MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3
SHA3-384 hash: 10d4b5f216388bc126e19af5ae6ee9f8237fca20d96798c5accd851bc112e3d6d6c0959d46882dc992855007c3b6d049
SHA1 hash: d44987fe7c02076edbbbe870bf1ef48ef9ebf985
MD5 hash: ee3a0cf9337a6f0bfbcb3b2c54818f85
humanhash: three-massachusetts-massachusetts-moon
File name:ee3a0cf9337a6f0bfbcb3b2c54818f85.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'488'896 bytes
First seen:2022-11-09 07:11:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:hx61Jz5fNfOzEj5ph3W40id6ml1LbuE37Ukkl9PN4GWGx:Crz5fNfOzEtW40idll1GSUke9PN4G9
Threatray 6'641 similar samples on MalwareBazaar
TLSH T10D65E138A2E3ED23E75E07B2D0D5A860173E7E5195EDE64E129431D84933B82FA09F53
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ee3a0cf9337a6f0bfbcb3b2c54818f85.exe
Verdict:
Malicious activity
Analysis date:
2022-11-09 07:20:29 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/eb90e0ba-a8dd-44a3-8d05-cdd0d5698718

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/331037/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636b52c882dd9f2e26531c4b/reports/c1c45e1a-6aa5-4636-a8f6-4808d305b3b5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f458f49f-4ab8-433d-8abf-324fba0d91b2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1109053
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 14:10:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujoe2dxvv6qzshrqz3nlxq6ucbg645wl5exnpcfvbcr7lfpqz3jq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
RemcosRAT
4c26268e01117b5cf41d2f14689452912d708e64af0040ed75a40c94b0a943ea
RemcosRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
RemcosRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969
RemcosRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
RemcosRAT
e68ebc948356b0560fee06f52939504005fd848a93ccc41b4840c1db318a5409
RemcosRAT
+ 6'631 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/221109-h1jweagcgl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
mesa67279.sytes.net:9900
Unpacked files
SH256 hash:
fd7e36da5c3d47818b83f04915d40455e2cbac6c690fb710450468ca7f0dab05
MD5 hash:
d3bec52e389d70214bf7e868bcfd3373
SHA1 hash:
d0432f7872be0d79891b25f8beb3c4ef4eb1e74a
Link:
https://www.unpac.me/results/1707e735-5191-431c-a805-caf33e5d78f1/
SH256 hash:
f5cc5fb51bf63d64a20269994e8fd125ac6718acd52090bab263ca22c97bf88e
MD5 hash:
a2445fbef6c2c0f1f659308cffc9caf1
SHA1 hash:
c2a7291f89d1698d79bf6ce67dd74f1234db8b1b
Link:
https://www.unpac.me/results/1707e735-5191-431c-a805-caf33e5d78f1/
SH256 hash:
ee37e7edd8770e0f0bfc0e5ef84217d7cb7908100671ca443c29d443c12d55b9
MD5 hash:
e13e2e3e743268b236a1ff37e3c17cc2
SHA1 hash:
56bfd4700398aa305cdee8b415850142bf8c842d
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/1707e735-5191-431c-a805-caf33e5d78f1/
Parent samples :
1c64ec517c691c29d701145d08a3eae4d783b73d6c79aef024ff9d801c54bcd1
7337db69a20a40af35453369ceabe00d6bff13e5ba8199a294f7bad7c0ee007d
2c59459ca6467913297ed13460ee6f5ec2aa85b4824d339a8f9ac01d83b86dea
8a30ec1b66ef03adde9757a0b8c1fb554bd0a09a9ff5d2486da51a4a1ab7d940
a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3
bb1d45eb0cad32a9458ba080b0fd48cc19f0170002cd0f1a62adf644106e4563
f7f7a09c83f4a5ae327e02aa2eacc52ec0460d3f7dc8fc60c13039f14c9a539f
3b6230848d1a806ee90954b3e2a6ccaf020ed90d91eb29f231badf12cebf0dcf
4071b98e8bf44161cebf8c60bf244913ecab7144f97500ff285445f29d6045c6
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/1707e735-5191-431c-a805-caf33e5d78f1/
SH256 hash:
92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90
MD5 hash:
046e97119545e5abde2f40b5dc3a0344
SHA1 hash:
3e69b67ddff2554c8cd72e129d4da9c8acd9d331
Link:
https://www.unpac.me/results/1707e735-5191-431c-a805-caf33e5d78f1/
SH256 hash:
a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3
MD5 hash:
ee3a0cf9337a6f0bfbcb3b2c54818f85
SHA1 hash:
d44987fe7c02076edbbbe870bf1ef48ef9ebf985
Link:
https://www.unpac.me/results/1707e735-5191-431c-a805-caf33e5d78f1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a25c4d0ef5af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe a25c4d0ef5afa1991e30cedabbc3d4104dee76cbe92ed788b508a3f595f0ced3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2260834/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/331037/

Comments