MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3
SHA3-384 hash: aa048a487b3ea7eb8ba0230702dfaa4674bb16961640fdf8e98806fcc01a005a17d2d1dbf5aeddcc138445bc4c641d76
SHA1 hash: f740f806ede408b8692fbad6fbaa682b107b1146
MD5 hash: 7bc8c2521bcfbff7e6b904e2ca3edd15
humanhash: berlin-whiskey-juliet-low
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:557'618 bytes
First seen:2023-06-13 14:19:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29f80c0e4273b0a59832a8448f2ef8a1 (1 x DCRat, 1 x RemcosRAT)
ssdeep 12288:7xOiRcPy/8Y83Lt6xqpbxbUVJhlPq36NY7QjuaBW:7xO4a1LwANxbUV1q36SQiN
Threatray 863 similar samples on MalwareBazaar
TLSH T100C4122D2DB85E5AE0E4C3B584E57067B500EC2D3ADF9D1F25C62B1859B390729E322F
TrID 82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:34:40 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/2d48389e-0569-48ab-a16a-499e31b0a530

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398422/
Detection(s):
SecuriteInfo.com.Variant.Lazy.350119.23386.16079.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe lolbin overlay packed trickbot
Link:
https://www.filescan.io/uploads/64887b1a9f45f940f553d12f/reports/fef1602e-7ba4-4efe-b71d-61a13f5ef71a/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9013be9-61ce-4542-a9cc-4802f68970f1
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253774
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 14:20:10 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmjcyxnki4oc33q4ywhduy5tubn6pztlkl5kcvbkkkg5qhdc73jq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
RemcosRAT
4107b6df1884a4eb7aeabe55741c01e486ba0b4454c99caaec0ed647018a6125
RemcosRAT
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
RemcosRAT
64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47
RemcosRAT
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
RemcosRAT
b564ce75ebda7ddfe0c1be6becd119905c850c6703bb81af1d0ca8d8b9dcb86a
RemcosRAT
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
RemcosRAT
c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea
RemcosRAT
+ 853 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230613-rnfgwsge96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
127.0.0.1:2404
Unpacked files
SH256 hash:
a04f3475f9708b9e9f306c573602878c62e5454b8265e97eec11e4cd11f8fb62
MD5 hash:
335876ea4e1fb05e5ad28b29e67c4f3c
SHA1 hash:
34d9a1d7bdeae3005486925076f2ba0aaec3de65
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/be82cfcb-53e5-4a21-a5c0-4fbdf8b871ec/
SH256 hash:
ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3
MD5 hash:
7bc8c2521bcfbff7e6b904e2ca3edd15
SHA1 hash:
f740f806ede408b8692fbad6fbaa682b107b1146
Link:
https://www.unpac.me/results/be82cfcb-53e5-4a21-a5c0-4fbdf8b871ec/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab122c5daa47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.89
Link:
https://yomi.yoroi.company/submissions/ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398422/

Comments