MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 6 File information Comments

SHA256 hash:	ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3
SHA3-384 hash:	9896200364d385bdd66832dae66ece6ab22a162c68dbed4416a0f3ca1ee6cebb4dee692321f3a904385e3346abe74e69
SHA1 hash:	6ebf03699b16ceb2bd704f4c4dfa51a59e4305ce
MD5 hash:	f1092f888dc95a3afa0be98685184ba2
humanhash:	spaghetti-solar-nineteen-michigan
File name:	1st.bin
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	486'400 bytes
First seen:	2023-02-21 09:55:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b1c8f7572a6db205362528e88fd3ff32 (21 x RemcosRAT)
ssdeep	12288:PjdAK8wxqkXuxOqLXO3X2orpbKs/Z6jYBRq:pA3wxqkXuxOq+rpbRZ1
Threatray	2'678 similar samples on MalwareBazaar
TLSH	T108A4AE01BAC2C072D57524340D2AF735DABCBC212925597BB3EA1D5BFE70190A72A7B3
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	JAMESWT_WT
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

1st.bin

Verdict:

Malicious activity

Analysis date:

2023-02-21 09:57:10 UTC

Tags:

trojan rat remcos keylogger

Link:

https://app.any.run/tasks/0fc1663f-3f77-43a4-b834-0d19a9628d6d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/368583/

Detection(s):

Win.Trojan.Remcos-9841897-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Setting a keyboard event handler

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/71927/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe exploit explorer.exe fingerprint greyware keylogger rat remcos shell32.dll windows

Link:

https://www.filescan.io/uploads/63f495339dd875fc9126c8ef/reports/e303244b-6ef6-446e-b9d9-18da7c061a00/overview

Verdict:

Malicious

Labled as:

Remcos.Generic

Link:

https://www.hybrid-analysis.com/sample/ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c524edb7-bfe1-4f7b-aa81-1ba5decc7d26

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1179644

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Snort IDS alert for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2023-02-21 09:55:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 25 (92.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xikzydnuao56f4bhtvvhgnblqij632dy6btuajofpvz4jszdrxrq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

28894ebd9537959f6d45cb8f5cd21fcff66472820f5e8bcc6944276fa32c2623

RemcosRAT

4d8144373754035a1f2efa73853ee424d7f69bdd1b8c0cd97426d25733f00ed7

RemcosRAT

5ca676b334d8a3f4542877a696a7092b29dbdeddabcd70af2a80e5c8384a75b6

RemcosRAT

62f4359aef9d0d604c03c099da375debd0d98f20cf4f673a5a32bd64989076ca

RemcosRAT

71413583e55230a0a3a659cae17e5a23da5db0b660ed850b268c16680945995a

RemcosRAT

808bb32f710ae23d2a4b53b873f766bf56d905dbe8e51810edd15ff79538cd94

RemcosRAT

85072c1047d2354b40e07b8ad6628f86208fb392a56cd868b9d166f7f6b462c7

RemcosRAT

d1937bc0326abde4ce4a9f3cac4fac05de2926bfec9be2ea40200b9682bebe30

RemcosRAT

+ 2'668 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:newcomputers

Link:

https://tria.ge/reports/230221-lycabsed32/

Behaviour

Suspicious use of SetWindowsHookEx

Malware Config

C2 Extraction:

ezeife.kozow.com:2404

Unpacked files

SH256 hash:

ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3

MD5 hash:

f1092f888dc95a3afa0be98685184ba2

SHA1 hash:

6ebf03699b16ceb2bd704f4c4dfa51a59e4305ce

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/b49b2c8e-611d-4e3a-86a7-bfd89f4ce142/

Parent samples :

ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3
3881f76b58969b36b12b7f8f60c2593bdf2e8671fa355e806669cebe9514cb34

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ba159c0db403/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ba159c0db403bbe2f0279d6a73342b8213ede878f0674025c57d73c4cb238de3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368583/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample