MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 19

Intelligence 19 IOCs YARA 5 File information Comments

SHA256 hash:	ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10
SHA3-384 hash:	3bb0fc30e0b8ed7ae179773745d9eb68086ad61b1bdc33a7f448bd6569b1525dbf986613513fcfbb22e29e42670cd718
SHA1 hash:	fca2d7afc64421910ad1c256fb634f32b00ef27b
MD5 hash:	cd5155b600fbc02c51b13b11df931b55
humanhash:	july-nuts-ten-west
File name:	scan_copy -account details.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	557'568 bytes
First seen:	2024-08-09 06:55:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:b+Y1A81D6cl2xhDIM1M9QFbTLcQHrl22yaOSBig:b+YW8FCdR1y8LLyaJ
Threatray	17 similar samples on MalwareBazaar
TLSH	T155C4234577E695A1CC8FA9BCE52736561F55D82672E3A30F2A74332F0C223DE2139A07
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	00be8323b233bac0 (79 x AgentTesla, 11 x Loki, 9 x DarkCloud)
Reporter	abuse_ch
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

360

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

scan_copy -account details.exe

Verdict:

Malicious activity

Analysis date:

2024-08-09 07:34:34 UTC

Tags:

rat remcos remote stealer mpress

Link:

https://app.any.run/tasks/4ac4ffde-b0bb-42e3-a61d-4d9956a9ff34

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Malware.PDB-71.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66b5bd94aa5b40be0a9fe58c

Tags:

Static Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Creating a file in the %temp% directory

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto_obfuscator_for_net infostealer obfuscated packed packed remcos

Link:

https://www.filescan.io/uploads/66b5bd8f36999766d46e50a4/reports/691fdd7a-8bf0-4ce6-b3b3-b3df46f997d3/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb52bb19-5245-444f-8b05-56daeae96715

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1490417

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Suspicious

First seen:

2024-08-02 12:27:16 UTC

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ztllfjvjivmnpdkgsvjwl4654zlcgapx4o7hy6bbkipivyolf4ia._file

Verdict:

malicious

RemcosRAT

39c096e77e2ce57c75d07b577dbf5899b5e883a3d3435a0a3d0313a52718496a

RemcosRAT

526e3c918055d2bb13e27041204ac2caf34b650f0509ce7518bb9b524081e637

RemcosRAT

8dd2823b8343b3b64877355cb6b2b9f88d06b4dd586641fde317c592259b99ca

RemcosRAT

b360fa8c3d75aea26b7f82bbf598e6e52ec4a87a63b22b20fea0907aee96960a

RemcosRAT

ce8a1fa1dece3f12415c68769d60da8b709d3fefb5543b8335d88b117d9db2ca

RemcosRAT

f05d5a2fe9b0e832b06db4df35cdca37b3f729bb750d1707bae6260852e55dab

RemcosRAT

+ 7 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:remotehost collection credential_access discovery rat stealer

Link:

https://tria.ge/reports/240809-js28fsyann/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Credentials from Password Stores: Credentials from Web Browsers

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Remcos

Malware Config

C2 Extraction:

194.169.175.190:2404

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6cc1f788-315a-4b79-b85e-a999909ed8d8

Unpacked files

SH256 hash:

16da2306e37c4a85a217cbe52b0a65175c1868e3a29822e4e25ff78f85768288

MD5 hash:

81596543df6c19892da2284507ed0014

SHA1 hash:

649d3308a7611d87cbc0e30e7f95004c1a4eb181

Detections:

Remcos

win_remcos_auto

win_remcos_w0

malware_windows_remcos_rat

Link:

https://www.unpac.me/results/5986fa28-12a9-4be2-be6d-f3142ef3ac10/

Parent samples :

575c516d8a79420f7319c19839c63919b585947635fa54e87430e1c9f95e299d
c2cf1032ae671d0bcba6d625bc72236b125f864a1bb6114c6b96a8e0c91c6759
391ac1ceedd3c960f32890f834a86ba1570ee5a0cc12dcef1714d43bb29fc457
ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10
60e88a5e93683dcbea9f4fef73f946335a1378f0130ff44fab52f18f487c2c8a
2c98d193201137a3e33b34934fa866c2c66f346ed6878562e8191f4314bc5dc9
92be4e60ffc8bcce4d34243d1c5ec0f70c8059504d6466248ceeb8d0dde01afa

SH256 hash:

da35776bf338cdde14d8d2ce7d406bedb09d3c9f1982a7e20f52166a6b3c7b2f

MD5 hash:

304499bbf09083b8d6ca7d127c4f1543

SHA1 hash:

37d285186fd37f55332ed67628e233094035b5d8

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/5986fa28-12a9-4be2-be6d-f3142ef3ac10/

SH256 hash:

ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10

MD5 hash:

cd5155b600fbc02c51b13b11df931b55

SHA1 hash:

fca2d7afc64421910ad1c256fb634f32b00ef27b

Link:

https://www.unpac.me/results/5986fa28-12a9-4be2-be6d-f3142ef3ac10/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ccd6b2a6a945/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AlphaCrypt

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ccd6b2a6a94558d78d46955365f3dde6562301f7e3be7c7821521e8ae1cb2f10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample