MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce5611605035936355aeb920edf5a831f970de2c0904bd753025858e338410e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce5611605035936355aeb920edf5a831f970de2c0904bd753025858e338410e1
SHA3-384 hash: 1f5614fa369ff98b1e5ea5938d8071d705f5f41004220488d13f3e6ce8d40f2628b3fad6dda2169e1802caa159b25c26
SHA1 hash: c93d92367d4653050c029549c3bfa11089b20925
MD5 hash: fb68218db0b8c28fcdf659fdae6043b0
humanhash: london-twenty-sad-hamper
File name:Roco.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:855'040 bytes
First seen:2023-01-17 22:30:47 UTC
Last seen:2023-01-18 00:49:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:rIBLLpJVo5dm2gjvYwVynAfBAX3dtWD8IlEgn8:rIBLDVovm2gjvJVyA2dturO
Threatray 968 similar samples on MalwareBazaar
TLSH T1AF05DE06DF44C26BD319C7B1089E4D91586EFA9B593BB3252907E34AD9732E10F3B1B2
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 30f0e8c8e833d470 (1 x AgentTesla, 1 x RemcosRAT)
Reporter 0x49736b
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Roco.exe
Verdict:
Malicious activity
Analysis date:
2023-01-17 22:31:56 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/d69f71bc-1cc4-4083-ae94-fd3e57c2a83a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353963/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AVEN.tr.28602.4306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control.exe packed
Link:
https://www.filescan.io/uploads/63c721a78352dc7065e35fbc/reports/599f0217-8b24-4f72-9ebd-bae04bf4649c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1aa15ab-a6d6-410b-8023-1bd09591dc8c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1153520
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786252 Sample: Roco.exe Startdate: 17/01/2023 Architecture: WINDOWS Score: 96 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected Remcos RAT 2->29 31 5 other signatures 2->31 6 Roco.exe 1 3 2->6         started        10 Roco.exe 2 2->10         started        12 Roco.exe 2 2->12         started        process3 file4 21 C:\Users\user\AppData\Local\...\Roco.exe.log, ASCII 6->21 dropped 33 Creates autostart registry keys with suspicious names 6->33 35 Writes to foreign memory regions 6->35 37 Injects a PE file into a foreign processes 6->37 14 InstallUtil.exe 1 6->14         started        17 InstallUtil.exe 10->17         started        19 InstallUtil.exe 12->19         started        signatures5 process6 dnsIp7 23 qaqaqa.ddns.net 45.130.87.4, 2407 TELIANETTeliaCarrierEU United Kingdom 14->23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce5611605035936355aeb920edf5a831f970de2c0904bd753025858e338410e1/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 22:31:10 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
26
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzlbcycqgwjwgvnoxeqo35nigh4xbxrmbecl25jqewcy4m4ecdqq._file
Verdict:
malicious
Similar samples:
132a12a98cc3cc5857d24ddb35c499ec344d2482a8ca101df1630b9be37b11d1
RemcosRAT
2267fac6e4bcace94d9ed232cc4ba7e128424e80c5730ea38f23610c11bdc168
RemcosRAT
4c3af793b926ac4a4dfb0de4b54555730bf89dcaba5b2d6c25f6c9a4eefc0be6
RemcosRAT
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
RemcosRAT
a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50
RemcosRAT
b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4
RemcosRAT
bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83
RemcosRAT
f1ec2da9572ec46cf6937a8e51b0e188f5778d2c6cf47be6fe098a7dc8de87a9
RemcosRAT
+ 958 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:cyber persistence rat
Link:
https://tria.ge/reports/230117-2fc2xadg2s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
qaqaqa.ddns.net:2407
Unpacked files
SH256 hash:
ce5611605035936355aeb920edf5a831f970de2c0904bd753025858e338410e1
MD5 hash:
fb68218db0b8c28fcdf659fdae6043b0
SHA1 hash:
c93d92367d4653050c029549c3bfa11089b20925
Link:
https://www.unpac.me/results/b0259719-6798-462f-a652-3c9d4eb03a00/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce5611605035/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ce5611605035936355aeb920edf5a831f970de2c0904bd753025858e338410e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353963/

Comments