MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1
SHA3-384 hash:	314daab5f5f10acecb7f49f8720a3018499adf1eb0dcca387f77391276bdf7bd325bbe3bc15bfb05658a966164ee22d1
SHA1 hash:	53efbf87967004e285096f52f43d12bebddb5c2b
MD5 hash:	2920f297246f9016c06fc29912848fbc
humanhash:	berlin-nebraska-fillet-single
File name:	Ziraat Bankası - LC-2257ITVA22001508 Referanslı Dosya Açılışı Hk..exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'127'424 bytes
First seen:	2022-10-24 12:24:43 UTC
Last seen:	2022-10-29 15:57:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:St1dGhj82NCYSRSA7dDBdQwhUclih4r4:782NCXTDBVlli
Threatray	2'282 similar samples on MalwareBazaar
TLSH	T16D35BE39275E4F07D0D9CE38A870D1F01BA69D7BB86E8B86C6C47CF779162A09A1C147
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	7e30585d27510101 (1 x RemcosRAT, 1 x AgentTesla, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe geo RAT RemcosRAT TUR ZiraatBank

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ziraat Bankası - LC-2257ITVA22001508 Referanslı Dosya Açılışı Hk..exe

Verdict:

No threats detected

Analysis date:

2022-10-24 12:30:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/18fbbac2-6c80-4d46-91f3-9a9c3118854b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/323392/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.738.13802.8737.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/288a6e41-bb4e-4237-b526-493b7959bce0

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1097041

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected AntiVM3

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-24 11:15:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 41 (58.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wj2chv76dy77tkvcjxoqeaktl56cz7jxelt6j7ykoh7srnsqjxaq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0773f517b40992fd3e6291eb906558588f1de9e3887bb2433f95bb4ea9f5904a

RemcosRAT

31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28

RemcosRAT

3e0bcdfffded9aaede7644824841490767cf472e2dafebdc04b090870853d8ac

RemcosRAT

788a6a0d67e10a4235043d0f12cc5841ab77bac0518842aea964e720318f674d

RemcosRAT

a4f1f9124305cce82a6b8c70ccde9b4d646103f5b320bd766ad53fcd5a19ff08

RemcosRAT

ad87f3ad6fb14d2b79d7b7aac1b38bc04fd20757460da0f02cac139408df9969

RemcosRAT

c751eef24ba7492781e43c5034f1175ec098ebc72602e68822fd4c09cac0b9bb

RemcosRAT

da780e7f18a59bf4184769099656b951986ff9915e684a7d9c063f471f4f6876

RemcosRAT

+ 2'272 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221024-pllvsagdg4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

303f0d6773074f1d8e7b350b5ca9a6696f38aed4b768c04d66da93e6e1030bd4

MD5 hash:

92d12d86adc90660fe237937666431a7

SHA1 hash:

fc0da306ca5a9d6b11fb8e5ef3e228182f802649

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/652dc9ea-a864-4832-8257-1a9521133ec1/

Parent samples :

35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b
b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1
12050271ba333bbc55aca8540cb433b317c8b043fcc4f49e2013706f03834851
a5e3a5a5abe4d46785deadb6630c0df664155bc61400ccec33881adbee9604d7
a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa
ce371c5ca3163e9bbd957b31ad7aee83a7c3a467188968340d28a52cf2be0b40
c6c950ca8ee414fcb5d1d28227799a1eec9a277f73c7eb0403052563a9f80468
e395bd1544cb6f8eeacdaed668d95be91d479734a2aabe4b2c3e7b2ec5d0d316
a4ff98fa6eba586e41aa9004c4d97d16568fb6a8745a172f96d7a1188fbb0b0d

SH256 hash:

3ba16a92b2b40d38c6e5e30f882a4c60b3838611868d990b7d986eb4018c17cb

MD5 hash:

16d6f358cc62b12dc869da8a59b03eda

SHA1 hash:

5eaf3662fbd4193086df2ba7233e9652542be8a3

Link:

https://www.unpac.me/results/652dc9ea-a864-4832-8257-1a9521133ec1/

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/652dc9ea-a864-4832-8257-1a9521133ec1/

SH256 hash:

b2c323ae7499643aa0d13148d970cbc0b10d6f6f09b2d5e65e85ffcac2dc1d73

MD5 hash:

8f1ebc9fc6887fc5962c524b413c3ff9

SHA1 hash:

3a6a10b79cf1ed67342c5c1da162307eb1348b6c

Link:

https://www.unpac.me/results/652dc9ea-a864-4832-8257-1a9521133ec1/

SH256 hash:

57cabb76700ad99b151bf5dddf85ea4ede798a4cae418bcd79b8c0ed4bb20a74

MD5 hash:

8d886c55fe979138cf21f5c212ce705c

SHA1 hash:

024bca6f1c9e4da8e3f86d8db5bf905a7c1afa47

Link:

https://www.unpac.me/results/652dc9ea-a864-4832-8257-1a9521133ec1/

SH256 hash:

b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1

MD5 hash:

2920f297246f9016c06fc29912848fbc

SHA1 hash:

53efbf87967004e285096f52f43d12bebddb5c2b

Link:

https://www.unpac.me/results/652dc9ea-a864-4832-8257-1a9521133ec1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/323392/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample