MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea
SHA3-384 hash:	4c5a568e09deff13100aa9afcaae31037de7b9b8be20f1876711cf541de186ebc9c3f41496fc74df0db0600cd6cbb014
SHA1 hash:	6bc93c9e783ef25885c602a2ff9461517eaa7c74
MD5 hash:	2ed9f5fd57f0bd14d8b6a367bcc2e6c7
humanhash:	social-leopard-failed-spring
File name:	file
Download:	download sample
Signature	RemcosRAT Alert Create hunting rule
File size:	553'522 bytes
First seen:	2023-06-13 14:19:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	752f4f5e2214a73fbb6bae0fe7215eef (1 x RemcosRAT)
ssdeep	12288:DAijvnPy/8Y83Lt6xqpbxbUVJhlPq36NY7Qjua3j:DAq91LwANxbUV1q36SQiW
Threatray	60 similar samples on MalwareBazaar
TLSH	T173C4235D2E989C9CF1E443B51815B0A96A60BC50ABDF9E0F3AC42F2C6CF254B39F1647
TrID	82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	jstrosch
Tags:	exe RemcosRAT

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

281

Origin country :

US

Vendor Threat Intelligence

ANY.RUN remcos

Malware family:

remcos

Alert

Create hunting rule

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-13 14:34:21 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/bba5d338-454e-4d98-9f42-eafe632ae240

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Remcos

Detection:

Remcos

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/398419/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Ser.Jaik.2505.7642.17159.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Creating a file

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/64887b1708b287b7595b7663/reports/c4e07368-f733-4c25-bcdd-1e27ee28d605/overview

Hybrid Analysis Ransom_.29DBB5CE

Verdict:

Malicious

Labled as:

Ransom_.29DBB5CE

Link:

https://www.hybrid-analysis.com/sample/c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer REMCOS

Malware family:

REMCOS

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/042c9d6f-555e-4092-8fe1-c1cf340a17df

Joe Sandbox Remcos

Result

Threat name:

Remcos

Alert

Create hunting rule

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253777

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB remcos

Detection:

remcos

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea/

ReversingLabs TitaniumCloud Win32.Ransomware.Crypshed

Threat name:

Win32.Ransomware.Crypshed

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-13 14:20:09 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

17 of 23 (73.91%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zhu7jumul7e4xhnplnfheazkac5haqavjy76is7fg4p3w7ngsxva._file

Threatray remcos

Verdict:

malicious

Label(s):

remcos

Alert

Create hunting rule

Similar samples:

4107b6df1884a4eb7aeabe55741c01e486ba0b4454c99caaec0ed647018a6125

RemcosRAT

56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916

RemcosRAT

64eb3d68103cc47e6c3af8880d7cec9371cfd787a396ea0f3ac1418e0b80ff47

RemcosRAT

b564ce75ebda7ddfe0c1be6becd119905c850c6703bb81af1d0ca8d8b9dcb86a

RemcosRAT

bcaf8f9bb1cda543a06ef101b8f4ac8228360400ec35a2ef2fba27b372ba75e7

RemcosRAT

c06613844bf5641d98c53c9536a3103b686a3123b44a147046fad162a1f164e0

RemcosRAT

c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6

RemcosRAT

+ 50 additional samples on MalwareBazaar

Hatching Triage remcos

Result

Malware family:

remcos

Alert

Create hunting rule

Score:

  10/10

Tags:

family:remcos botnet:remotehost rat

Link:

https://tria.ge/reports/230613-rne65age93/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Remcos

Malware Config

C2 Extraction:

192.168.175.1:1800

UnpacMe win_remcos_auto

Unpacked files

SH256 hash:

403e2f96f6d58127e802c54862ac36991c691da1cdd53e0fb8a5204fa9132f8d

MD5 hash:

e70924d8786050c7f50bfbaa2a99fa11

SHA1 hash:

7b5d081169624693dbc6d24c86f5732e97b0e292

Detections:

win_remcos_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/f22fc122-781d-4304-97f9-35cfeae6f45c/

SH256 hash:

c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea

MD5 hash:

2ed9f5fd57f0bd14d8b6a367bcc2e6c7

SHA1 hash:

6bc93c9e783ef25885c602a2ff9461517eaa7c74

Link:

https://www.unpac.me/results/f22fc122-781d-4304-97f9-35cfeae6f45c/

VMRay Remcos

Malware family:

Remcos

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c9e9f4d1945f/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/398419/