MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282
SHA3-384 hash:	cd94eb9ae5feb1ddb8806e38d03e544770fdac16ae8e8d845558231de9b29fbb6a8c240386441b78bab1f0c0ddb39507
SHA1 hash:	63861052970ad9487c218406f1478190c6c9e51b
MD5 hash:	84b1cbc52fa9a20124dda922f7fc24b7
humanhash:	ten-mobile-network-mountain
File name:	file
Download:	download sample
Signature	RemcosRAT Alert Create hunting rule
File size:	664'626 bytes
First seen:	2023-06-13 14:19:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	084e3cbd11b9de5a5addaa5b312aaf94 (1 x RemcosRAT)
ssdeep	12288:c2a4jE4j44jJtUMTSshgft6gXN2bPnYj4dD2RIyeA/m2HaYOJaP:nRfLrYshKUe8fYj4tEmA/m2HaYAaP
Threatray	1'995 similar samples on MalwareBazaar
TLSH	T11EE4029467698ADAC54916B22CB3CDD90712FC189E2B121FFAE0677A1E70D346D37383
TrID	82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	72f0bcbceca4d86d (1 x RemcosRAT)
Reporter	jstrosch
Tags:	exe RemcosRAT

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

253

Origin country :

US

Vendor Threat Intelligence

ANY.RUN remcos

Malware family:

remcos

Alert

Create hunting rule

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-13 14:32:34 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/46d19b33-488c-4937-b9a1-6ec89dac2982

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Remcos

Detection:

Remcos

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/398424/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67259898.15700.3865.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Launching a process

Searching for synchronization primitives

DNS request

Launching the default Windows debugger (dwwin.exe)

Creating a file

Sending a custom TCP request

Unauthorized injection to a recently created process by context flags manipulation

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

evasive lolbin overlay packed remcos shell32.dll

Link:

https://www.filescan.io/uploads/64887b1c08b287b7595b766a/reports/897b8fc7-525b-4535-a373-357b084a6621/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer REMCOS

Malware family:

REMCOS

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ba35b2e-7ea2-4761-950a-15d64a7d3e54

Joe Sandbox Remcos

Result

Threat name:

Remcos

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253685

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282/

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-05-27 17:33:04 UTC

File Type:

PE (Exe)

Extracted files:

12

AV detection:

24 of 37 (64.86%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zaeetoeuobswvd4b4u46hctsi3qdfwkdmopdufqwcktnvk5xokba._file

Threatray remcos

Verdict:

malicious

Label(s):

remcos

Alert

Create hunting rule

Similar samples:

10889504234fe600c781aefe6ba0918e2e1d98a777f6e4e03da6d006a06bffb0

RemcosRAT

23b3b5a24a51826ddb55a28333f4bfb9455f891f946e7d71a8d1eb3bab1f02f2

RemcosRAT

2b4c534df5fe4c7ee7a402f384109cb60b54c7f301ef8644e7b1eba397d89f2b

RemcosRAT

30aa6ed4bf80553de2406b91601d215de6ea9f682af906e83c5e7773c8d13037

RemcosRAT

3d35655b8a265b213dba9d23a9542e024895cba4c18dbfb782cb844125c23654

RemcosRAT

6053c5c3a4202b8c2e6b2f176a99c980233f63024be06b67d3a30e2f0b4470f4

RemcosRAT

87216060e8612f76a973916a50c96b8066c2891b3d19e779cbe122019e48157a

RemcosRAT

b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e

RemcosRAT

cadf95355bd6ea18fdd3555ea3f85d102f40b3df0dc36b332f9ad8b505105f6e

RemcosRAT

+ 1'985 additional samples on MalwareBazaar

Hatching Triage remcos

Result

Malware family:

remcos

Alert

Create hunting rule

Score:

  10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230613-rnfsnage97/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

pops.mastercoa.co:39477

UnpacMe Remcos win_remcos_auto

Unpacked files

SH256 hash:

e4df412aae2d2ddc35618b80123f17425d8cbeff16d0665ecd6e5296e9ca939b

MD5 hash:

1283dad473d6ec8171c2020e1656da8a

SHA1 hash:

4123064d33aff232ca9db5d50ea3456aec70c628

Detections:

Remcos

Alert

Create hunting rule

win_remcos_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/6087b077-7a48-4bd7-a08d-2999d1313259/

Parent samples :

90920ec16dc530c71905b20801f4d443ddcadbcb1d2a5d0a957fc837169fa4b2
90a337ab1343d9a80a9d5bc97c004fb22ea4a9f562fd2c8ef65cf423738263cf
c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282

SH256 hash:

c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282

MD5 hash:

84b1cbc52fa9a20124dda922f7fc24b7

SHA1 hash:

63861052970ad9487c218406f1478190c6c9e51b

Link:

https://www.unpac.me/results/6087b077-7a48-4bd7-a08d-2999d1313259/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c80849b89470/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe c80849b89470656a8f81e539e38a7246e032d943639e3a161612a6daabb77282

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/398424/