MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6
SHA3-384 hash: efbbd2f8d4c29218e9a2e0c2ff6749481a40141c82c99abfaef4d1f5d73f7395accb44fa719ffe35d30d919e275d9483
SHA1 hash: 7ac9ad6a60cc685b24f65ba7715c2a85387eff62
MD5 hash: 160c2784d173e7bb077ff0794a922488
humanhash: gee-magnesium-fourteen-hotel
File name:1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:493'056 bytes
First seen:2024-11-27 22:58:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e77512f955eaf60ccff45e02d69234de (138 x RemcosRAT)
ssdeep 12288:3uD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSl+DY:q09AfNIEYsunZvZ19Z2s
Threatray 81 similar samples on MalwareBazaar
TLSH T138A4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter abuse_ch
Tags:base64-decoded exe RemcosRAT


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
522
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded
Verdict:
Malicious activity
Analysis date:
2024-11-27 22:59:29 UTC
Tags:
rat remcos remote evasion
Link:
https://app.any.run/tasks/7474bb1d-2223-457e-aa3b-8a91116a3db8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Remcos-9841897-0
Create hunting rule

Win.Trojan.Remcos-10002580-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6747a5f3d0583382434b8993
Tags:
ransomware dropper remcos keylog
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Setting a keyboard event handler
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd crypto evasive exploit explorer fingerprint fingerprint keylogger lolbin microsoft_visual_cc packed rat remcos windows
Link:
https://www.filescan.io/uploads/6747a43b4759c792deb65b8c/reports/ecee4406-e1de-4ec2-8041-c5db88b32c68/overview
Verdict:
Malicious
Labled as:
Remcos.Generic
Link:
https://www.hybrid-analysis.com/sample/c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/761444f4-e8a8-4742-b1b4-bf825ed7676e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1564220
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-11-27 22:59:04 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypopbo4pdkkqn3afrqfxb4ztlybnh2oyhjpdv43qxel4bf7rsg3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0d4bf4e1a47fa2cfdb5cdc23d8a2b1552c1d82c307e1eec95297e62a478d2f2d
RemcosRAT
4d4b203f72413a42a31be62977b8a6508e7f04f9192913c432ab456b15fc3004
RemcosRAT
958e5d7947f48f2047ac3c595ee724a916c9969430731091ac1b9fcfaaf65d70
RemcosRAT
ae7dd99d6214b35fe4d225dd782ca41714ffd0b637d8db40fbb887e00807d288
RemcosRAT
b3a40331524394846d2782f1e52e1410ce1681283f8c715373bab73c84fa30ec
RemcosRAT
dcbcfe00290d92cfea7ff37d322cf80991016d6379888cdaf27451c6543a894c
RemcosRAT
error
RemcosRAT
+ 71 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery
Link:
https://tria.ge/reports/241127-2yc5mazrdn/
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Malware Config
C2 Extraction:
rxsas.duckdns.org:57870
Verdict:
Malicious
Tags:
rat remcos Win.Trojan.Remcos-9841897-0
YARA:
malware_windows_remcos_rat REMCOS_RAT_variants Remcos_Payload win_remcos_rat_unpacked Windows_Trojan_Remcos_b296e965 MAL_EXE_Remcos_RAT_Jul_22 Remcos
Link:
https://app.threat.zone/submission/3febe636-d040-4667-80e8-7b463c3965f1
Unpacked files
SH256 hash:
c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6
MD5 hash:
160c2784d173e7bb077ff0794a922488
SHA1 hash:
7ac9ad6a60cc685b24f65ba7715c2a85387eff62
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
Link:
https://www.unpac.me/results/0f4f56c6-c170-4cac-b07e-d647d320ead4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3dcf0bb8f1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639

RemcosRAT

Executable exe c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6

(this sample)

  
Dropped by
SHA256 fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639
  
Dropped by
MD5 92fced3da23cdf29654b439d2cfed130
  
URLhaus
https://urlhaus.abuse.ch/url/3309514/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipGetImageEncoders
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringA
WINMM.dll::mciSendStringW
WINMM.dll::PlaySoundW
WINMM.dll::waveInAddBuffer
WINMM.dll::waveInClose
WINMM.dll::waveInOpen
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindFirstVolumeW
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleOutputCP
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueA
KERNEL32.dll::QueryDosDeviceW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextA
ADVAPI32.dll::CryptGenRandom
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExA

Comments