MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27
SHA3-384 hash: d9af6854f41324baa6977a47592afbe9f0135947b4de3fcc8b570ce2db75e0682fc22653c8cd5344ea9456587167a4e2
SHA1 hash: 4b5fc334afe2eb333f72fb7a7c84c81496c4ff1b
MD5 hash: fe7b14ca4f21d3a8e7dd188c25f347b7
humanhash: oklahoma-cold-apart-early
File name:fe7b14ca4f21d3a8e7dd188c25f347b7
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:620'082 bytes
First seen:2023-06-13 10:38:41 UTC
Last seen:2023-06-13 11:58:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 99f47294d1e2f8b32ac2a7da095da450 (1 x RemcosRAT)
ssdeep 12288:4iSl9ETT0a58OBHqW2BpKTMONVbg2PO/XkFl:4RaX58Oxq3KYOUcO/Xkf
Threatray 1'979 similar samples on MalwareBazaar
TLSH T1C9D4022E2DB48D55E4C4CBB154E2B463B464BC2D26DF5C2FB1C7BB6816B6A03119322F
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
fe7b14ca4f21d3a8e7dd188c25f347b7
Verdict:
Malicious activity
Analysis date:
2023-06-13 10:39:16 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/bb9a792b-37be-4df5-b85c-8e4dde1ba5e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398242/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6488474c75982cb51ad5c97f/reports/ea9bdc9c-b88d-47ee-93e5-ae5fceb863a1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/763c63ce-afaf-4ca1-b866-3bfbe69fb203
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253532
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 10:39:08 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxfdjolgkso75yniesvwixdgwfzbpkw5utgovfttdoglbt5qhitq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3e6ec18ecee467ac76807198be9c02531fd7091545056260ef164354846e59a6
RemcosRAT
3f07585c2ab00f3f8cb68b6c3a461c0b267c52531a5bca15d59a6cad1cbbc6f7
RemcosRAT
58fb573c639d62595f7d87b34b86ad790e1031308953aeeaa7598aa690aa7731
RemcosRAT
6e3cf5c7cccc4369fbed86c4de5bb59d7bb40c1ced10cab8b0bc733299d45ea1
RemcosRAT
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
RemcosRAT
aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219
RemcosRAT
af4302878827cd62e91d7f42d963b213f4dbb220b28148f86f63a799666b1931
RemcosRAT
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
RemcosRAT
c1ccc7e57074fb432d2de187fca944ac480e5b2ad68ad7cc52388e3381990396
RemcosRAT
ea2f8aca010aba1f0ebb0b5af2de53b2a4106d5feb147f34e0a8e615eccd77c1
RemcosRAT
+ 1'969 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:layouts rat
Link:
https://tria.ge/reports/230613-mpyyeafg79/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
datbuggy.servepics.com:58003
Unpacked files
SH256 hash:
5f65e6dce916f151f57210ee20f0a1d6b3c8375f372feb2cb84f7e02405eee4e
MD5 hash:
4c027072ca5148d77ee9dcd78f97b3e7
SHA1 hash:
a1f0bc2e10725147111de815b2e52d07d1341486
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/738e72ea-7897-4649-92e2-f0618580e894/
SH256 hash:
b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27
MD5 hash:
fe7b14ca4f21d3a8e7dd188c25f347b7
SHA1 hash:
4b5fc334afe2eb333f72fb7a7c84c81496c4ff1b
Link:
https://www.unpac.me/results/738e72ea-7897-4649-92e2-f0618580e894/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5ca34b96654/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2659038/
Cape
Cape
https://www.capesandbox.com/analysis/398242/

Comments


Avatar
zbet commented on 2023-06-13 10:38:42 UTC

url : hxxp://51.79.49.73/crc/d.exe