MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570
SHA3-384 hash: 5f48708f01c7fb63fce08672f864c839f5c987ad1461e21a7ce0b1388007db3f4739d04eadc15ca016954f16c8b2e4aa
SHA1 hash: ee4caebd7930c7cd48a43f425b15ba1ae7d9a42f
MD5 hash: 1df7fc81095ae4a7c32c01c6ea402b58
humanhash: pennsylvania-indigo-mobile-november
File name:1df7fc81095ae4a7c32c01c6ea402b58
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:53'248 bytes
First seen:2022-07-05 13:49:17 UTC
Last seen:2022-07-05 14:55:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:Jm1k95P/DaOtifPYoeVSX9d9s9MXPtwcyU2jnBkfM7TM69jwRUwH:JmsPrNtifCebH1wE21kEvMUjwRUe
Threatray 5'951 similar samples on MalwareBazaar
TLSH T16E336BB2D6980561E19F0E3F14620690C137EC89E875AEFF5888B14B19FF3865D22F5B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8cc9af8f660e0c6 (4 x AveMariaRAT, 1 x SnakeKeylogger, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570.exe
Verdict:
Malicious activity
Analysis date:
2022-07-05 14:23:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b218568b-3ad4-4a68-aa70-f58e7c77276d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.15400.13565.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed wacatac
Link:
https://www.filescan.io/uploads/62c441c9783441cda108f092/reports/0158c0e1-5492-4d2b-b84e-5715c05514eb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed55a9fd-a58e-4b59-a930-1215a6c4e3dd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1024903
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 13:50:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vsre435d5qxybpptp3l2h7nvqcbrs5dxppiehg4ay2ztesoivya._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
014e5350dfbbc963ce361a4c22b2518afd90304b4704071696ab93d9412bf3a4
RemcosRAT
0c9172e1657a20e5e5b35d9a6632b5b87c5db320275dd0cd62d4174aa69547ea
RemcosRAT
279b0de566cfa70c9f15ff2499b62a12d47d627eaa7912c719f57443e8eadd49
RemcosRAT
462757689ac3c1498cfc5160eb8e160c27668ab5b9a8546af645d522e93e21c0
RemcosRAT
8141fae70ffd2918e015e5626af46b24706075a22900abe9c3e9ee753c892f96
RemcosRAT
8e3c255747a5488359596df0c1398d56f206462477aedd67fe38892b745133fd
RemcosRAT
96cf3dde4a7f0757b82e055c75f6b3025414fb06480b021fd36ae1186d67850f
RemcosRAT
a237dbf82afbdf7dfab8bf6ff84f2a9543d46a9d07951827cd520aa5ec2accd9
RemcosRAT
a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08
RemcosRAT
+ 5'941 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220705-q489gahgfq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NanoCore
Malware Config
C2 Extraction:
anglemanagement.ddns.net:9036
shahzad73.ddns.net:9036
Unpacked files
SH256 hash:
d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570
MD5 hash:
1df7fc81095ae4a7c32c01c6ea402b58
SHA1 hash:
ee4caebd7930c7cd48a43f425b15ba1ae7d9a42f
Link:
https://www.unpac.me/results/de57e8a6-7953-4d3e-80f0-dc72f3080482/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe d56512737d1f617c05ef9bf6bd1fedac0418cba3bbde821cdc063599924e4570

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2254157/

Comments


Avatar
zbet commented on 2022-07-05 13:49:26 UTC

url : hxxp://192.227.173.41/7659/vbc.exe