MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
SHA3-384 hash: 47b8e372f53d022fbe824aac26948f9077148936cd043e2110af97b16d4a54e34e028be038a8323922a40a0f1741cbc9
SHA1 hash: 2f36c0c1370f8cb64408e361898e0107bacb1f70
MD5 hash: 33ca8417dc5dd6f6b3197f076ef8f6a9
humanhash: zebra-colorado-pluto-red
File name:z36HGT780000900.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'077'248 bytes
First seen:2023-12-20 00:26:20 UTC
Last seen:2023-12-20 02:15:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:4rqtxIFryW7A5RC6AaEdbGrXfqLx+Rxz/i:4Exc2euCaki7iYxza
Threatray 580 similar samples on MalwareBazaar
TLSH T13A35E195F3818369DC6B43707635D5300B22ED9EE47A6A0F6ADC3D673FB36A50232522
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d4d4d4d4d4d4d4c4 (7 x RemcosRAT, 6 x AgentTesla, 1 x MassLogger)
Reporter FXOLabs
Tags:bat exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
340
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
z36HGT780000900.bat
Verdict:
Malicious activity
Analysis date:
2023-12-20 00:27:37 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/12e7b60b-64af-4ad5-849d-9d58e887c4eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468576/
Detection(s):
SecuriteInfo.com.Trojan.Siggen22.44193.15201.20937.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin masquerade packed remcos remote
Link:
https://www.filescan.io/uploads/658234d8f4b6e5e16350ff75/reports/a8be59e8-d878-4886-9300-ef69338fb7fc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1707c3c1-3c8f-4e55-8299-bdaa3d80abd2
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364856
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates executable files without a name
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1364856 Sample: z36HGT780000900.bat.exe Startdate: 20/12/2023 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 11 other signatures 2->38 7 z36HGT780000900.bat.exe 3 2->7         started        10 .exe 3 2->10         started        process3 signatures4 40 Bypasses PowerShell execution policy 7->40 42 Writes to foreign memory regions 7->42 44 Allocates memory in foreign processes 7->44 12 powershell.exe 13 7->12         started        16 InstallUtil.exe 7->16         started        46 Injects a PE file into a foreign processes 10->46 18 powershell.exe 11 10->18         started        20 InstallUtil.exe 10->20         started        process5 file6 30 C:\Users\user\AppData\Roaming\...\.exe, PE32 12->30 dropped 48 Creates executable files without a name 12->48 50 Drops PE files to the startup folder 12->50 52 Powershell drops PE file 12->52 22 conhost.exe 12->22         started        24 WerFault.exe 23 16 16->24         started        26 conhost.exe 18->26         started        28 WerFault.exe 21 20->28         started        signatures7 process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 18:19:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4kmlogklllr7hffwn7epbaadwisrmlbswhw3l2ya5ka5ssp7tca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
13c527233819f76ce94c4ab839838a213acd727de5cae5660222a5c4ddd8d5b4
RemcosRAT
21e97352d99419e877c055452e9a462aa4f5ca3bb0676dbbb12f5142f89cd79b
RemcosRAT
2db991b9ae725ec59f9a29654e4c5f8d2bf363662cfa8d271a8692fea4883744
RemcosRAT
43c8f7c4fd456d2e3db0c15024481db6681b8ea7c8f296f99957c36630f76e37
RemcosRAT
dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea
RemcosRAT
+ 570 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat
Link:
https://tria.ge/reports/231220-arrkwsfab9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Drops startup file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Unpacked files
SH256 hash:
086bb4332fe0be6d5a020df9666cd3eb3a4ccc2f385b6666b76ef5295d6ce853
MD5 hash:
c2146368518a62dc06a5a8669b3b8002
SHA1 hash:
df0ff8a40ddb97b4046a305f4056549374f3846a
Link:
https://www.unpac.me/results/caf0e1c0-c22c-41a1-8b6f-8741613fae2a/
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/caf0e1c0-c22c-41a1-8b6f-8741613fae2a/
SH256 hash:
1d5d05f977665e72d96f0cfa60de530d7912a51f44464e805c468b73f53eaf11
MD5 hash:
229284f8cddfa43ac54a0e60196e709b
SHA1 hash:
27bc5b44cc9c2689482a4f622a092beb94bbda8c
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/caf0e1c0-c22c-41a1-8b6f-8741613fae2a/
Parent samples :
03e1b46d2f7cd22416f24a7d5f4eabc8dd2b3de80b8b8cdc8d360f02ed1d931f
9c365f7df9b2bb958a53890dc80a258de1f5ea0781155f7c2b3741b9dd593867
fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
2db991b9ae725ec59f9a29654e4c5f8d2bf363662cfa8d271a8692fea4883744
dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea
f05ac4628bc3cc7da752894e47479c2f8532ed5c485943b7abb680a79d4dba9c
3de39937dbba16980b665dcf03505af8bd11a77a9f09d8e5ca69837932a9340e
cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
SH256 hash:
cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4
MD5 hash:
33ca8417dc5dd6f6b3197f076ef8f6a9
SHA1 hash:
2f36c0c1370f8cb64408e361898e0107bacb1f70
Link:
https://www.unpac.me/results/caf0e1c0-c22c-41a1-8b6f-8741613fae2a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf14c5b8ca5a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe cf14c5b8ca5ad71f9ca5b37e4784001d9128b161958f6daf5807540eca4ffcc4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468576/

Comments