MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 11 File information Comments

SHA256 hash:	b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7
SHA3-384 hash:	2001b255151ffbcd5ff395c73bd53c37a6594628d46ba11c2128bd68229c3309cad38bbf2c4c0d1c0d46fccc04ab14a0
SHA1 hash:	387312f70d7bd53a4ab5a779a38d125d731323cc
MD5 hash:	caad5e1ae920d351c2521be2dc5f22fc
humanhash:	early-vermont-washington-whiskey
File name:	845c3ba76768948ab3df490599f02d060cd464c6251e16e7847d53707254ee46_dump.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	94'208 bytes
First seen:	2024-06-23 12:07:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d3a62971944197f0701c7049a9c739d1 (60 x RemcosRAT)
ssdeep	1536:IhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP66rA:OhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+q
TLSH	T1FF93C813FA4AD0B2E46591F146426F31CEBCBC3736492173D38FCA419D79892D416EAE
TrID	33.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 14.0% (.SCR) Windows screen saver (13097/50/3) 11.2% (.EXE) Win64 Executable (generic) (10523/12/4) 7.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	989894b49c9494f0 (43 x RemcosRAT)
Reporter	ukycircle
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

421

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7.exe

Verdict:

Malicious activity

Analysis date:

2024-06-23 12:08:53 UTC

Tags:

rat remcos remote

Link:

https://app.any.run/tasks/639c19ec-e830-49f8-b6ba-ec60edb31336

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Azden-7587127-0

Win.Malware.Rescoms-6598304-0

Win.Malware.Zusy-6832224-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6678102333f13d42068c6970win7simulatehigh_evasion

Tags:

Generic Stealth Remcos

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Setting a keyboard event handler

Creating a file in the %AppData% subdirectories

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm epmicrosoft_visual_cc evasive evasive eventvwr explorer fingerprint hook keylogger lolbin microsoft_visual_cc remcos shell32

Link:

https://www.filescan.io/uploads/667810229fd5f9d5921069f1/reports/fc38f5f5-22d0-4023-b0bc-6cdc8e3bbb85/overview

Verdict:

Malicious

Labled as:

Trojan.Agent

Link:

https://www.hybrid-analysis.com/sample/b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7d8849b-a645-43d2-b9c6-85c18a441181

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1461254

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Found malware configuration

Found stalling execution ending in API Sleep call

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7/

Threat name:

Win32.Backdoor.Rescoms

Status:

Malicious

First seen:

2024-06-23 12:08:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w5vis3epv6gkfdspb3gosht2miwd5kezt4tvaowj6rxasvbme33q._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:banksy

Link:

https://tria.ge/reports/240623-pavzbazbre/

Behaviour

Suspicious use of SetWindowsHookEx

Malware Config

C2 Extraction:

62.102.148.166:3319

Unpacked files

SH256 hash:

b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7

MD5 hash:

caad5e1ae920d351c2521be2dc5f22fc

SHA1 hash:

387312f70d7bd53a4ab5a779a38d125d731323cc

Detections:

Remcos

win_remcos_auto

win_remcos_g0

Remcos

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Link:

https://www.unpac.me/results/06d73fb1-aedf-4982-9c2a-ee001c079f49/

Parent samples :

33cc55fef11d691d7728275b1e7dfc61520cef61bb0035de7dfb8e648f086f50
43281415b361da4215bb7a4a0a950b2c95c2d772f315d451088ffd53480de73f
7d7cf9b0a09e74a8a10b23b2265a31b41b0f017f18c965987ac47acebac15268
845c3ba76768948ab3df490599f02d060cd464c6251e16e7847d53707254ee46
b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7
253ae6027d114caeb26331508c9c916b54fe3561faf46679c06c48dad8860cac
d21d0451a7a8b112776118d88154bf7eab2703b13bf6ae1dcaec2f959bf42305
86329825eaf86f08f84bfc3ddd8870b5c05f47a43aba3695eea5ca4c7a0ee00b

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b76a896c8faf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b76a896c8faf8ca28e4f0ecce91e7a622c3ea8999f27503ac9f46e09542c26f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Remcos_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Generic_Threat_994f2330 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipAlloc
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::waveInAddBuffer WINMM.dll::waveInClose WINMM.dll::waveInOpen WINMM.dll::waveInPrepareHeader WINMM.dll::waveInStart WINMM.dll::waveInStop
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA SHELL32.dll::ShellExecuteExA SHELL32.dll::ShellExecuteW
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::URLDownloadToFileA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec KERNEL32.dll::AllocConsole
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::DeleteFileA KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryInfoKeyA ADVAPI32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowA USER32.dll::OpenClipboard USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample