MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb
SHA3-384 hash: 9f4bfe8d52ef93634b50f9bfd4b768deae740913574f851882da182714af1430e2ad3d100b645deed24bae996664cf74
SHA1 hash: 0abf9fd7d92882306a50a5090769eef686240f16
MD5 hash: 5920eceac3f06f57c51c31556ea93c05
humanhash: artist-indigo-burger-lima
File name:zapytanie.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:503'808 bytes
First seen:2023-09-07 07:19:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5b70e22276decc41f732fe8162e7fe0 (2 x RemcosRAT, 1 x MarsStealer, 1 x Smoke Loader)
ssdeep 12288:HPE3oqyhqQk3d2jKru7FNuR9GxspK2BK:HPEYqyTkmfFNu2xqX
Threatray 7 similar samples on MalwareBazaar
TLSH T1E5B4F112B691C036E1532934597186655A3BFCF29F656ACB3BE43E3E6E713D08A3070B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4ccccccd4c0f4 (1 x RemcosRAT)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
zapytanie.exe
Verdict:
Malicious activity
Analysis date:
2023-09-07 07:22:00 UTC
Tags:
rat remcos keylogger remote
Link:
https://app.any.run/tasks/31c7fbf8-baac-4703-a0bf-3e1fe46ab4d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446902/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.29919.2100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin packed remcos shell32
Link:
https://www.filescan.io/uploads/64f979a34578d9c35e0599b7/reports/8e45ed1e-4e68-4516-8dc4-7a21ef9d02e2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c255b8ef-deec-4875-bc56-c840a8dbe5f7
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305024
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305024 Sample: zapytanie.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 7 other signatures 2->43 6 remcos.exe 3 4 2->6         started        11 zapytanie.exe 2 4 2->11         started        13 remcos.exe 2->13         started        process3 dnsIp4 35 37.139.129.251, 2404, 49743, 49748 LVLT-10753US Germany 6->35 31 C:\ProgramData\Remcos\logs.dat, data 6->31 dropped 45 Multi AV Scanner detection for dropped file 6->45 47 Contains functionality to bypass UAC (CMSTPLUA) 6->47 49 Detected unpacking (changes PE section rights) 6->49 57 4 other signatures 6->57 15 conhost.exe 6->15         started        17 WerFault.exe 6->17         started        19 WerFault.exe 6->19         started        27 4 other processes 6->27 33 C:\ProgramData\Remcos\remcos.exe, PE32 11->33 dropped 51 Detected unpacking (overwrites its own PE header) 11->51 53 Creates autostart registry keys with suspicious names 11->53 55 Contains functionality to steal Chrome passwords or cookies 11->55 21 WerFault.exe 9 11->21         started        23 WerFault.exe 9 11->23         started        25 WerFault.exe 9 11->25         started        29 5 other processes 11->29 file5 signatures6 process7
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 06:48:49 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xllny2k6zeivl67vjdkd4mbzyg3jjwziygtrhoa6zqwvsz2ggxfq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
456f09b71ed09cbc590f6a3b8d5aacc7f0fb94521d8b19b80d2a201e5f73b5a0
RemcosRAT
55eebc888e9151e28295587ff7c12c40f8b7ae5f23d29bac79c6444277940a6a
RemcosRAT
67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66
RemcosRAT
846ae70abd97cfc15d14a0261e9c6c38643e071dddf73fafe3bc3e5d3769511b
RemcosRAT
b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f
RemcosRAT
b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:livingthing persistence rat
Link:
https://tria.ge/reports/230907-h54flsfc81/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
37.139.129.251:2404
Unpacked files
SH256 hash:
33b812ec176ab47f34dfacdc8598190bb5d3fa72b0a29359c6bd30c1d99268f7
MD5 hash:
e6b82980817f39849f57db79815a241b
SHA1 hash:
1dbd195256b05a42dcdc03de71c62c67c90d7c4f
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/fd5fbbd0-aef5-4655-bed8-628e9c6fa02a/
SH256 hash:
bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb
MD5 hash:
5920eceac3f06f57c51c31556ea93c05
SHA1 hash:
0abf9fd7d92882306a50a5090769eef686240f16
Link:
https://www.unpac.me/results/fd5fbbd0-aef5-4655-bed8-628e9c6fa02a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bad6dc695ec9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446902/

Comments