MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
SHA3-384 hash: 8678073a19c1c99b7842939e873bb47f65ee52d72cea1f401c8a55e477cc186cd07919070327615b86b7fcc827472fa5
SHA1 hash: 0a3aa2d8c65e2e03c900b8a148c1ad53f65289fd
MD5 hash: 0f7e8e737582613d9ec805ea627bd1ff
humanhash: tango-carpet-solar-florida
File name:rem.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'143'296 bytes
First seen:2024-11-28 06:20:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:XCPQ3X6wOmeEXfz0ty9qXo93AkC4rhp3pZ:XC4azmeEvz14Xo95zZ
Threatray 84 similar samples on MalwareBazaar
TLSH T18735173E19B9622BB1B5C766FBE48527F0709AEFF151AD64D0EB43694302A0374C326D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lontze7
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
rem.exe
Verdict:
Malicious activity
Analysis date:
2024-11-28 06:22:10 UTC
Tags:
remcos rat evasion
Link:
https://app.any.run/tasks/8c7bccb9-b566-4b32-9b1e-483a8a5ebe4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.38.5771.10977.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67480cd4b31374f0983554e2
Tags:
remcos packed virus remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed packed packer_detected remcos
Link:
https://www.filescan.io/uploads/67480bd18f37cc1861ff4b1e/reports/9f3abe92-5776-49f3-872d-b1b9edd456d8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4ad4edb-d15f-49f1-8ff5-da81fbd76956
Result
Threat name:
Remcos, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1564313
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1564313 Sample: rem.exe Startdate: 28/11/2024 Architecture: WINDOWS Score: 100 87 sni1gl.wpc.nucdn.net 2->87 89 scdn1f005.wpc.ad629.nucdn.net 2->89 91 geoplugin.net 2->91 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 15 other signatures 2->125 11 rem.exe 4 2->11         started        15 WinUpdate.exe 2->15         started        17 WinUpdate.exe 2->17         started        19 msedge.exe 2->19         started        signatures3 process4 file5 81 C:\Users\user\AppData\Local\...\rem.exe.log, ASCII 11->81 dropped 147 Contains functionality to bypass UAC (CMSTPLUA) 11->147 149 Contains functionalty to change the wallpaper 11->149 151 Contains functionality to steal Chrome passwords or cookies 11->151 155 4 other signatures 11->155 21 rem.exe 1 4 11->21         started        25 powershell.exe 23 11->25         started        27 rem.exe 11->27         started        29 rem.exe 11->29         started        153 Injects a PE file into a foreign processes 15->153 31 WinUpdate.exe 15->31         started        33 WinUpdate.exe 15->33         started        35 WinUpdate.exe 17->35         started        37 msedge.exe 19->37         started        40 2 other processes 19->40 signatures6 process7 dnsIp8 75 C:\Users\user\AppData\Local\...\WinUpdate.exe, PE32 21->75 dropped 77 C:\Users\...\WinUpdate.exe:Zone.Identifier, ASCII 21->77 dropped 127 Detected Remcos RAT 21->127 129 Creates autostart registry keys with suspicious names 21->129 42 WinUpdate.exe 4 21->42         started        131 Loading BitLocker PowerShell Module 25->131 45 conhost.exe 25->45         started        97 sb.scorecardresearch.com 18.165.220.57, 443, 49807 MIT-GATEWAYSUS United States 37->97 99 s-part-0035.t-0009.t-msedge.net 13.107.246.63, 443, 49708, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 37->99 101 14 other IPs or domains 37->101 79 C:\Users\user\AppData\Local\...\Cookies, SQLite 37->79 dropped file9 signatures10 process11 signatures12 139 Multi AV Scanner detection for dropped file 42->139 141 Attempt to bypass Chrome Application-Bound Encryption 42->141 143 Tries to steal Mail credentials (via file registry) 42->143 145 Adds a directory exclusion to Windows Defender 42->145 47 WinUpdate.exe 3 30 42->47         started        52 powershell.exe 23 42->52         started        process13 dnsIp14 103 45.138.48.25, 3333, 49703, 49705 ASDETUKhttpwwwheficedcomGB Germany 47->103 105 geoplugin.net 178.237.33.50, 49709, 80 ATOM86-ASATOM86NL Netherlands 47->105 107 127.0.0.1 unknown unknown 47->107 73 C:\ProgramData\WinUpdat\WinUpdat.dat, data 47->73 dropped 109 Detected Remcos RAT 47->109 111 Tries to harvest and steal browser information (history, passwords, etc) 47->111 113 Maps a DLL or memory area into another process 47->113 115 Installs a global keyboard hook 47->115 54 WinUpdate.exe 47->54         started        57 WinUpdate.exe 47->57         started        59 WinUpdate.exe 47->59         started        65 3 other processes 47->65 117 Loading BitLocker PowerShell Module 52->117 61 conhost.exe 52->61         started        63 WmiPrvSE.exe 52->63         started        file15 signatures16 process17 dnsIp18 133 Tries to steal Instant Messenger accounts or passwords 54->133 135 Tries to steal Mail credentials (via file / registry access) 54->135 137 Tries to harvest and steal browser information (history, passwords, etc) 57->137 83 192.168.2.7, 123, 138, 3333 unknown unknown 65->83 85 239.255.255.250 unknown Reserved 65->85 68 chrome.exe 65->68         started        71 msedge.exe 65->71         started        signatures19 process20 dnsIp21 93 googlehosted.l.googleusercontent.com 172.217.19.225, 443, 49740, 49779 GOOGLEUS United States 68->93 95 clients2.googleusercontent.com 68->95
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2024-11-27 16:15:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uy6cm6b55z53laffzrjgpjnt5bhosya3o5wxs4lvz7lqseitlj3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
3c313c19ce509197f848990ef3837d2fdf55ed5d9eb2ddf2f1cd9f35e41bd664
RemcosRAT
4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004
RemcosRAT
886699a7b1f864a18f767b1f3c95d860bced175c6e9bf2a5186119b698b5de23
RemcosRAT
b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec
RemcosRAT
b44d0c9a344be2637aca53e7b556241d5611f8e807fc053f6f134dfe11ebbfc2
RemcosRAT
b6331431d23acf4528527316a993890117bac208c604b054622efee21cbffcf5
RemcosRAT
error
RemcosRAT
+ 74 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:document collection credential_access discovery execution persistence rat spyware stealer
Link:
https://tria.ge/reports/241128-g4bhrsvlcj/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Remcos family
Malware Config
C2 Extraction:
45.138.48.25:3333
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/43c9cf03-daae-42b3-b25c-f35c688d1177
Unpacked files
SH256 hash:
6a9ebbb127188bd881d92c767a47805ff07dae928c98146650eb46a17ecd7384
MD5 hash:
673de77641ab78ffdb0904a3b4c505b1
SHA1 hash:
afb77f44a51fe83cb77e7f4e480831c4c2843432
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/66534c38-dc3d-45cd-b192-57ee445241a8/
Parent samples :
0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32
SH256 hash:
bb4b80b7673964cbfd6b67da8a057c8a219640e69fee383362e2f4693e02c0a7
MD5 hash:
5fbd911063bac988140232e3476b483a
SHA1 hash:
6f2fb6ce1a868d00c43bae6cd7a9947af47626a8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/66534c38-dc3d-45cd-b192-57ee445241a8/
SH256 hash:
d991fd32b60c1b9fd1437323396a88c9e29d00bd5730b6eec28a8a8d143af3c4
MD5 hash:
4a87795ce82f759e326a33dc03261d32
SHA1 hash:
126b213518ca376d8cb495d8097434a98a2da553
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/66534c38-dc3d-45cd-b192-57ee445241a8/
Parent samples :
868a520694e9477aeb67c350fb599752c94d5b541dcf14a334422b7b020e5d92
3420372e13d30995161a73ca1b87f59273f2e9986e6763b87527d91ed53df8ce
006caf81989c17e5473fcb3a5b1d6dcc586a6f85ef1feab122f051f125568931
9f7bbe4b657f8a881b586469be5915b8e677b5a9bc111a5296e90030c7ed0ffe
dda809f369a6369d2d26e75ff6cf321d2fe052f3eb0074f227065906bb2af531
a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
86cfac3955af9eb6cc14f7fdcffaf83be9b9240f9a87240886227108d36a3f53
e6d7aab1f11c4a43a5291bd51e4aad8deee26333be85454161f6f85660433c4a
679d4adfa31562efe8999c9cbe785be55016ae18b38c31d66afcf705cb74a0c1
e9be7f50bd810d3b8a459a54c2310b567dd7065cb52803306cc5e6132eb9e12f
20b88c89c50d71a77a0f2e1007a39cdb0b78f44c8507d3b492e8875a44861279
SH256 hash:
a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76
MD5 hash:
0f7e8e737582613d9ec805ea627bd1ff
SHA1 hash:
0a3aa2d8c65e2e03c900b8a148c1ad53f65289fd
Link:
https://www.unpac.me/results/66534c38-dc3d-45cd-b192-57ee445241a8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a63c26783dee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe a63c26783dee7bb580a5cc5267a5b3e84ee9601b776d797175cfd70911135a76

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3309928/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments