MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
SHA3-384 hash: 4a0cfb68c93fa64a6bc23d6b3a6e90496b0458b82abdb73e3d17aa7a8e26427eb7d3aec5351d8d8056ddf365e0d9474b
SHA1 hash: 0800c4b079b6277aa86f434b78175da72366de3f
MD5 hash: 2ad6b435964c1607e848b2cbde8885ee
humanhash: mike-crazy-double-eighteen
File name:930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'145'856 bytes
First seen:2025-01-10 14:16:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:PjvV3Mn2jgnuHsOzj4j85M1hUQDAxzJX4YH:PjV8BusOzj4jGM1aK4FX
Threatray 4'465 similar samples on MalwareBazaar
TLSH T1F335020F1BDA4190E4FE5E30A7F945A953F5A71B9862F3BE118403F5CE6170AA5223B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
Verdict:
Malicious activity
Analysis date:
2025-01-10 16:57:31 UTC
Tags:
remcos rat
Link:
https://app.any.run/tasks/40682415-3617-4ac3-91af-cfa0b7bee2eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.26874.15689.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67812bec1e9cdec7dbbb73c4
Tags:
virus msil remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Creating a file
DNS request
Connection attempt
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger obfuscated snake vbnet
Link:
https://www.filescan.io/uploads/67812be3d0ec437b47a708ee/reports/b21008e9-873e-4a90-9c23-2c86cd9dfca6/overview
Verdict:
Malicious
Labled as:
MSIL.Pretoria.Generic
Link:
https://www.hybrid-analysis.com/sample/930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/55db25f3-66e6-4a06-832d-04a34d640401
Result
Threat name:
Remcos, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1588846
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006/
Threat name:
Win32.Trojan.Pretoria
Create hunting rule
Status:
Malicious
First seen:
2024-12-23 09:17:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smh55wvq3tc3xu5bvm7fbi3hlzf2bar3maokfolafojgk6y54ada._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0057db49e4ec9c7538a5f49de24b6cdea3af5cf98357266d0a398fc8a7f804d7
RemcosRAT
57738c267a1b4151e020c2b803cb97ec90adf53163e3936abe58a8c58cf5d9be
RemcosRAT
7ab339d868c58faf80fc2b88b8094c94bf9fd7f1f70f15e773f69c6453f498f9
RemcosRAT
8229d257d6699ced69f12743b735628872ca89d62501ea4283d976206e4b10de
RemcosRAT
a202a3843b54121f7d345b48af88393440cee64240dda50ece88cb7bd395b71c
RemcosRAT
a4b167bf02353592347c3bbbd0deeb54cce5178918ca6a1e7bf49bffffa85123
RemcosRAT
a7e6a1eccebd20cd5940fb92b1a3d8227270c180d9ab60635f0f6aa91c9bbddc
RemcosRAT
ae5c7c5f680e962071211f744fac2af5ad9a508ffe60f4bd747e885f017fbeae
RemcosRAT
d9737abe95686b73b24bab3b431da3d9a774393f8a228265eb7d4bd6b0f992dd
RemcosRAT
error
RemcosRAT
+ 4'455 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:bin discovery rat
Link:
https://tria.ge/reports/250110-rlp9bawpev/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Remcos
Remcos family
Malware Config
C2 Extraction:
cjmancool.dynamic-dns.net:3764
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58b4f7a0-b4c2-4523-8c9d-09c58b28d0e4
Unpacked files
SH256 hash:
2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a
MD5 hash:
4f5880d558000b383fbb6efb21100997
SHA1 hash:
d2ceb9140d797b0f4db46a0a02c274e4fe89f349
Link:
https://www.unpac.me/results/bdcc3df3-1fc6-47a6-abcc-409721c7518f/
SH256 hash:
da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91
MD5 hash:
9a06e083cd0531927dcd616b9b601ffa
SHA1 hash:
9584f7e1c8ab7be5900762abcaedf20cb92e4ae7
Link:
https://www.unpac.me/results/bdcc3df3-1fc6-47a6-abcc-409721c7518f/
SH256 hash:
76117dac2f50e295d6b4977cb5480924ece778499e7ac8096134a2d510ac03ce
MD5 hash:
b70c8c24a29f40caa670a16bb4d02424
SHA1 hash:
67fb7a73810320c7ad2422a21c0901950104a896
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/bdcc3df3-1fc6-47a6-abcc-409721c7518f/
SH256 hash:
c42a2ceff4a3437dd6340d83cdd6ae7b1026fd1909796531f2f29a9059cfd471
MD5 hash:
4bd2d64d9e2028aeefeb70ad88a47461
SHA1 hash:
4554a3d24b3fc477853428b4567757c9df6e7231
Link:
https://www.unpac.me/results/bdcc3df3-1fc6-47a6-abcc-409721c7518f/
SH256 hash:
930fdedab0dcc5bbd3a1ab3e50a3675e4ba0823b601ca2b9602b92657b1de006
MD5 hash:
2ad6b435964c1607e848b2cbde8885ee
SHA1 hash:
0800c4b079b6277aa86f434b78175da72366de3f
Link:
https://www.unpac.me/results/bdcc3df3-1fc6-47a6-abcc-409721c7518f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments