MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2
SHA3-384 hash:	ec17254403f3bf40993b1619480bae29aa7fa07afc4ad51f165cfd5a32657473547c46e2e45cbb962851e8f6cae5b533
SHA1 hash:	63ebb50416aceec61f76ff449722326935a50845
MD5 hash:	b5ab1547cf4885cf02c21788475d6fc7
humanhash:	kilo-grey-ten-mobile
File name:	b5ab1547cf4885cf02c21788475d6fc7.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	792'576 bytes
First seen:	2022-01-29 15:58:29 UTC
Last seen:	2022-01-29 17:44:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	08e6d2fa4c8e2c03d84de0dc6beecd41 (1 x RemcosRAT)
ssdeep	12288:l1kr9M3FoTt00zZDkRCwPw4euTkir7ZwwmLjnEiCHcFaLcpXAAAAAAAAAAAAAAAW:lAmG00zZDDw4dcTr7Z9KjRd
Threatray	1'668 similar samples on MalwareBazaar
TLSH	T124F49E52E6E08836F41B5F389C9F57B8A9297E013A48F98636E03D8E1F34351746BD93
File icon (PE):
dhash icon	48958834524ae410 (6 x RemcosRAT, 4 x DBatLoader, 3 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b5ab1547cf4885cf02c21788475d6fc7.exe

Verdict:

Malicious activity

Analysis date:

2022-01-29 16:01:49 UTC

Tags:

installer rat remcos keylogger

Link:

https://app.any.run/tasks/e53d8ed1-69fb-4397-96fd-975e09468cbb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/225808/

Detection(s):

SecuriteInfo.com.Variant.Zusy.413319.7922.15575.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5473/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe greyware keylogger

Link:

https://www.filescan.io/uploads/61f5644906e7677a1913e12b/reports/55e39afc-c997-46ac-8488-195cfaa7c5e1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2c441b9d-cc51-4a63-b502-a83dfc9c85fa

Result

Threat name:

Remcos

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/930175

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2022-01-29 15:58:57 UTC

File Type:

PE (Exe)

Extracted files:

100

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wbklbjqtscmjq2emhis6xq2v2htcfcledmiqh6sndxx3dqckvgra._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

41d511392fc1e9e37a96d7e0d1e2a947d3de3da299d1a0fab9f522b98e38b659

RemcosRAT

502f18997fa73c5af97c3f8f3cd7a8a12d7d648642bd238b4eb15c0457e879a1

RemcosRAT

75d58f5b4293ffc19d29586f96508fe473b3688503ab75a9fecf8b280af3b55a

RemcosRAT

8f1eefd14608fae865576d9f7a24be116eb9d8dcebf89c954e2e645b06174c4e

RemcosRAT

9f87aa938179953b88e6d47d4f2d07f82ec683a90ff0d77d8f50ad67ab55ad89

RemcosRAT

cd43f136f1d3221cd64fc792a37744dfa9656a9ea5889e52929275c05eb4e33b

RemcosRAT

ed78db064dfb4ae791498b2d08410a69bdad684ff709319d179c2383dd8e2f1c

RemcosRAT

f26f9e3fccab0e855f132f00715cfdbaa9efbbc923fc702961d826987d7c15aa

RemcosRAT

+ 1'658 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost persistence rat

Link:

https://tria.ge/reports/220129-te3xyadbfj/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

freelife.mywire.org:2404
freelife1.mywire.org:2404
freelife2.mywire.org:2404
freelife01.mywire.org:2404
freelife3.mywire.org:2404
freelife4.mywire.org:2404
freelife5.mywire.org:2404

Unpacked files

SH256 hash:

d56dcedfe9f4d0a030a551f94424ce1948fb419d114429019e2c0b769b7bfcf7

MD5 hash:

0c0de81954d7c4ac102c28514739efb7

SHA1 hash:

1820e2812b38be4bdbe40349d05e65c9f81f4a60

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/35a5bae2-5c02-481f-99c7-ba5878bb7d59/

Parent samples :

074991cefc03a7683cb3c81e83c383010f45c130fdc6dafa13469bfffaf87867
15697b64ded63ae55e1a224cb4309a49a9cc475ae98f0ddfa951804afc3ee32e
ac24ac478aaa88087714b8249c93d92d5edbc511bdb04c6b623479ed8fc6c8de
527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2
69142989b11074332c57d4f64b2ce684dbc998af67928c3f38a2f7a6b05644c0
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
aac09011a3c3e7adce5c2fa1672b428d6a565993641bf350dd65f8c0319dbfd8
09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92
fcdf1e07c91a675bb415f4406e709795964d3a177e6c6afc68437be8f6013d6a
8dcd0243ce72784ad2782b0021d6692133fe314cdd1cf7b44ded3ac7c04b36b0
b324d1babd989b4a671dff38634d8eaba21673730315b40f2005b28c4732a5b6
799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1
e576b18c7eb5581bb16e0e0f9e69b2f1462b491669a2a82d0fb6df7e55f7b3cc
1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90
3245f88de02600ae1053fa8260fa02a63e46bf9d8f50aeba8ceea66b7b6488a5
4877dd469af0e1ac31efa295325a3024d10abdc0a7eeaf74fe5b4eb9d0518bd9
c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a
09be7801c1d01256f48f6c72beb080dc5947487b3e54260a2d5b16ad127e5091
b1d4e3af02c434b479ff7305d57cb5d1e64a6411fe4cc5d5335cc4eb5e7cf8f4
568cfb6f770f6fbec1f18595bb78183e1fb5d2e7086f747230f2706ce29ed381
cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b
51673b1856a0e3342e6ecb4dabdddbeb84ae4323de1e1f8b9da92eab74cc2758
23d09e266528b3ffbd4fc656743303461b9c8a5780d02e28b666243406915401
a75badb1c9ed280cc239b0d7659799d31cf2c63c609667c69a0e5d9d06d53896
74d2b78e8ac7268cf8c0c1b97aa0ea37fde7945cd1867587f3c9de7a898d7f74
8b7ae9f195b075a789d6d8277d500d27754bfa3c53ecca8db7beac8ccd07884f
f677570815857242b83340d50410dfbc9da7d77b87dff3ce887b0cf47b16095e
0f93f8bfa92a0387d3076d636200ce5a4f474a1bfaf591d17c40111816c4de8b
5f079a7612eb05e8574d8604154ea233b8da905cc59ba6fbaa4485c99fc2933e
31fa37041b3f218ac8e44e16ae4bc549e962ce1cda58a1df870179ee94ed1753
60bf53eb4a1c93e2956fb3bb5f60a18579aeb270206ce6c4a3b32c6c4e9165d2
3de53b4ea3e4c8c8522ca9fc9d38a1556cf645298b0fe18c937b0f307dba129f
36d637499adcbc01c5783e66b5d9a2678426c7e8265087b8db47a002816d6fd4
2179647ebf96503deb5fae78827c5d99757f2926f0226cb5a6e4181e2f0c1a07
98e33ebe79b9c93602af7b79bb4f3f63c2f3c1417b1c41be6e814a9930e43b3e
faa817223ef389f3ee864d27cf1ec44f2c09b51686b0957cd344fe18e5144635
ee66580c236649c4fa02f530ea8c5bd2eecc290e46d5a562bae98858ba1bc893
ea222f4ca18d4bd57e605742a68c0f6b40436d9219700a75ade966e9488db34e
177b480007813a30ee6c8e267b76848fe9f66b11557eb3e7422e680b46368b03
aa38c8327df5d1755de504ea0eccf988a34c786d80f0becb3e99491527289089
edae9d57ca54a66ec71baef31fff690098c5196b44f1140f897f3bc02caeef1c
5c8973990d63bf969c6fca63d2856c35641d63774d3b362123059fbb5a74a578
be910ed7df930a3d74f01ac74e72f8c3ed89d791f29b731cb2076d632b6ce9cd
10b8fbcea2f59c78bdbf498297dbbe4c8156f80b371bf1bee8cedd196e911d27
a0c5d20304a9b2339bd9ed8ec0eca757bb7f69fecc7167857600cf4853f7b2c2

SH256 hash:

b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2

MD5 hash:

b5ab1547cf4885cf02c21788475d6fc7

SHA1 hash:

63ebb50416aceec61f76ff449722326935a50845

Link:

https://www.unpac.me/results/35a5bae2-5c02-481f-99c7-ba5878bb7d59/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b054b0a61390/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/225808/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample