MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819
SHA3-384 hash:	1bd911ce85f3ed93a665d6fca54988cb52aa0aa0f801e4bbb334b729790cbcd481371a7be2f4af28415c929e85fc8609
SHA1 hash:	9beb4752fda28760a6177640f47a76c2b1d04a3e
MD5 hash:	78d83cd2d31606e0971a81c93c8b5f74
humanhash:	low-music-jig-bulldog
File name:	SecuriteInfo.com.Win32.TrojanX-gen.6565.10197
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'219'072 bytes
First seen:	2023-12-14 17:48:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:YOa7TgpKC3lThaLNygugD5QI8yJxf0jJPjS00EgxQ:Ja7Te3hha5yg5v8e90RT3y
TLSH	T1B045CF0371AC5B8EE47A57F97174103083B2AE47643AE71A7DC1ECEF09A5B190A42BD7
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	ecec889ce6d8e8f0 (40 x Formbook, 21 x AgentTesla, 12 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.Win32.TrojanX-gen.6565.10197

Verdict:

Malicious activity

Analysis date:

2023-12-14 17:49:43 UTC

Tags:

rat remcos remote stealer

Link:

https://app.any.run/tasks/0c6ee607-f350-42d8-92c5-b193c051ec35

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467494/

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.6565.10197.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Restart of the analyzed sample

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed remcos

Link:

https://www.filescan.io/uploads/657b40143636548f374ff66f/reports/2dd30faa-b1f4-4990-abde-a79980920470/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6632f087-ff43-4502-be2c-01911842e81f

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1362300

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-14 17:49:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qjydxno6b5cjpdrd6knfsmeuvy4vdq5geo5ubp6vii4jpdr4ramq._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231214-wd1gjafeej/

Unpacked files

SH256 hash:

9946ce7158b9e59b30b39b8f31d9ff6bf756582722839d300779a39550083da5

MD5 hash:

448767083916eca951cfab1963d4a466

SHA1 hash:

c566c30873281e981cebfdd40691139ed2aa1b65

Detections:

Remcos

win_remcos_w0

win_remcos_auto

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

win_remcos_rat_unpacked

Link:

https://www.unpac.me/results/a1dd541b-4d2d-4e03-b634-0ebdd7197af5/

Parent samples :

42a8ee6a8e2f9efccdac2959f5672d3512b63432baa50760de9f18d2ba912852
fe9955148a165861ad47ac4f169e07daa2ff129edb2ce52b98027e30d4057ae4
82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/a1dd541b-4d2d-4e03-b634-0ebdd7197af5/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/a1dd541b-4d2d-4e03-b634-0ebdd7197af5/

SH256 hash:

2043479b6d7a4c682c6a78f4c92e65eb58f998868be5e19bb350d90760a15c27

MD5 hash:

7fc4e108bc0526bcfa6e7bb6bd15968c

SHA1 hash:

a899c17a91cf31751c9e54b94c90e47ae794e7dd

Link:

https://www.unpac.me/results/a1dd541b-4d2d-4e03-b634-0ebdd7197af5/

SH256 hash:

82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819

MD5 hash:

78d83cd2d31606e0971a81c93c8b5f74

SHA1 hash:

9beb4752fda28760a6177640f47a76c2b1d04a3e

Link:

https://www.unpac.me/results/a1dd541b-4d2d-4e03-b634-0ebdd7197af5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82703bb5de0f44978e23f29a593094ae3951c3a623bb40bfd54238978e3c8819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/467494/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample