MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f
SHA3-384 hash: 09dde4c3886439038246b84b53da3aa1fc27ebce3f096698655612682f86abe8840da4c94eaa2eb4312831cf33bbb1bb
SHA1 hash: 1ad9e9761fd6935c0cf5048c9615d0383baac48e
MD5 hash: da9534900ee0d11c9b30cf33152ea03c
humanhash: mexico-september-batman-comet
File name:da9534900ee0d11c9b30cf33152ea03c
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:721'920 bytes
First seen:2023-07-19 07:41:13 UTC
Last seen:2023-08-25 17:28:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:k8/HoptmKv8x10D+dHr73q/6pd7UB5k6d5EK7IS5SE/84a:1x1eML76ypZ/6d5bSIO
Threatray 2'263 similar samples on MalwareBazaar
TLSH T136E49C6F9DD06AAACD9089F4FD609474DFBD1C1B13C1D94CE8AA79CB793F8085242E12
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 90e4c8d8dcdcdca2 (1 x CoinMiner, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
da9534900ee0d11c9b30cf33152ea03c
Verdict:
Malicious activity
Analysis date:
2023-07-19 07:44:11 UTC
Tags:
keylogger remcos rat
Link:
https://app.any.run/tasks/9fb6f5af-dc4b-4292-af04-3185ad4f7439

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/424519/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68242337.20401.3632.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msbuild packed remcos
Link:
https://www.filescan.io/uploads/64b793cb8ca71f19e08939b5/reports/51a677ef-ad6a-4319-8690-23034bd230c0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aedde20f-c947-4ad3-b502-5b188757f373
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275749
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 14:34:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsibx5mif4kotydsgw4erc3epg2fdgw53jw37oeri5abyhu6nzhq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f611b87697a816d5b37f745fa94c89315327ba3458c190fe41efd891ccd5196
RemcosRAT
4b402fc22d549d386739470a310d2b3df617cea9667d950fe26fd58f49cd89e4
RemcosRAT
4fa02ec602055dfbdb1d639b3d265d8f7b20d6cd328fdb62dd77b7a1aad5829a
RemcosRAT
9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
RemcosRAT
af4302878827cd62e91d7f42d963b213f4dbb220b28148f86f63a799666b1931
RemcosRAT
b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27
RemcosRAT
be40fed3aab989152192cb8feeb5d77a880c6bd65b525af2231e53e09f650c8a
RemcosRAT
f7ecefbcf3572d8b3f40ab5c23b1a62366bb8d49b603b3d54e4b46bcd6779eee
RemcosRAT
+ 2'253 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/230719-jktaksge86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
91.192.100.10:11010
Unpacked files
SH256 hash:
7ad35b6eaf1881aa5c1711b9388a6d6c33fd269ced398553b79bdb725f4a80e7
MD5 hash:
2d8587f24d31d93d8435d13f8dcfd560
SHA1 hash:
b6fb9b0e6cf985daa47f8cade7c4c718f0edafb9
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f262d494-1d12-431d-9f60-6ae4e1a453de/
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/f262d494-1d12-431d-9f60-6ae4e1a453de/
SH256 hash:
ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f
MD5 hash:
da9534900ee0d11c9b30cf33152ea03c
SHA1 hash:
1ad9e9761fd6935c0cf5048c9615d0383baac48e
Link:
https://www.unpac.me/results/f262d494-1d12-431d-9f60-6ae4e1a453de/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac901bf5882f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:pe_imphash
Create hunting rule
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ac901bf5882f14e9e07235b8488b6479b4519addda6dbfb89147401c1e9e6e4f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2685671/
Cape
Cape
https://www.capesandbox.com/analysis/424519/

Comments


Avatar
zbet commented on 2023-07-19 07:41:14 UTC

url : hxxp://84.54.50.31/Ari/choileety.exe