MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8
SHA3-384 hash:	6bc650aef16bb1a77550c3b8c36c8f16b7153661a7c8304353ce9dd4e5bf9b2d7efdf12d8cc89465159f96c6b7dca491
SHA1 hash:	876a7dac1cf8b3e2df468c83f09ec872ce6959d4
MD5 hash:	b4dbee524d43c3c34067a06c1369ca4a
humanhash:	wyoming-papa-stairway-victor
File name:	GHA000900098790000.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'565'696 bytes
First seen:	2024-01-31 11:11:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8alKfrTa6w1qOoxQLSE:VTvC/MTQYxsWR7al4Tjw4FQLS
Threatray	2'128 similar samples on MalwareBazaar
TLSH	T1FA75590322818312EE5E9DF23AD6A2534EF95DD6012297DE035C3F6DAB3FD6103E9652
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	31f098929698f031 (2 x AgentTesla, 1 x RedLineStealer, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/473795/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit fingerprint keylogger lolbin packed shell32

Link:

https://www.filescan.io/uploads/65ba2b127ddeff640e475306/reports/064ba90f-cac6-493b-931f-778e35e29bde/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/3cff5532-3964-481d-a1e9-145aa0900b32

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1384014

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2023-12-26 05:12:22 UTC

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xzmja4stw2bjt75kpv53secod6vcm4o523qy6s2teyktpck4q7ua._file

Verdict:

malicious

RemcosRAT

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1

RemcosRAT

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711

RemcosRAT

a79b66630563a29a21dd21531e3e605d801eb2fb821522b6b9815dc8f269a7aa

RemcosRAT

b9f69c03f5d2f0190f98375d442160b4bf00071f5f4845a1152299c0430f8744

RemcosRAT

c70ba8369d587d514b1b6a783708af9fd8b9f3fd08f4db7dd21d1e81f2136516

RemcosRAT

fc68214ae21bb693cb4dd555bc8eb14fec2d9086da96edbcf8e13bf825c41bce

RemcosRAT

+ 2'118 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240131-nav4mscfep/

Unpacked files

SH256 hash:

a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946

MD5 hash:

2ba2baa0a9f2917074f70a50f10ddee9

SHA1 hash:

5e32eb53c8ff82ef5dfe9fa41158af2c131998e4

Detections:

Remcos

win_remcos_w0

win_remcos_auto

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

win_remcos_rat_unpacked

Link:

https://www.unpac.me/results/2344ed00-bfb6-469a-9281-dbeafaa3f9d8/

Parent samples :

a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946
85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
1862317879e1cfcaff8a4c2355f8d88b0911a4c848773f54bcb82c48f20480e6
62bfc227410b8cc5e8a3f6b6a7344e9ce2a91481278c7d0d2afae8ea3eb095ce
7cfbfe371912b59dec9a22cb39790c9f94774124ac786b48d493ec46830a0c1c
f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a
be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8
449ecf2471ec8a48d115b252928053edc56f2bbf622a88db78274bdf3cc574ac

SH256 hash:

be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8

MD5 hash:

b4dbee524d43c3c34067a06c1369ca4a

SHA1 hash:

876a7dac1cf8b3e2df468c83f09ec872ce6959d4

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/2344ed00-bfb6-469a-9281-dbeafaa3f9d8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/473795/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample