MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d935d16b1603eb83d9c8587e3fe36ba247341adb572bac99a291f35bd13d7292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 16

SHA256 hash: d935d16b1603eb83d9c8587e3fe36ba247341adb572bac99a291f35bd13d7292
SHA3-384 hash: 37281cf777e69507080410f0feb252759267d17a0fe264d7ad08f19a392fc358137c8f0389ec61073da98c9f6e53090d
SHA1 hash: 02b68e1f2b57c6f37e86dfa6aeaed9235514bf27
MD5 hash: 5c7c4a198838dc17a523fc9ef2f80c2f
humanhash: comet-carpet-xray-nebraska
File name: 5c7c4a198838dc17a523fc9ef2f80c2f.exe
Signature: RemcosRAT
File size: 1'020'416 bytes
First seen: 2023-05-31 08:16:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:+sIdum1lmFxUSJ0x5yRb+QKl0AnB3oc8q:cTmFxUsA5yRb+ll0ABP
Threatray: 3'918 similar samples on MalwareBazaar
TLSH: T1C725122897FD025ADABB67B617B45234533BFE5A7731E30F5E43A88E1960B008A10773
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 251
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 5c7c4a198838dc17a523fc9ef2f80c2f.exe
Verdict: Malicious activity
Analysis date: 2023-05-31 08:22:14 UTC
Tags: keylogger remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Setting a keyboard event handler
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP GET request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2023-05-29 13:43:15 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 21 of 37 (56.76%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:searose rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction: seanblacin.sytes.net:6110
Unpacked files
Detections: Remcos win_remcos_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name: pe_imphash

Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload

Rule name: REMCOS_RAT_variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT: Executable exe d935d16b1603eb83d9c8587e3fe36ba247341adb572bac99a291f35bd13d7292 (this sample)

Delivery method: Distributed via web download
