MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76
SHA3-384 hash: 45e1c8ecfb1dc18b06e5023cab41f47dca8d132c656adefedec0721ecc4eae4f12c9936b67678c98692632f2b575574f
SHA1 hash: 80f9c1acc14b22e34690c0820e483f0618e026d3
MD5 hash: 1d8362bdb62a5be46683444118e402ac
humanhash: pasta-utah-hotel-social
File name:SecuriteInfo.com.Trojan-Downloader.Autoit.gen.14236.26445
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'544'704 bytes
First seen:2024-01-26 11:44:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:VAHnh+eWsN3skA4RV1Hom2KXMmHauRlqblDZeBpwxQl/a6Av6uQAc45:Eh+ZkldoPK8YauHqbcpIY7Av6g
TLSH T19D65AE13BB96ACB1EE575DF35A19BD4106B8A81C03AF491F224C2B68787177112BF2D3
TrID 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71e0aab2b2e8f071 (1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473021/
Detection(s):
SecuriteInfo.com.Trojan-Downloader.Autoit.gen.14236.26445.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin packed remcos shell32
Link:
https://www.filescan.io/uploads/65b39b46fc0458d7ffdcaed1/reports/4760fae8-dc4c-44ae-944f-bde234db6332/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ab1017a-2533-468e-a509-292fcbe78236
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.rans.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1381608
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1381608 Sample: SecuriteInfo.com.Trojan-Dow... Startdate: 26/01/2024 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 8 other signatures 2->74 14 SecuriteInfo.com.Trojan-Downloader.Autoit.gen.14236.26445.exe 6 2->14         started        18 wscript.exe 1 2->18         started        process3 file4 66 C:\Users\user\AppData\...\proximobuccal.exe, PE32 14->66 dropped 96 Binary is likely a compiled AutoIt script file 14->96 20 proximobuccal.exe 3 14->20         started        98 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->98 24 proximobuccal.exe 2 18->24         started        signatures5 process6 file7 64 C:\Users\user\AppData\...\proximobuccal.vbs, data 20->64 dropped 80 Binary is likely a compiled AutoIt script file 20->80 82 Machine Learning detection for dropped file 20->82 84 Drops VBS files to the startup folder 20->84 26 proximobuccal.exe 2 20->26         started        29 proximobuccal.exe 2 24->29         started        signatures8 process9 signatures10 90 Binary is likely a compiled AutoIt script file 26->90 31 proximobuccal.exe 2 26->31         started        34 proximobuccal.exe 2 29->34         started        process11 signatures12 100 Binary is likely a compiled AutoIt script file 31->100 36 proximobuccal.exe 2 31->36         started        39 proximobuccal.exe 2 34->39         started        process13 signatures14 78 Binary is likely a compiled AutoIt script file 36->78 41 proximobuccal.exe 2 36->41         started        44 proximobuccal.exe 39->44         started        process15 signatures16 88 Binary is likely a compiled AutoIt script file 41->88 46 proximobuccal.exe 2 41->46         started        49 proximobuccal.exe 44->49         started        process17 signatures18 94 Binary is likely a compiled AutoIt script file 46->94 51 proximobuccal.exe 2 46->51         started        54 proximobuccal.exe 49->54         started        process19 signatures20 76 Binary is likely a compiled AutoIt script file 51->76 56 proximobuccal.exe 2 51->56         started        59 proximobuccal.exe 54->59         started        process21 signatures22 86 Binary is likely a compiled AutoIt script file 56->86 61 proximobuccal.exe 2 56->61         started        process23 signatures24 92 Binary is likely a compiled AutoIt script file 61->92
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2024-01-26 11:46:07 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbn5hbzcnesvzchqll77f3w26kmggagy7yfmitgtmun7dheg7r3a._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240126-nwry4seccl/
Unpacked files
SH256 hash:
6edc7cb5271655eb893ef15120eff10cc6cc139512a0c242f91b90fba27076af
MD5 hash:
fb706c71306d377d489c6f7f4e4e3232
SHA1 hash:
52864807a001f968c7d7ce929d70793bf86bc6aa
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/4f6fb7a5-3f3b-4b7a-a66f-2b2dd532326d/
Parent samples :
905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76
20a6b7999fb3ff90688026a1c27ba38b36a2b164f949fc340373832388abf727
9495e0f3e772cc191122fe78219f48ecba27aabb814d9c9c5116e019ff37dbf7
063e8dc308fea1f6ab248e3704894c8311b85959301e6389ae5ee55726e3ba2a
d49d62c643b50bf3244c59a483309cfbd227386bc68a95fbae0adbad87aa34af
f73e8d1f28812d763bbe7854b60a34b6b86b997944135480862304e9893830dc
3e21b228b8e069458460dc632de5d378f51ff7438a26197c50193580ec68e78d
e55772f5522dfeefe0f5004aa6781c10290d3fb4e0fdf246c0893114baec051c
a6a3d95c04dca683d66b1e6dcf729a7ad0811c7bd7f9c19aa7076ba28f66fd0b
7fe4e53ab09ec648bd7cf8e6563dded6ae5591988cbfd05062420dceeb2ce2f2
15dab0e3dfa44f1bee01b858a4a32cd2b4dd83c4b059450adb60cd68ef6d7a59
a745120f8c630fc43742d0127740278ea80a9f397833f2aef584d20924588191
42460c32bf624fab49e385e8bb9efe77dc1f3c73ab82401fd072433268aa9ec5
ba3620d676a6fc5516ac7c962349ce9cafe964489080c00a4a0d38d4372bad67
5fe1de0adf99f8dff660c75a7e9f2c1d0720f6694f63a7aa406fc16f8bf498d3
2a27d03dbf5754170f5b096506af34a6ad46fa386bf05500b559c6cd210eb4f7
7946865787ec14985dbeb9fd9b08f426a2aabe834e5110b9f22f3c6dcede79b2
7589ffb799213de396869e27f027e07fc5f04177401255af211079a594c09a09
60f400af52d794d640cf91ea3ad8ce901fbee155039a442abe15a2d79fd053d9
SH256 hash:
905bd3872269255c88f05afff2eedaf2986300d8fe0ac44cd3651bf19c86fc76
MD5 hash:
1d8362bdb62a5be46683444118e402ac
SHA1 hash:
80f9c1acc14b22e34690c0820e483f0618e026d3
Detections:
AutoIT_Compiled
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/4f6fb7a5-3f3b-4b7a-a66f-2b2dd532326d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/473021/

Comments