MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7
SHA3-384 hash: 5bcfbe129a57c392dbfe388c83fafa4fd2ba11513089df69660c110605419c5ad7cc5181fdffd7d198f6a41ccf616a71
SHA1 hash: a07a36ecd6c60e5f58e5a9acaca88808c830b6a8
MD5 hash: e6a3d9a7a1dcb17bb0ac367b602a834e
humanhash: beryllium-undress-california-chicken
File name:SRL 2023-06-21 0211003_02283930.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:439'296 bytes
First seen:2023-06-21 15:54:43 UTC
Last seen:2023-06-22 07:25:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd79210c843d26dc67ae66f05ffeb768 (1 x RemcosRAT, 1 x GCleaner)
ssdeep 12288:AHU6ofa1Is3KrZnnC6s1hE/lmUytTgdQD:AaS1ZEnfs1mlmHg
Threatray 54 similar samples on MalwareBazaar
TLSH T11094E10327907C71D5A68B72DE2EC6D5362FF1508F286B9B223C992F29B01B1C577356
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0044607074606640 (1 x RemcosRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
7
# of downloads :
293
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SRL 2023-06-21 0211003_02283930.exe
Verdict:
Malicious activity
Analysis date:
2023-06-21 15:56:56 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/49e7fc1c-b1fe-4c69-9bb2-8091396d1074

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401463/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.10717.14838.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.RansomX-gen.10367.5335.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64931d579d44d31f835bfc87/reports/8f50f476-0ba4-4bb5-83c6-b17ea823a250/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83151ad3-02b6-469f-aed8-22f6621f3666
Result
Threat name:
Remcos, PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259170
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected PrivateLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 10:28:42 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=udobbc5u226cynvm634k2iztz7676hrco3o5kxvyejpnw3umbtlq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3e6ec18ecee467ac76807198be9c02531fd7091545056260ef164354846e59a6
RemcosRAT
3f07585c2ab00f3f8cb68b6c3a461c0b267c52531a5bca15d59a6cad1cbbc6f7
RemcosRAT
6e3cf5c7cccc4369fbed86c4de5bb59d7bb40c1ced10cab8b0bc733299d45ea1
RemcosRAT
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
RemcosRAT
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
RemcosRAT
c1ccc7e57074fb432d2de187fca944ac480e5b2ad68ad7cc52388e3381990396
RemcosRAT
ea2f8aca010aba1f0ebb0b5af2de53b2a4106d5feb147f34e0a8e615eccd77c1
RemcosRAT
f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
RemcosRAT
+ 44 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230621-tcrrwsbe8t/
Behaviour
Program crash
Remcos
Malware Config
C2 Extraction:
64.112.85.218:4888
Unpacked files
SH256 hash:
b09563ae7159ccf6c7426bacd158f5da4ca33d930a93521496ad469d8d36b8f4
MD5 hash:
ffb10827433d860bef8fe4e84230c473
SHA1 hash:
5d7b02a5d22fcaf973399f3a1363715f1508f4ab
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d7af353-f47f-45dd-b2ac-8fe08dfe6aca/
Parent samples :
6e3cf5c7cccc4369fbed86c4de5bb59d7bb40c1ced10cab8b0bc733299d45ea1
3e6ec18ecee467ac76807198be9c02531fd7091545056260ef164354846e59a6
3f07585c2ab00f3f8cb68b6c3a461c0b267c52531a5bca15d59a6cad1cbbc6f7
a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7
SH256 hash:
a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7
MD5 hash:
e6a3d9a7a1dcb17bb0ac367b602a834e
SHA1 hash:
a07a36ecd6c60e5f58e5a9acaca88808c830b6a8
Link:
https://www.unpac.me/results/4d7af353-f47f-45dd-b2ac-8fe08dfe6aca/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0dc108bb4d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 195696ffd6def79f55f1e35be071c1da33bfec5b187ac920495c36e1fca7f202

RemcosRAT

Executable exe a0dc108bb4d6bc2c36acf6f8ad2333cffdff1e2276ddd55eb8225edb6e8c0cd7

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/401463/
  
Dropped by
SHA256 195696ffd6def79f55f1e35be071c1da33bfec5b187ac920495c36e1fca7f202
  
Dropped by
MD5 5efe6176a8a612301be758f70ff9871e

Comments