MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0
SHA3-384 hash: 09c3ac37ce364838fb09e5bcc482b91e3852cb0bba6ff312d55b5b03406518dc7ee1ce03300b30a74f80e53ef931545a
SHA1 hash: 716135a18594c01c65b070882b84d6bfd86f4336
MD5 hash: dcf3ab79e1986e24e824fc92ae59b0ae
humanhash: cat-fruit-magnesium-juliet
File name:SecuriteInfo.com.W32.AIDetect.malware2.8771.22620
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:726'016 bytes
First seen:2022-07-09 06:40:36 UTC
Last seen:2022-07-11 07:17:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24e8fe5246bc3b8b27140febee755311 (3 x RemcosRAT)
ssdeep 12288:rHj7H0HXmY+XAx9c36I5Y7mhVGXc/tcm0LdJt5UCCj/BUN7W:rD4roJwXcVcmIdJt5Ij/BUh
Threatray 1'668 similar samples on MalwareBazaar
TLSH T1C7F49E12E2A284F6CC636B3CDD5B52ADD437BD202D2C688F6BE93CD85B35291351B253
TrID 42.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
29.1% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
16.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
7.5% (.OCX) Windows ActiveX control (116521/4/18)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
File icon (PE):PE icon
dhash icon c730d4c4c4d430c7 (4 x RemcosRAT, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
374
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285763/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.8771.22620.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24708/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62c9233f783441cda11ac222/reports/2573b708-6356-4bb6-8410-98dd98b0f564/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0517a7e-544c-4d20-b295-d771cbf2ecbf
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1027680
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 660175 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 09/07/2022 Architecture: WINDOWS Score: 100 30 www.simsekaluminyurn.com 2->30 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Remcos RAT 2->44 46 2 other signatures 2->46 7 SecuriteInfo.com.W32.AIDetect.malware2.8771.exe 1 17 2->7         started        12 Isprzvdzjn.exe 13 2->12         started        14 Isprzvdzjn.exe 2->14         started        signatures3 process4 dnsIp5 32 vervain.co.in 199.79.62.221, 443, 49739, 49741 PUBLIC-DOMAIN-REGISTRYUS United States 7->32 22 C:\Users\Public\Libraries\Isprzvdzjn.exe, PE32 7->22 dropped 24 C:\Users\...\Isprzvdzjn.exe:Zone.Identifier, ASCII 7->24 dropped 48 Writes to foreign memory regions 7->48 50 Creates a thread in another existing process (thread injection) 7->50 52 Injects a PE file into a foreign processes 7->52 16 logagent.exe 2 2 7->16         started        54 Multi AV Scanner detection for dropped file 12->54 56 Machine Learning detection for dropped file 12->56 20 logagent.exe 12->20         started        file6 signatures7 process8 dnsIp9 26 www.simsekaluminyurn.com 91.192.100.53, 2404, 49746, 49755 AS-SOFTPLUSCH Switzerland 16->26 28 192.168.2.1 unknown unknown 16->28 34 Contains functionality to steal Chrome passwords or cookies 16->34 36 Contains functionality to steal Firefox passwords or cookies 16->36 38 Delayed program exit found 16->38 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-09 01:28:23 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3kgey3jntxkwugiveeix46o33fndp2prwhukla3c5z7q56y4sqa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a7baae0933a14082beb95b1c5484dd958e333f7fc499f645c1d550d8ad124a1
RemcosRAT
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
8b759b06f4ac7b60429a8570e0faa36ac691fc03430f94cfae2bc6fcc1d0de63
RemcosRAT
bcc2e33d331dbe662d0d845f4210de0613e8b6bb91565ee41cc198ffb7024fcc
RemcosRAT
d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
RemcosRAT
db8a8a4bf1e1e63ef1bd27f8131dfeb14bca74e9d68605cf71e9eac5126baa48
RemcosRAT
+ 1'658 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:simsek-4-po persistence rat trojan
Link:
https://tria.ge/reports/220709-hfr2aafah9/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
www.simsekaluminyurn.com:2404
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/dde35c4b-a3f9-4a98-be59-2713d98e43ef/
SH256 hash:
b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0
MD5 hash:
dcf3ab79e1986e24e824fc92ae59b0ae
SHA1 hash:
716135a18594c01c65b070882b84d6bfd86f4336
Link:
https://www.unpac.me/results/dde35c4b-a3f9-4a98-be59-2713d98e43ef/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b6d46263696c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/b6d46263696ceeab50c8a9088bf3cedecad1bf4f8d8f452c1b1773f877d8e4a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285763/

Comments