31cd50e25c5e350849abfc1b53e8c25854719
27d5b86fa6821ac78a1ad2ad6dbc94cd34d24e461ebc1fa15a0014acd4cd71d6
fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
SH256 hash:
cd6b4acabb4531bc86511347f0a0891047311b714ebeeab7be1e96717177bbcd
MD5 hash:
a4cdc6e0e3011d8c27d3f0f85a337292
SHA1 hash:
2ad98506d32e8dd317d53d1c25d067687ab49558
Link:
https://www.unpac.me/results/a61c582e-72bb-4c0d-a2ae-102488e57137/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/a61c582e-72bb-4c0d-a2ae-102488e57137/
SH256 hash:
7d4d2727af16bd43a8b84684fcf9471ffac7adb5a99bab3476951c16dcdfa4c3
MD5 hash:
48f25f70764858909ab7fa96721f9d01
SHA1 hash:
1a8628d1c7ea6cf1d06dbfc58cbca14d32139fbd
Link:
https://www.unpac.me/results/a61c582e-72bb-4c0d-a2ae-102488e57137/
SH256 hash:
7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d
MD5 hash:
1f2ae45ed64b04681408b3c1c954587b
SHA1 hash:
a3ff72985c4f14fdc40ada9c5b27af2ddf4f0fbb
Link:
https://www.unpac.me/results/a61c582e-72bb-4c0d-a2ae-102488e57137/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7f930ad70746/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2260834/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387479/

Comments