MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
SHA3-384 hash: 46c642cb6624df5c080c06ce4bdeb87dd4ae5af02bbd883965dbbce85dfb0bc403832d437fcce7054ac9f7a652260cd0
SHA1 hash: 43df013242f0172059e8df21e29215b14c1837c9
MD5 hash: 1becaa0726bae1f669da8d39ac13509b
humanhash: item-east-iowa-sink
File name:HB23090003.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:601'600 bytes
First seen:2023-09-01 12:30:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a0157d3b2852cca44553b58241d89d57 (2 x RedLineStealer, 2 x Tofsee, 2 x Smoke Loader)
ssdeep 12288:kBkhRxDIusx/JyqVMdFYiUgam+XodmA+Ae+cgLUeL/:OkhbZsRJy8Md6iUNnX1RZgLHL/
Threatray 353 similar samples on MalwareBazaar
TLSH T196D45B4392E17D58EA258B729F1FCAFC770DF5B08E097BA932189E2B04B1176C263715
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1070c09030381000 (1 x RemcosRAT)
Reporter cocaman
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
HB23090003.exe
Verdict:
Malicious activity
Analysis date:
2023-09-01 12:31:40 UTC
Tags:
rat remcos remote keylogger
Link:
https://app.any.run/tasks/902c4a4b-5e42-4009-9f0c-4a73ce267fbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445604/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed remcos
Link:
https://www.filescan.io/uploads/64f1d988b3b7d7c782d25da9/reports/c368ea35-a5a2-419d-9a98-1a2e62042b99/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6b0e4713-da57-4560-989f-a3df4f806fc7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301590
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-09-01 10:48:35 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wlk6cutizmjqzgkrddqxv6qrtdfbsyckec4r6gihu7xrqiinwmhq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a1d374fc74a19fafd920caee9a08e1a999e633d098b8ed02aebf7ad9a66281a
RemcosRAT
50360abbc508d169cda7d1a79ad2032827b553f0b9ed82c7b1609d074c20a112
RemcosRAT
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
RemcosRAT
6d69abf704c0ac0c71d7d35cc0eaa5b0ba230b7538ee159ad415b06798143c33
RemcosRAT
846ae70abd97cfc15d14a0261e9c6c38643e071dddf73fafe3bc3e5d3769511b
RemcosRAT
8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5
RemcosRAT
9bf55d8f3b892e6b8706ec526eaa51cc8a1a727b45759494e2e388979a5708b8
RemcosRAT
e029bc85866faf62332458961316cf1561c335b06076936f9e1ae87cbc0a868e
RemcosRAT
f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
RemcosRAT
+ 343 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:working rat
Link:
https://tria.ge/reports/230901-pp2emsfa28/
Behaviour
Suspicious use of SetWindowsHookEx
Program crash
Remcos
Malware Config
C2 Extraction:
37.139.129.251:2404
Unpacked files
SH256 hash:
cbd1380b19ffce42a7b58bd7a4ab7aa6be358f1775917f161149dd5cfd5baf0f
MD5 hash:
c76c99c1ac8deae5a2cf041eec32b953
SHA1 hash:
f38ab0591a342658883fb561aab8aeee3e6735b6
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/8509009f-d313-46ad-a99d-b130e617f24b/
SH256 hash:
b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
MD5 hash:
1becaa0726bae1f669da8d39ac13509b
SHA1 hash:
43df013242f0172059e8df21e29215b14c1837c9
Link:
https://www.unpac.me/results/8509009f-d313-46ad-a99d-b130e617f24b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2d5e15268cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

7z 5450af8cdb916003b5ef00f39783067b58f165ce50417545d09934da358cc0c7

RemcosRAT

Executable exe b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5450af8cdb916003b5ef00f39783067b58f165ce50417545d09934da358cc0c7
Cape
Cape
https://www.capesandbox.com/analysis/445604/
  
Dropped by
MD5 9f2ee9d2c770b085c485c887c4ac66d1

Comments