MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef
SHA3-384 hash: 0bd7365946d4f083bae74ca2953466e0803740e7de55ead7d0b07fabea0d029c910bc3860536ee3980bb5fb5d15d46f5
SHA1 hash: 0a903373482fb718e04cd7827f53b698b672edba
MD5 hash: e1f54cb4e87f05e3ad006b707bbf7faa
humanhash: paris-mango-nuts-echo
File name:Revised P.o.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'569'280 bytes
First seen:2024-02-05 08:33:20 UTC
Last seen:2024-02-05 10:34:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd3825b6e0410966f0c31f64b6c7644a (36 x AgentTesla, 15 x Formbook, 6 x RemcosRAT)
ssdeep 24576:OAHnh+eWsN3skA4RV1Hom2KXcmtc3q1WYpqKoBoTM8G010GloAxr0OC7DBg:5h+ZkldoPKsaccWYpqKoBoTMN010GSga
Threatray 37 similar samples on MalwareBazaar
TLSH T16275CF0373C0C075FFAA92B36B16A14567BDAC798127951E23C83A766EF05B1163E723
TrID 49.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d2b09c8ecebade6e (3 x AveMariaRAT, 2 x AgentTesla, 2 x Formbook)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474634/
Detection(s):
PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/65c09d82dc0e133d92c18213/reports/27bd0dc8-6a04-4f92-92f4-a0cfda429a85/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5a306720-f627-4c5c-ad87-e94948ae7566
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1386634
Signature
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-02-05 08:34:11 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zupoah3tcevmqcjerdr4rplo346f336c74ehwybrf3gtjjdk73xq._file
Verdict:
unknown
Similar samples:
154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11
RemcosRAT
5c702d043863b1bdd6e4dbdf89ffde07497dea0570396698509e23637b5558ab
RemcosRAT
6368bd094f648a12bcdd609edb833cb5ca3aa7a70efc0cf7e0dcbc71e80ed51b
RemcosRAT
b7e1e34df8d8f63cad1d66970746631001c34f2bad3f86e3a517e5ebdfdd6b3a
RemcosRAT
c20765742b6d22e16299239e960d1c4e851fa9f12bd1b0696d4195f8890a6bf6
RemcosRAT
cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef
RemcosRAT
e4d521e8c1f8bc496fe8fcdf2e083f0ab341696723586c83c12c5b13013843c3
RemcosRAT
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240205-kggm2sdgfr/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
AutoIT Executable
Unpacked files
SH256 hash:
1a59ae136fdefc11ff7759f21c788b7b1591e04981518c46f82e05233198fc82
MD5 hash:
2fc9e1b18832790446367de5c1fefd0f
SHA1 hash:
b9472b438a650749208985d0319816cc8b1b642a
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/9120ce78-9508-4a3a-b026-c672a345a75b/
SH256 hash:
cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef
MD5 hash:
e1f54cb4e87f05e3ad006b707bbf7faa
SHA1 hash:
0a903373482fb718e04cd7827f53b698b672edba
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/9120ce78-9508-4a3a-b026-c672a345a75b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe cd1ee01f73112ac8092488e3c8bd6edf3c5defc2ff087b60312ecd34a46afeef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/474634/

Comments