MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1
SHA3-384 hash: a75c8dc322766df259db1e7735306f524dfd08b67a4899d8ffefbc4116299bc8597e6e6a36c325f61496a93a23b3e39a
SHA1 hash: ec8a4e8d0c34570650d0f761f9bd3689f9620a15
MD5 hash: e4661f9c8d4cb3ae13f8bb875a8e7680
humanhash: kansas-avocado-hamper-spaghetti
File name:e4661f9c8d4cb3ae13f8bb875a8e7680
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'493'504 bytes
First seen:2023-07-22 13:21:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ae416377d1ae94f412d8b958c2f23da (1 x RemcosRAT)
ssdeep 24576:FtuY8DyxG8F+KDWKejV9xvEirHl97/KcS+H0EqB0Q//T5Loe/XMCv:fYGQQ6V/l97hkEqN/ffv
Threatray 1'056 similar samples on MalwareBazaar
TLSH T14B659F23B2829837D0B2193F9D5BB6699425BD039D2CD80A7BE44E4C3F3B6C13529D97
TrID 69.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
e4661f9c8d4cb3ae13f8bb875a8e7680
Verdict:
Malicious activity
Analysis date:
2023-07-22 13:21:26 UTC
Tags:
remcos rat remote
Link:
https://app.any.run/tasks/039d98b2-d46d-4dda-a833-982ad29af8c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/428727/
Detection(s):
Win.Malware.Qakbot-9939298-1
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed remcos remote shell32
Link:
https://www.filescan.io/uploads/64bbd7fbe179a8163b7ca3f1/reports/6b82c43b-9706-4119-8d70-fdff722f56f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1710601-7e71-4a24-8d15-6a19e1143db5
Result
Threat name:
CryptOne, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277796
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-22 13:22:06 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3onvjbu4beruweue7gifcure274g2flr7srmgnetffae6jgnfwqq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07f678a2738900d3046868e70cddd95171240f3319c24dba741f95d5763932a5
RemcosRAT
2efdfea9644c378bb7e04dac7b7a2b4760ef9a4925026a3a23d804efefd2f26a
RemcosRAT
4d20cc81fe3369624b78b05419fea8efdf9f147fa13ff541561ae4298b3c5ad8
RemcosRAT
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916
RemcosRAT
6f6d7329e0948b935011c95d6f3899c917279086347ad85ddf4494ada1970ec6
RemcosRAT
ab122c5daa471c2dee1cc58e3a63b3a05be7e66b52faa1542a528dd81c62fed3
RemcosRAT
c3f58fc7e4e51a2d4c6551fd6cebac7d8c0bf79d83f1235e7570c2db574df0f6
RemcosRAT
c9e9f4d1945fc9cb9daf5b4a72032a00ba7040154e3fe44be5371fbb7da695ea
RemcosRAT
+ 1'046 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230722-ql79fsbd5x/
Behaviour
Remcos
Malware Config
C2 Extraction:
80.66.75.172:2792
Unpacked files
SH256 hash:
17ec9cf51c654e38aaf094410a895763f2a64cb8dc67ccf459e76edb81de2aa5
MD5 hash:
80b0cf42b33cca75ff82925111a5a228
SHA1 hash:
6dce2bb348099ddc4b25c2b427c3cd2c1e1dcc49
Detections:
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c471eb07-d8c8-4234-a10f-9ef836b85281/
SH256 hash:
db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1
MD5 hash:
e4661f9c8d4cb3ae13f8bb875a8e7680
SHA1 hash:
ec8a4e8d0c34570650d0f761f9bd3689f9620a15
Link:
https://www.unpac.me/results/c471eb07-d8c8-4234-a10f-9ef836b85281/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db9b54869c09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe db9b54869c09234b1284f990515224d7f86d1571fca2c3349329404f24cd2da1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2687750/
Cape
Cape
https://www.capesandbox.com/analysis/428727/

Comments


Avatar
zbet commented on 2023-07-22 13:21:07 UTC

url : hxxp://185.209.230.21:8080/steelsea.exe