MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
SHA3-384 hash: abb358f28a0bc499574cbc7c2c6d81cc6f0327089b79cb3235755e07dd91b345f1741f7679e15bf64dc788481fc6e38e
SHA1 hash: c49374c3fb298a8c64f212641ca496bbd7d44c04
MD5 hash: dd801c9810d646f04c1ebaa46784fbe9
humanhash: october-washington-pizza-one
File name:FG133.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'508'352 bytes
First seen:2023-12-30 07:36:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:PqDEvCTbMWu7rQYlBQcBiT6rprG8aRDlbgs7nwkKX4iS/SvCNowh:PTvC/MTQYxsWR7aRDtgs7nnKX4ifz
TLSH T19065C0023791CD67FFAB91720F5AF611477C6A260123A51F12B8297AF9701721E3EB63
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ecd8f0e88cb6aaa2 (2 x AgentTesla, 1 x RemcosRAT, 1 x Formbook)
Reporter cocaman
Tags:exe QUOTATION RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
466
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit bladabindi control darkkomet greyware keylogger lolbin packed remcos shell32 threat
Link:
https://www.filescan.io/uploads/658fc89fffafd83ebc9fe79a/reports/69f53460-5071-45ef-9895-cc2e5b211810/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ff9f963-1bad-4efa-94bb-f06d32c65c60
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.rans.phis
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368220
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-28 23:37:57 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxq223avapwp5rxahm4mes4tzz6jfiephscpipnysrrvsbkjhdda._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231230-jfs41sccan/
Behaviour
Suspicious use of WriteProcessMemory
AutoIT Executable
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946
MD5 hash:
2ba2baa0a9f2917074f70a50f10ddee9
SHA1 hash:
5e32eb53c8ff82ef5dfe9fa41158af2c131998e4
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/4e925722-6f07-42ea-92e2-1c3eab3086bd/
Parent samples :
a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946
85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
1862317879e1cfcaff8a4c2355f8d88b0911a4c848773f54bcb82c48f20480e6
62bfc227410b8cc5e8a3f6b6a7344e9ce2a91481278c7d0d2afae8ea3eb095ce
7cfbfe371912b59dec9a22cb39790c9f94774124ac786b48d493ec46830a0c1c
f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a
be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8
449ecf2471ec8a48d115b252928053edc56f2bbf622a88db78274bdf3cc574ac
SH256 hash:
85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
MD5 hash:
dd801c9810d646f04c1ebaa46784fbe9
SHA1 hash:
c49374c3fb298a8c64f212641ca496bbd7d44c04
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4e925722-6f07-42ea-92e2-1c3eab3086bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5

RemcosRAT

Executable exe 85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 da392819f729c30ac6bed9b8fef78c3f3c48d16259b675a5ca13aa69e60143f5
  
Dropped by
MD5 8beae521ffc5328ae64c9115c8b12f24

Comments