MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9caf57d3683dade55209a1635696000cd4cea5f9261a88a2f010eb1cd2c56fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9caf57d3683dade55209a1635696000cd4cea5f9261a88a2f010eb1cd2c56fa9
SHA3-384 hash: 9f918cc027298ba83fa54d721200b29d035cae40ff1239a22cb37426964bd4a9bfa8b25f8f6b6fb12273fd1db15c0efc
SHA1 hash: 7c23d7600765a4fcc8ecf04fa15bb761691e95a6
MD5 hash: be54e9aaac2041df5f5164fa1751a657
humanhash: oxygen-golf-friend-single
File name:be54e9aaac2041df5f5164fa1751a657.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'296'192 bytes
First seen:2022-08-31 18:26:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24b92ccf1e266e626a6cc7126f975fe5 (7 x RemcosRAT)
ssdeep 98304:SiElsQcBRrrssBI/7gUy2IoBCJFCIR9JVTQtEMrZIz:TEOlpssBI/P/ILj9JQhVIz
TLSH T19116237742561287D4E589368A37FFC171F6137E4F83ACB8B6C96AC326665E0E312843
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/306974/
Detection(s):
SecuriteInfo.com.Trojan.Heur.TP.@J0@bGKZgWki.13826.8335.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Setting a keyboard event handler
Creating a window
DNS request
Creating a file in the %temp% subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/630fa884e87b88e71be85f31/reports/f76e14d8-e1ed-493f-8cde-110614d9c9fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/26dd7ffa-8ca6-4e82-99ae-3c6f518e5c3d
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1061857
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9caf57d3683dade55209a1635696000cd4cea5f9261a88a2f010eb1cd2c56fa9/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-08-31 10:56:35 UTC
File Type:
PE (Exe)
AV detection:
27 of 40 (67.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsxvpu3ihww6kuqjufrvnfqabtkm5jpzeynirixqcdvrzuwfn6uq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/220831-w3q96abhb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Unpacked files
SH256 hash:
170add3a4e2e863ba406743cf6729745923590d07bdd984c534b1568e0b6f734
MD5 hash:
208511984837198c6b0f90a4ab06bfe1
SHA1 hash:
ae22348a12829740bad0e485186daaa7a9c4d5a7
Link:
https://www.unpac.me/results/2f267ea8-0a41-4b39-893a-4a87ab2d31f9/
SH256 hash:
9caf57d3683dade55209a1635696000cd4cea5f9261a88a2f010eb1cd2c56fa9
MD5 hash:
be54e9aaac2041df5f5164fa1751a657
SHA1 hash:
7c23d7600765a4fcc8ecf04fa15bb761691e95a6
Link:
https://www.unpac.me/results/2f267ea8-0a41-4b39-893a-4a87ab2d31f9/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9caf57d3683d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9caf57d3683dade55209a1635696000cd4cea5f9261a88a2f010eb1cd2c56fa9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 9caf57d3683dade55209a1635696000cd4cea5f9261a88a2f010eb1cd2c56fa9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2276782/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2276802/
Cape
Cape
https://www.capesandbox.com/analysis/306974/

Comments