MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7
SHA3-384 hash: 79d48d7147a118376e0130834ae6a369a72072fe32ff9947d33659494f4baa623a0398a260e5b7f0c1d3b0991dc88648
SHA1 hash: 313422ac19b51cd0f0827414a6d743639ae8d892
MD5 hash: 668ab80274e478146789a6e13930cae8
humanhash: golf-vermont-winter-california
File name:PRE ALERT DOCS.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:535'851 bytes
First seen:2023-02-07 14:28:52 UTC
Last seen:2023-02-13 07:07:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 12288:/YNggj0rkQK1tX11pfh8hK5W747mAShDh8Ho1DwccpXo6B6Wdu+xoqw0c:/YNgiGKXzpfh8hKfmAStoU0VBwUlwb
Threatray 2'599 similar samples on MalwareBazaar
TLSH T134B42310BA4E99B7C0B686710EB99376D8E6A948013147AB6354FD8C76F3052CB9E33C
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
5
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
PRE ALERT DOCS.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 14:30:23 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/b935946c-3cb6-4ef4-aa60-ab97fb30c70e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361390/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.1862.718.16483.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/66105/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemesis overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63e260311c9cbf7d62566b30/reports/d3b93345-3e10-48bf-b265-ef693a42d08c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5da5041e-6f9c-4497-a382-92b487deee09
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167737
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 12:49:17 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qudsyech2i2uwqhapofnmyupqyqi7m4suvwnq2fz2ftpp5vumldq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
RemcosRAT
62f4359aef9d0d604c03c099da375debd0d98f20cf4f673a5a32bd64989076ca
RemcosRAT
631e26376c6eec5070da9a40c576e0aa99fdc91cc53d0e0ee96d68b8cf3f97e6
RemcosRAT
808bb32f710ae23d2a4b53b873f766bf56d905dbe8e51810edd15ff79538cd94
RemcosRAT
a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0
RemcosRAT
aecb74252f3ae4e3d912c1983de70c06ac29c69b287b31e45d29fbee0ccb5772
RemcosRAT
d542654502d1d20bd12562b35902d69e78236e4fc1246617788bb8d0d695b86c
RemcosRAT
+ 2'589 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230207-rtknsscb64/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
45.87.61.104:3033
Unpacked files
SH256 hash:
403c50737f275b28d65dcbd8d9decf20d7df84bc1e6f5c0bc9e567dfb98270a0
MD5 hash:
9957e15d7a3889ed0dbdbf93baa86211
SHA1 hash:
f461b82981884154bea5e41dbae65a5e899ab05b
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b7279b2-8611-4ec3-ac1e-6b8412e80d97/
Parent samples :
85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7
186f0d4f01e510e5f09833366eb78f32542c8614a74d9101a927b0970fde4937
2b15cca7549feeb9015dc13eaa7d6aa7042afbc254798965444f1190b4453b10
SH256 hash:
9ce4fdfbfd64b2da086e1a28cbb5952c59874fd90ff67396dde004775d92ea6d
MD5 hash:
15b2694d49e36aa75d5bf108bcf6f7b0
SHA1 hash:
845b9bf6d6f70ab3876737dd78234fa30016ef0a
Link:
https://www.unpac.me/results/7b7279b2-8611-4ec3-ac1e-6b8412e80d97/
SH256 hash:
85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7
MD5 hash:
668ab80274e478146789a6e13930cae8
SHA1 hash:
313422ac19b51cd0f0827414a6d743639ae8d892
Link:
https://www.unpac.me/results/7b7279b2-8611-4ec3-ac1e-6b8412e80d97/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85072c1047d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip e97db1a43d22792a68bbce2da701de10ead84e43157604b1411811ec7cdc80df

RemcosRAT

Executable exe 85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/361390/
  
Dropped by
SHA256 e97db1a43d22792a68bbce2da701de10ead84e43157604b1411811ec7cdc80df
  
Dropped by
MD5 25040a9aa67c35512f4a8f641fbcd3b2

Comments