MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa
SHA3-384 hash:	a1895fa57e73e77b15ba8f26b8b09939d4d72533bdd56abe8f4aee4aa8dde859e1f0afa142c49b4ac03277de4a18d758
SHA1 hash:	aeab8f69ba4af197412bce03a81e6272227ee5a6
MD5 hash:	317a11eea27c6dab06e30e7b60bedbbb
humanhash:	moon-maine-october-victor
File name:	N.° 78 - Orden de Compra - la-Sante Licitación Privada.JPEG.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'302'528 bytes
First seen:	2022-12-13 16:59:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:Y9U00/nRN6w81BjCOndGIWypobrAnbd5ApmqgWntShSw59QS4G3r5/oOi3bJhxVI:Y9U08RN65B4B04uoTTS8w59
TLSH	T17A55BF0131B745A3F59766B24050BACC2F383D22A5D1E21B39753AC5623266BFFA4F63
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	3b3b3b2125036107 (24 x AgentTesla, 3 x SnakeKeylogger, 2 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

N.° 78 - Orden de Compra - la-Sante Licitación Privada.JPEG.exe

Verdict:

Malicious activity

Analysis date:

2022-12-13 17:00:19 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/30d06f01-fa71-4a68-b0d0-90d8d6ce4c16

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/345934/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Setting a keyboard event handler

DNS request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6398af94d4d7598ad9055163/reports/4a2a29b2-0865-4769-9b28-19b587b7de9d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b11ded33-a98d-4667-ae60-42ac6fadf2e4

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1133601

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2022-12-13 17:00:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uy2s3m7kabur2fmmbvvvvt3pqt53tw5y7fmey3lseuu2zxzen2va._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:2nd-host rat

Link:

https://tria.ge/reports/221213-vhzv5afb94/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

eaidali101.ddns.net:6060

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f534d26c-8c20-44b3-aba3-98318b37c234

Unpacked files

SH256 hash:

303f0d6773074f1d8e7b350b5ca9a6696f38aed4b768c04d66da93e6e1030bd4

MD5 hash:

92d12d86adc90660fe237937666431a7

SHA1 hash:

fc0da306ca5a9d6b11fb8e5ef3e228182f802649

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/0110ee13-c9a0-4d74-84ec-e82b3556b08d/

Parent samples :

35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b
b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1
12050271ba333bbc55aca8540cb433b317c8b043fcc4f49e2013706f03834851
a5e3a5a5abe4d46785deadb6630c0df664155bc61400ccec33881adbee9604d7
a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa
ce371c5ca3163e9bbd957b31ad7aee83a7c3a467188968340d28a52cf2be0b40
c6c950ca8ee414fcb5d1d28227799a1eec9a277f73c7eb0403052563a9f80468
e395bd1544cb6f8eeacdaed668d95be91d479734a2aabe4b2c3e7b2ec5d0d316
a4ff98fa6eba586e41aa9004c4d97d16568fb6a8745a172f96d7a1188fbb0b0d

SH256 hash:

35cad145efd0b5b6396491150d2e307d4cb5e06d4f1b41aa310393c6dce520b9

MD5 hash:

56f8354a2e307e73243ff0056295fedd

SHA1 hash:

ed3257769ea438e1b5e86c3ef033e2deca86e239

Link:

https://www.unpac.me/results/0110ee13-c9a0-4d74-84ec-e82b3556b08d/

SH256 hash:

d4b259a7dcacd3632fd79f2b4efb29e5081d0b1a46d42ef65a4c5b9d2f075727

MD5 hash:

bb6ca4a5c42691d9009e65fe50552361

SHA1 hash:

ba148cf41ba70eead53230c5cd5bb13c98b72091

Link:

https://www.unpac.me/results/0110ee13-c9a0-4d74-84ec-e82b3556b08d/

SH256 hash:

eee69f94823210f7f6f82ddddb95c4b6e7a660ea84df92fd71e7b990eb44f12a

MD5 hash:

a84cb55aaa5b2bf8adad3c0f818cad72

SHA1 hash:

99f089c869fa793addeeeb1fdb53201c94d84c76

Link:

https://www.unpac.me/results/0110ee13-c9a0-4d74-84ec-e82b3556b08d/

SH256 hash:

46fc917debc4a9b6dda587c5a3c89f0e4db7ec3c4f5b6e63ae5ad66709c0a07e

MD5 hash:

242625d9534add8db4288f210c42cb71

SHA1 hash:

18939d8244498c25a9624d027b13fdaec9a99cf4

Link:

https://www.unpac.me/results/0110ee13-c9a0-4d74-84ec-e82b3556b08d/

SH256 hash:

a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa

MD5 hash:

317a11eea27c6dab06e30e7b60bedbbb

SHA1 hash:

aeab8f69ba4af197412bce03a81e6272227ee5a6

Link:

https://www.unpac.me/results/0110ee13-c9a0-4d74-84ec-e82b3556b08d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a6352db3ea00/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/345934/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample