MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3653e6517e48603a356a5978cdc1b210bd20e023146fd561c611c3b82c0736c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 17



SHA256 hash: c3653e6517e48603a356a5978cdc1b210bd20e023146fd561c611c3b82c0736c
SHA3-384 hash: 5d734b5ec94b2671da457b14dff1b84719f0752cc9c88979ea95e605b8187eba4b6f67f473273252f649e0e8a1d11e0a
SHA1 hash: 2b1f0ef04ee121819be9123109c9447879826b16
MD5 hash: d13a703bf3ddfd76e3044754c94dcad3
humanhash: minnesota-pasta-arkansas-april
File name: c3653e6517e48603a356a5978cdc1b210bd20e023146fd561c611c3b82c0736c
Signature: RemcosRAT
File size: 964'608 bytes
First seen: 2023-05-14 09:58:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:NLvXkGKkj3a9ELZjnLIm5Xx2XkW9BxbzSsCp8alWvGsa:9v/a9ELZjUoh0kW93CTWesa
Threatray: 351 similar samples on MalwareBazaar
TLSH: T15025232C2BACE106C5BF4F3DC8B2260583B65D15FA21D7BA1FC418A61D73704E9A1B97
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 4c3c6e6ce4a0c044 (5 x AgentTesla, 4 x Loki, 2 x SnakeKeylogger)
Reporter: petikvx
Tags: RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: c3653e6517e48603a356a5978cdc1b210bd20e023146fd561c611c3b82c0736c
Verdict: Malicious activity
Analysis date: 2023-05-14 10:12:27 UTC
Tags: remcos

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 865730; sample yu0mmlBx5W.exe; start date 14/05/2023; architecture WINDOWS; score 100):
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
Process gvvwDuPkX.exe (started)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 5 other signatures
    Child schtasks.exe (started) -> conhost.exe
    Child gvvwDuPkX.exe (started)
Process yu0mmlBx5W.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\gvvwDuPkX.exe (PE32); C:\Users\...\gvvwDuPkX.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp8B09.tmp (XML); C:\Users\user\AppData\...\yu0mmlBx5W.exe.log (CSV)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    Child yu0mmlBx5W.exe (started) -> network: 45.128.234.54:56932 (RACKTECHRU, United Kingdom); 127.0.0.1 (unknown)
    Child powershell.exe (started) -> conhost.exe
    Child powershell.exe (started) -> conhost.exe
    Child schtasks.exe (started) -> conhost.exe
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2023-04-04 04:02:04 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 28 of 37 (75.68%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost rat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
127.0.0.1:56932
45.128.234.54:56932
Unpacked files
Detections:
Remcos win_remcos_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.