MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107
SHA3-384 hash: 4f8eed56260ec8590a412b4e61836f697199e7f1e5ab0acf0f890ae2f460661e380f720deaa9ba9de74c91dc8cd9ce8f
SHA1 hash: f5a6d4888d0de42e86bfcd28f8d04f2984eb6411
MD5 hash: bb446580a3dbda7c6d33409087b48963
humanhash: massachusetts-april-triple-friend
File name:bb446580a3dbda7c6d33409087b48963.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:498'176 bytes
First seen:2023-12-21 07:20:37 UTC
Last seen:2023-12-21 09:15:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:KROMtvQ8FuujQOikfVyaaYCG9YGEnh4Xvbfn3Q3XUal:dYTFikctYC7GEmf3QnU
Threatray 325 similar samples on MalwareBazaar
TLSH T1DFB412106AB9AB16E6BA43FB9521122183F5B90F2921D21C4CEB71CD1A6BF011FD1F77
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
194.147.140.222:2025

Intelligence

File Origin
# of uploads :
2
# of downloads :
373
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bb446580a3dbda7c6d33409087b48963.exe
Verdict:
Suspicious activity
Analysis date:
2023-12-21 07:21:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da335e6f-78b2-4e3b-86f5-543f12bf1629

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468749/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6583e7606b1c246046ff465b/reports/c98afef7-a50e-43ed-8a86-ececd95cfc16/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46618d7b-ed1d-4195-9321-cbb3cf8bb13e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365444
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365444 Sample: e0glxD6X3W.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 51 ascoitaliasasummer.duckdns.org 2->51 57 Snort IDS alert for network traffic 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 65 15 other signatures 2->65 11 e0glxD6X3W.exe 3 2->11         started        14 Windows Sessions Pause.exe 2 2->14         started        16 Windows Sessions Pause.exe 2->16         started        signatures3 63 Uses dynamic DNS services 51->63 process4 signatures5 79 Detected Remcos RAT 11->79 81 Contains functionality to detect virtual machines (IN, VMware) 11->81 83 Contains functionality to steal Chrome passwords or cookies 11->83 89 5 other signatures 11->89 18 e0glxD6X3W.exe 2 5 11->18         started        22 e0glxD6X3W.exe 11->22         started        85 Injects a PE file into a foreign processes 14->85 24 Windows Sessions Pause.exe 14->24         started        27 Windows Sessions Pause.exe 14->27         started        87 Drops executables to the windows directory (C:\Windows) and starts them 16->87 29 Windows Sessions Pause.exe 16->29         started        process6 dnsIp7 49 C:\Windows\...\Windows Sessions Pause.exe, PE32 18->49 dropped 67 Detected Remcos RAT 18->67 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->69 71 Creates an autostart registry key pointing to binary in C:\Windows 18->71 31 cmd.exe 1 18->31         started        34 SIHClient.exe 6 18->34         started        55 ascoitaliasasummer.duckdns.org 194.147.140.222, 2025, 49738, 49742 PTPEU unknown 24->55 73 Installs a global keyboard hook 24->73 file8 signatures9 process10 signatures11 99 Uses ping.exe to sleep 31->99 101 Uses ping.exe to check the status of other devices and networks 31->101 36 Windows Sessions Pause.exe 3 31->36         started        39 PING.EXE 1 31->39         started        42 conhost.exe 31->42         started        process12 dnsIp13 75 Detected Remcos RAT 36->75 77 Injects a PE file into a foreign processes 36->77 44 Windows Sessions Pause.exe 2 1 36->44         started        53 127.0.0.1 unknown unknown 39->53 signatures14 process15 signatures16 91 Detected Remcos RAT 44->91 93 Writes to foreign memory regions 44->93 95 Allocates memory in foreign processes 44->95 97 Injects a PE file into a foreign processes 44->97 47 iexplore.exe 44->47         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 07:21:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzc6g3vrkqsatkdpzir7k7p4lvlk575btrfbzdmuvf7fgedweedq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
56fee643ba39ac908309688827397099ca6b707c45154eb14da1b693f6b16571
RemcosRAT
64d3136fc3cee6e521fe4e2f9b291a86d747da7a657ac0b8e3afdfd607627a6c
RemcosRAT
9acd14f51f44097e8f00ff0bf413ffdd856c2d7d762064843040a2cde4df3f60
RemcosRAT
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
RemcosRAT
ce4962d3126223b4bd68704159cbdc7479fb2df4263fb9f3d57492e770b74a94
RemcosRAT
d061bccf32fbb8184f85439a17e4fcece7f816ea93681a80c7506e159f043cbf
RemcosRAT
d45d40989488d330e82db097aa2d857ea5d620526171cd8fb145ef62cb4ea701
RemcosRAT
d72b99be6c28cec8f3672df1ef58a69cb08524e181fb7ba53edbdab73f3ccf44
RemcosRAT
f79d3098bfb090b6aaa390943e247178f3acff7c8214467df000cd3f102a2382
RemcosRAT
+ 315 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:christmas persistence rat
Link:
https://tria.ge/reports/231221-h6m51saff6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
ascoitaliasasummer.duckdns.org:2025
Unpacked files
SH256 hash:
afdd5d08c53b6c7f92ac57e960407ffe68042865dddf700f411cd41a9b9bdce7
MD5 hash:
b75cf561eacc25bb3e4be0e839d862a0
SHA1 hash:
ae8273fdb9970136214eeb190753ef6948486b5c
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_g0
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/ed0002c1-e1d4-46f4-9b98-e5037aff498d/
SH256 hash:
acc583951d426d4cc271556f5246ae09b0362dc5afb47c86ccfc3b44c5582d09
MD5 hash:
9d6e95a9eae913470dd9b095f51c4549
SHA1 hash:
cf86b5764cda90fe236e536945a64a1cccfe136b
Link:
https://www.unpac.me/results/ed0002c1-e1d4-46f4-9b98-e5037aff498d/
SH256 hash:
ae010ad44eb9755ba7470320111f8467dcb2ae542adb470f39b1d4887e7bce0b
MD5 hash:
e593c8424bf411fa8725b5b8c88ee73c
SHA1 hash:
a2afc8036480b8113e55176279ba17daa93e3f54
Link:
https://www.unpac.me/results/ed0002c1-e1d4-46f4-9b98-e5037aff498d/
SH256 hash:
c88cbfd2a5bd5e6b46abef43056ab9e14af424de84239d3bff3e9654a5ccd34f
MD5 hash:
f105495e56459175bd7cecee0e96fd91
SHA1 hash:
94d6b482d7790931b6d5d12966ab0f7f8f06c64a
Link:
https://www.unpac.me/results/ed0002c1-e1d4-46f4-9b98-e5037aff498d/
SH256 hash:
8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107
MD5 hash:
bb446580a3dbda7c6d33409087b48963
SHA1 hash:
f5a6d4888d0de42e86bfcd28f8d04f2984eb6411
Link:
https://www.unpac.me/results/ed0002c1-e1d4-46f4-9b98-e5037aff498d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8645e36eb154/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 8645e36eb1542409a86fca23f57dfc5d56aeffa19c4a1c8d94a97e5310762107

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2722669/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/468749/

Comments