MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 13 File information Comments

SHA256 hash:	cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381
SHA3-384 hash:	0362d047902886582b0b969e2e6cf45d903a812b52654e07de338c92733baebed2557905a3d805676816215aa85ef5c7
SHA1 hash:	4f733af9d4a0eef8aa55968c2971f5d6ae1f0f57
MD5 hash:	4c9dcdd5946caffba47fd4218404d384
humanhash:	lake-solar-don-washington
File name:	cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	494'592 bytes
First seen:	2023-11-21 09:22:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8d5087ff5de35c3fbb9f212b47d63cad (170 x RemcosRAT)
ssdeep	6144:+/7iPrcL3ArwhBq7Kjsn9iHGXg0lwGS9MNNhdFvPxps9gsAOZZuAXec7p7ov:+/uPq3AfK496Gw0lwGXN3pvs/ZuI8v
Threatray	460 similar samples on MalwareBazaar
TLSH	T149B49E01BAD2C072D57514300D36F776EAB8BD2028264A7BB3D61D5BFE31190B62A6B7
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4d48eaa8ad4d4f8 (1'000 x RemcosRAT, 1 x Worm.Ramnit, 1 x Vjw0rm)
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/459467/

Detection(s):

Win.Trojan.Remcos-9841897-0

Win.Trojan.Remcos-10002580-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Reading critical registry keys

Creating a file in the %temp% directory

Searching for the window

Сreating synchronization primitives

Stealing user critical data

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

89%

Tags:

control evasive exploit explorer greyware hook keylogger lolbin shell32

Link:

https://www.filescan.io/uploads/655c76f715cd82a1c998be00/reports/2e8a7dfd-ef14-46f1-959d-fc6e86411c61/overview

Verdict:

Malicious

Labled as:

Backdoor.Remcos

Link:

https://www.hybrid-analysis.com/sample/cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/88f2099b-ce06-4e29-9f50-cf66480df6fe

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1345673

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to inject code into remote processes

Contains functionality to modify clipboard data

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2023-11-21 09:23:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 23 (95.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z4f4ithbp43jdbz3lvfrasgs5y3zm37nbvxzv37ifjr5ly5eioaq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

06df9938eb1faaf4c5862a64273998b15201a83e5a46842cd0067a50eb964f4b

RemcosRAT

0e8dfb4c4b15bffe7df07f0a9240c2287e23c149b465991da96b73eff7b8f903

RemcosRAT

17d12e966b6e89c0c80d7d03e7a665b5d52801a5256a3e0fd1c96a11fb8828e6

RemcosRAT

280945c850b2ee81256b36dacdec35b2bbc147c3cba57b344cd50bf464d74f97

RemcosRAT

ca49853927005b03dcbfc86f17f34e28120cb37f0a9cd9ead30b38f9c9a7b816

RemcosRAT

f1efd86756d2b913e17e6de502d9de494ffa89b503a209f4d82d204ad1d4be6b

RemcosRAT

+ 450 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:grace collection spyware stealer

Link:

https://tria.ge/reports/231121-lcf2dsec5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Reads user/profile data of web browsers

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Malware Config

C2 Extraction:

grantadistciaret.com:3212

Unpacked files

SH256 hash:

cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381

MD5 hash:

4c9dcdd5946caffba47fd4218404d384

SHA1 hash:

4f733af9d4a0eef8aa55968c2971f5d6ae1f0f57

Detections:

Remcos

win_remcos_w0

win_remcos_auto

win_remcos_rat_unpacked

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

malware_windows_remcos_rat

Link:

https://www.unpac.me/results/11d966e6-dfa0-4cd5-ab9a-22e85791b904/

Parent samples :

db4520e67b7388d613d17e7a0758192feda02f2951e3a3a2f5bd4f2c55efd7a2
cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381
a1f95947c7d421aef77f87b95744c6a93c149e203af906b32b3e6002f3331cf3
1592a15da607057998d44258e4892bbe0191a9fb4b0f688b9ecb8112016d387d
9fdca9360e25dcfd92011c7aa47c40037cadc4573826b13cfdb8ecf7dc3bb553
48df72d38c4b15ae4c34723fd6b2c8399110aebbf9f4205064901bc2650f2571
bafc5fae0104b9851797f62ad1d638cf18237782147ff341033d6bfc06e0d5ca
d72b9ebc71193849d196a3962f735f5bc49b4be81d099317582f199008580704
88c300243b5102cdcf2685203b2469f384d12d0cbd66b49dd479d21b3ceab24d
c6f1ef6ad4ded0111f232672a308199294eb93182d7cd7acc294f0a2c2d20413
788edaf71879b87d34ea6397f6be0c718a67bc8f3ef5a2b32e5b1ad8064a44d0
e32b631a8b82943b24d90088fba052ef7c6bb591b6bd759c71fa7ba8ef63fa63
39a8c585d60201261bad7600af0f3840fcb174fec63263ebf55020e4dedc157c

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cf0bc44ce17f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	iexplorer_remcos Create hunting rule
Author:	iam-py-test
Description:	Detect iexplorer being taken over by Remcos

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Remcos_b296e965 Create hunting rule
Author:	Elastic Security

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

Rule name:	win_remcos_rat_unpacked Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	win_remcos_w0 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects strings present in remcos rat Samples.

Rule name:	yarahub_win_remcos_rat_unpacked_aug_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe cf0bc44ce17f3691873b5d4b1048d2ee37966fed0d6f9aefe82a63d5e3a44381

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/459467/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample