MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da
SHA3-384 hash: 64004ebc4e9978d720eddbc852bd91d765ea44c67009e17c776ddd64d5883cce04afd454772111c415ffa55f19a7502a
SHA1 hash: 5b361fb7c2219a8400ba08728472e7f9f4d9d415
MD5 hash: 98ccb619eb1a02f1a2e95cd0518cf5eb
humanhash: apart-uranus-low-thirteen
File name:YUM DK-25 DEL.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:566'784 bytes
First seen:2023-09-02 09:25:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oGuhPRUEYFZ/G0T513A15yvB5unvEBqITV7xzloOd8WJK8ap7K0Y9fcv:xuhPeHFp33/vKveqITJxelp8ap7o9U
Threatray 2'522 similar samples on MalwareBazaar
TLSH T14EC4239A43CC0FB3DAA968F684F3199107D5C43A8907E75F949148739F27BCA8E129C7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
91.193.75.175:6609

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
YUM DK-25 DEL.exe
Verdict:
Malicious activity
Analysis date:
2023-09-02 09:27:23 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/153776d7-12da-4197-8766-75ce50413bf2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445729/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.138179.2250.17525.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Running batch commands
Creating a file
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated packed packed smartassembly
Link:
https://www.filescan.io/uploads/64f2ffabc95366b9effd860b/reports/5673b0ab-eec6-4bde-b439-0d5e63669937/overview
Verdict:
Malicious
Labled as:
Cerbu.Generic
Link:
https://www.hybrid-analysis.com/sample/a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c32decfc-88b1-408a-93f8-2bb3be9fa3d7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302079
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302079 Sample: YUM_DK-25_DEL.exe Startdate: 02/09/2023 Architecture: WINDOWS Score: 100 71 Snort IDS alert for network traffic 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 8 other signatures 2->77 7 YUM_DK-25_DEL.exe 2 2->7         started        10 Phtos.exe 1 2->10         started        12 Phtos.exe 2->12         started        14 Phtos.exe 2->14         started        process3 signatures4 79 Writes to foreign memory regions 7->79 81 Allocates memory in foreign processes 7->81 83 Injects a PE file into a foreign processes 7->83 16 vbc.exe 3 13 7->16         started        20 cmd.exe 2 7->20         started        22 cmd.exe 3 7->22         started        31 2 other processes 7->31 85 Multi AV Scanner detection for dropped file 10->85 87 Machine Learning detection for dropped file 10->87 25 cmd.exe 10->25         started        27 cmd.exe 1 10->27         started        33 2 other processes 10->33 29 cmd.exe 12->29         started        35 3 other processes 12->35 process5 dnsIp6 57 moremoney.myftp.org 91.193.75.175, 49719, 6609 DAVID_CRAIGGG Serbia 16->57 59 geoplugin.net 178.237.33.50, 49720, 80 ATOM86-ASATOM86NL Netherlands 16->59 61 Contains functionality to bypass UAC (CMSTPLUA) 16->61 63 Contains functionality to steal Chrome passwords or cookies 16->63 65 Contains functionality to modify clipboard data 16->65 69 2 other signatures 16->69 67 Uses schtasks.exe or at.exe to add and modify task schedules 20->67 37 conhost.exe 20->37         started        55 C:\Users\user\AppData\Local\...\Phtos.exe, PE32 22->55 dropped 39 conhost.exe 22->39         started        49 2 other processes 25->49 41 conhost.exe 27->41         started        51 2 other processes 29->51 43 conhost.exe 31->43         started        45 schtasks.exe 1 31->45         started        47 conhost.exe 33->47         started        53 2 other processes 35->53 file7 signatures8 process9
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-09-02 08:53:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uu6rcka6thumrjgq74ts77jsuq7cbzlrpzeelb3yqbqmof4v3hna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a1d374fc74a19fafd920caee9a08e1a999e633d098b8ed02aebf7ad9a66281a
RemcosRAT
50360abbc508d169cda7d1a79ad2032827b553f0b9ed82c7b1609d074c20a112
RemcosRAT
5e95168687b15de3724b3c8240c0b40cdb61c75b440d11a7fa72c2b247c920ae
RemcosRAT
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
RemcosRAT
6d69abf704c0ac0c71d7d35cc0eaa5b0ba230b7538ee159ad415b06798143c33
RemcosRAT
8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5
RemcosRAT
9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8
RemcosRAT
b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
RemcosRAT
d31044022de445b61ba735083a47c5fd1f4d5c8dfcf544da489572ce3fafdc79
RemcosRAT
e029bc85866faf62332458961316cf1561c335b06076936f9e1ae87cbc0a868e
RemcosRAT
+ 2'512 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:777777 rat
Link:
https://tria.ge/reports/230902-ld69zaca68/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
moremoney.myftp.org:6609
Unpacked files
SH256 hash:
552e2368917416b803a0749e1a68c1a04e6db5c51e0c08ce2ff5fad83a050b7d
MD5 hash:
5da1518394e59f7623ebe64208ba764f
SHA1 hash:
4f3ebbcb9f9aab6750878dc776ca156de920c78e
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/31cf2697-eecc-4640-8c1d-f717e8b45fdd/
SH256 hash:
a39bb11da5ef7fcd45c78def7718f5855afc8a5159fa39bb9750a6fdc8a69d6a
MD5 hash:
00d233b746409b742835ff8fe07b6d35
SHA1 hash:
4f23639b234c2ff7458903954595ba6e1ba9f127
Link:
https://www.unpac.me/results/31cf2697-eecc-4640-8c1d-f717e8b45fdd/
SH256 hash:
a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da
MD5 hash:
98ccb619eb1a02f1a2e95cd0518cf5eb
SHA1 hash:
5b361fb7c2219a8400ba08728472e7f9f4d9d415
Link:
https://www.unpac.me/results/31cf2697-eecc-4640-8c1d-f717e8b45fdd/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a53d11281e99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445729/

Comments