MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4de787d10b719474c2276e98e3471e5791aaec733cdc7259fc73b95ff602d7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	b4de787d10b719474c2276e98e3471e5791aaec733cdc7259fc73b95ff602d7b
SHA3-384 hash:	5cc42f6f396c44b7c03ac386e32d04f1c3e3735290ec76baf9a0035c207dc36312b78abca5bc3eb60c4b96ce230a1f4b
SHA1 hash:	e1327c368948d4a2ca1a271ace18231a59b31f65
MD5 hash:	9d60cc8708f6f86365a5150cb4b28bc9
humanhash:	music-three-black-enemy
File name:	SecuriteInfo.com.Variant.Lazy.262626.1137.29884
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'236'416 bytes
First seen:	2022-11-16 05:40:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:zdfWyIwY55BKRB9BzZ5yLyjo167y6z3ue2JEKFhXnZAr0f/WgyY5+2+iJBoUrG5g:IwY55eB95koa1EKNnmoyYQWvoH+BMAf
Threatray	12'491 similar samples on MalwareBazaar
TLSH	T1F7A5BFD4EEEDB537C0D5827327602615BEF26D6527918FDA84B930AFF6E7807980E021
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	851a98b4909864c4 (58 x AgentTesla, 43 x Formbook, 34 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

SecuriteInfo.com.Variant.Lazy.262626.1137.29884

Verdict:

Malicious activity

Analysis date:

2022-11-16 05:42:40 UTC

Tags:

rat remcos

Link:

https://app.any.run/tasks/4752c635-17a3-4831-a1f5-6972000f5d05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/334643/

Detection(s):

SecuriteInfo.com.Variant.Lazy.262626.1137.29884.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637477f607c3f5e84a016144/reports/04eacca1-6192-4b87-acc3-03b2eda042d0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c522cbed-f1a0-44ff-8834-c4b5b0fae3e7

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1114522

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Detected Remcos RAT

Encrypted powershell cmdline option found

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4de787d10b719474c2276e98e3471e5791aaec733cdc7259fc73b95ff602d7b/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2022-11-16 00:44:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wtphq7iqw4muotbco3uy4ndr4v4rvlwhgpg4ojm7y45zl73afv5q._file

Verdict:

malicious

Label(s):

remcos

masslogger

RemcosRAT

15170d0dbe467efc4e38156ed4e03702ae19af44c100d7df7a75c6dbdb7ac587

RemcosRAT

34ff7d92c1c335d251ad12780ccc8fb3a10430fc20cfbb0ff55c40128ffe9a81

RemcosRAT

55f447e7b379e9332e0a455094ae5b45385f5ac2c2c1cc7234faa198f088e7c5

RemcosRAT

623b8e8bd35d6cd14fedbd4d4413a182c41ed764ce147ca3a8b479df4254883e

RemcosRAT

da2ecd61ea932ccab4bcfdeb3be25ad01a54765e5110ed47541ac29204276c83

RemcosRAT

+ 12'481 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:favour rat

Link:

https://tria.ge/reports/221116-gdfd2ahd34/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Remcos

Malware Config

C2 Extraction:

46.183.216.163:8107
127.0.0.1:8107
10.26.173.68:8107

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6b79f989-70af-4774-8f35-55c07279f377

Unpacked files

SH256 hash:

91582a69989acabd4e51b813aaae85bbe3a261d3bbdf9c5bec2dba43131d9429

MD5 hash:

5f0e9b1d7982234bbcf3b6d322273ea2

SHA1 hash:

3e93d0100c340f7a1d1cd61047af6389dce08971

Detections:

Remcos

win_remcos_auto

win_remcos_g0

Link:

https://www.unpac.me/results/344ded7b-f5e7-42d9-827f-a35c6cddf601/

Parent samples :

b7998afdd3784b6ef4128d34cc899377dd1c0457992b04ac71158cc3b6c9706c
df76218154f23a4c1c4dd04fe03fd8aa71b7a9952d77c1ac7cb0e6d944c7917f
b4de787d10b719474c2276e98e3471e5791aaec733cdc7259fc73b95ff602d7b
8af3401ca749e33217eca7aaeb904b7ef9d11ee8c4e1f28d884905c09ba66cbb
a760f8ab66668a69a921639dd9e44bf2bbac1084fd37ed1dc69b68e383c00253
c731fbba9859cc6b6d0f1cca4bce52221618c4f367b52d0c59e8fb9e4a321412
b1f20f0bdd4738cc508084689dfdc0897cb9f5d7f798d66542d22b78921c43ac

SH256 hash:

4855855b5b397b96faa343a87bcac10aadec05b054b3be9f3804fe62a2aba587

MD5 hash:

0d02f2e82c5beb0d3053a0a7d806c357

SHA1 hash:

15f3189bd5ffef15f2bc86a3e0138b7bc44d30a5

Link:

https://www.unpac.me/results/344ded7b-f5e7-42d9-827f-a35c6cddf601/

SH256 hash:

b4de787d10b719474c2276e98e3471e5791aaec733cdc7259fc73b95ff602d7b

MD5 hash:

9d60cc8708f6f86365a5150cb4b28bc9

SHA1 hash:

e1327c368948d4a2ca1a271ace18231a59b31f65

Link:

https://www.unpac.me/results/344ded7b-f5e7-42d9-827f-a35c6cddf601/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b4de787d10b7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4de787d10b719474c2276e98e3471e5791aaec733cdc7259fc73b95ff602d7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334643/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample