MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
SHA3-384 hash: 652fad84706f73a8152e370cf1787b74b33dd1a464aec21d0824e3b57b0840de3a0e645eb7c461060f823ec4bb838b6c
SHA1 hash: 9955cde6556837bc877e596c5b206df39d060a00
MD5 hash: 065a6053492ecc989755413d4b9cffea
humanhash: muppet-mars-three-nuts
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'075'712 bytes
First seen:2024-12-17 19:36:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:60u2uOCjadxmISCQDJ8wovaxTFfJDe4Pu2:6euCfLQ5xTFd5
Threatray 177 similar samples on MalwareBazaar
TLSH T1E535DFD03B39B701DE78B934D536EDB852642E647014B9E3AEDD2B8776E8202AD1CF50
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 84b2a8a0e2dab28c (7 x Formbook, 2 x AgentTesla, 1 x RemcosRAT)
Reporter jstrosch
Tags:.NET exe MSIL RemcosRAT


Avatar
jstrosch
Found at hxxp://192.3.179[.]166/76/ecome.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
530
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-12-17 19:37:25 UTC
Tags:
remcos rat remote
Link:
https://app.any.run/tasks/d3951cfc-f9a4-43fa-bc40-217a30449568

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.19168.7565.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6761d3b5653a8698dfda4430
Tags:
micro shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected remcos vbnet
Link:
https://www.filescan.io/uploads/6761d2e18dcf4ce71442c8e4/reports/357ca58e-8bc7-45ef-b4e4-d5e704161d38/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50077ee0-d5b7-4c36-81ce-ed8c6c55c421
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1576998
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1576998 Sample: file.exe Startdate: 17/12/2024 Architecture: WINDOWS Score: 100 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 12 other signatures 2->49 7 file.exe 7 2->7         started        11 DcBNSgyxoJFip.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\DcBNSgyxoJFip.exe, PE32 7->33 dropped 35 C:\...\DcBNSgyxoJFip.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp1B5F.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->39 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Writes to foreign memory regions 7->53 55 Allocates memory in foreign processes 7->55 63 2 other signatures 7->63 13 MSBuild.exe 3 7->13         started        17 powershell.exe 23 7->17         started        19 schtasks.exe 1 7->19         started        57 Antivirus detection for dropped file 11->57 59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 21 MSBuild.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 107.173.4.16, 2560, 49711, 49713 AS-COLOCROSSINGUS United States 13->41 65 Contains functionality to bypass UAC (CMSTPLUA) 13->65 67 Detected Remcos RAT 13->67 69 Contains functionalty to change the wallpaper 13->69 73 4 other signatures 13->73 71 Loading BitLocker PowerShell Module 17->71 25 WmiPrvSE.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 23->31         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-12-17 19:37:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzp35ujgxydikqkemt4nddccaj6lwcoiqrsaynpciihznqgsktpq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
0b606f6d0ce44922bf456bee5e6e8acf1b343521b2d5d4c5838926cc0484e052
RemcosRAT
224c47ef077b428bd96989875e00573896c4f487f1ac78a6baa81e1741d7e5d5
RemcosRAT
b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec
RemcosRAT
e744e0aa890a2d9b5e6eed8403cb16f6098baee4a0529b1fabc0644ee4ba6b32
RemcosRAT
error
RemcosRAT
f389839a6216aea670545a89697ce85cc3a8c170961804cea96525c5ed1cb6e7
RemcosRAT
+ 167 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:elvis discovery execution rat
Link:
https://tria.ge/reports/241217-ybsd9awrbq/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Remcos
Remcos family
Malware Config
C2 Extraction:
107.173.4.16:2560
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3f3d46b2-3784-4b0f-9552-795f020ae652
Unpacked files
SH256 hash:
3bf51c6dfd03eae8e1924ca2f08b31186551a9944c5969a48db708590dd9d584
MD5 hash:
ae7b64be43f7c3a897d806cc8eb6832b
SHA1 hash:
ea51faabbeea6589c3b21571dc1e6aa61afbd2b7
Detections:
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/54bb33a6-6181-4d79-8183-38abf4241989/
SH256 hash:
117c984a4b6c0bc0d29ee3bee08babe51bf8e5e9288726974c200fd5ca58ed10
MD5 hash:
bc07fcf586482a89d878684072409c5a
SHA1 hash:
ca195505dd9659666eb029983f6e189ce316ae9e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/54bb33a6-6181-4d79-8183-38abf4241989/
Parent samples :
cc48dc4257bbcfcc07212d548808d7958be2e6e7db936ea8c255624ad5e47f82
fe1ea0347bf6d718b99d5f38c272ee7c44099185319df916ff44ff8ae1e139c3
168f3f67fdf19ef0a0afabb378ee803fb3cf1f822ad37ba51772bc96a58a83d0
7f3a6082c0ab2b881863c4dfe7328ef497155d2d962fa4a1976a5c26ec1d4e66
9ba87d90f707c080cc4833ab960ff76301f1615d19271d5f2749a2594eec7d12
36389326c697d43ecf27b181b4ec997ffc45aa8b1cdca0cca34db3d43075cccd
557e744afea416d8f74e7a997bcf0ce5acd0d86ef6b6f7c8b16e0d9f338d786d
4733c3841f338c4b95b5226678de7358eaf8604750ee3aa3c3d55ce829db11b3
525248e53005e0ec5a39b4aa00c2323e9f5be5a256ddd944707aba1b3dedba58
be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
63ff1a1be734e83c37ff7039e8b7a2b303a5e2df7b53ce2158a75c2e26d6906a
c01469ec1500b5bbb7ace40f1823b41e0965607d4fa54497f3dff82712c8070a
34ec90ccd81677a867a00f697ece5799cdbbfaf76556701353fe8fcdc3c674c1
80d7f00f11c5bb9b582383d9359d29f3fd77b83df68a4a56b813bd76aa08295a
e6e77931c83b25ca5e349b0c3a2ae39cab402ecfdde8a8507e10966da107f3b3
969b59611c12796080c4742d484f3a11a78c40ca44bccc4691cbe2bb8458c73b
d26c248791d7c1347e8e21257ad5522c1e47e26e054a59bc61a50133e5d180d6
e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
2cf5186fed58526d250443fecf2cbdfdc51f53797a944ffa586ea56d6b547b58
80639535a88aa7662bb05425e5c1c3520c7642da20a0feaed308fec754661e89
d5b6f53a68279ba7bd78158a4003e1ccb9b70cd4681627e34a1c4ec228c9f485
130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
2e31bfbc51607f142e0413db74ced776bb207448c052b9363250d2b93e718431
SH256 hash:
49cf3842606da451a5892a4206193ec3845f9a078dcdf57106b5198db9269241
MD5 hash:
22255784dd1a221c15086a58a20ef0a8
SHA1 hash:
96485ab0794efd4b26c7f21ff5d787c6312d5df9
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/54bb33a6-6181-4d79-8183-38abf4241989/
SH256 hash:
be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df
MD5 hash:
065a6053492ecc989755413d4b9cffea
SHA1 hash:
9955cde6556837bc877e596c5b206df39d060a00
Link:
https://www.unpac.me/results/54bb33a6-6181-4d79-8183-38abf4241989/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be5fbed126be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe be5fbed126be0685414464f8d18c42027cbb09c884640c35e2420f96c0d254df

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3353525/
  
URLhaus
https://urlhaus.abuse.ch/url/3352334/
  
URLhaus
https://urlhaus.abuse.ch/url/3353520/
  
URLhaus
https://urlhaus.abuse.ch/url/3352335/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments