MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 dca2d6e3f3b63d15829cad917515c62528de68fd2d0c2592a4106ac7b26d097f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 12
| SHA256 hash: | dca2d6e3f3b63d15829cad917515c62528de68fd2d0c2592a4106ac7b26d097f |
|---|---|
| SHA3-384 hash: | 0831875fb3b9927fe6f916510b00fa4dc14fb776a8214f77c4e04e34326823dbfa691775c96b09a1efae7562bc3d58c8 |
| SHA1 hash: | 70ab79ca3303cb52ee21e57d38d67504b97e704f |
| MD5 hash: | 52d12cdba1e96ce2bc18685e16c6904e |
| humanhash: | chicken-october-william-pizza |
| File name: | 52d12cdba1e96ce2bc18685e16c6904e |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 876'032 bytes |
| First seen: | 2022-08-03 16:17:09 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:Bepy350vYBz0OOS+GcLPIXxi5yRHxpCytTjJysmPQxcSXhenbyL0FtntGGzGtGGR:Bepy350wBzLcaw5yRxpCMjJ1rXheI0 |
| TLSH | T1CE156BF5553ADE9AFD84AAFCD5C090944BA38D30DA9000497331770EAE73FE6789E918 |
| TrID | 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13) |
| File icon (PE): |  |
| dhash icon | f0f0e84dcde4e4f8 (17 x AgentTesla, 4 x AveMariaRAT, 4 x RemcosRAT) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe RemcosRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
404
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
ID:
1
File name:
2003988.xlsx
Verdict:
Malicious activity
Analysis date:
2022-08-03 15:07:16 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader keylogger remcos
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Result
Threat name:
Remcos
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Detection:
remcos
Threat name:
ByteCode-MSIL.Trojan.Remcos
Status:
Malicious
First seen:
2022-08-03 16:18:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
22 of 26 (84.62%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
remcos
Score:
10/10
Tags:
family:remcos botnet:remotehost collection rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
mail.deiomino.icu:45547
Unpacked files
SH256 hash:
c4378e7f7d420859c9062bbd07340b7b3533817afb6a1acf90cc3854e69e7d46
MD5 hash:
de6b45495ef1f042c8dfa876492b4b6f
SHA1 hash:
2ed4939d57dfac0bb8d06eaff7c35ce368a15edd
SH256 hash:
a6acfe617040a5005be0d1675756dc9f09596d3bb2bb3ebc8a2c6881b8c4cfd7
MD5 hash:
db843358b89f4074346cab346720ab06
SHA1 hash:
94d77a5f2d66f20baf557ad30c3ab284665980d9
SH256 hash:
d3e91d69723e0d85c12a43f8b2183a750d6cd495a7715bf6913667d973a25f1b
MD5 hash:
d2f1b70ee9d906dd90da08a54150879b
SHA1 hash:
9d3a87bb0454509a02bd046e4d993dd1b6364d81
Detections:
win_remcos_auto
Parent samples :
dca2d6e3f3b63d15829cad917515c62528de68fd2d0c2592a4106ac7b26d097f
0af02b5b10f10214ce8cb189337b84c443a594638821c2665d8330ecbd99cd31
fa630a35f8fbdb040aa52649e4e311a6eac1ea4e7fc0614dbb92a368b2bb3839
f4736fffb7caa557d796f39e376448b637c97ff24d8cf7cf1f08694e3f40f22d
7d2bce268c0b7b1bc232f1c7b7b169f195be8b931cc92d276de0733428bd4a0b
fe6a93368c9da83d864b3f37fba5c8c01302a3d909779cb3bd6dfaed8b430fb5
436cf5e6015bb698449e308b6cb6071e4404eeb29bb830ad28cd1442740f5c29
fbe8fa4ed7f1de962147afcf13e21f3f5e96b329fa6369f12a05641857828c27
dfed5249564b04f77e9dae3e45c13cb520635e345cf5c0976967062e5054e54d
40948ea3149f6561dffc9599179b142e6d5ff5ec97af45c9e8a5ba35671eba1e
1e894aeb21c7599eeace1408865c683439f4ff3d2114e0e8007a3423cdd386b4
8b2e62c33657add18454ba8a2e0a2701dff0bbbf8a12b7c66d3c5c22e3c5c07d
0af02b5b10f10214ce8cb189337b84c443a594638821c2665d8330ecbd99cd31
fa630a35f8fbdb040aa52649e4e311a6eac1ea4e7fc0614dbb92a368b2bb3839
f4736fffb7caa557d796f39e376448b637c97ff24d8cf7cf1f08694e3f40f22d
7d2bce268c0b7b1bc232f1c7b7b169f195be8b931cc92d276de0733428bd4a0b
fe6a93368c9da83d864b3f37fba5c8c01302a3d909779cb3bd6dfaed8b430fb5
436cf5e6015bb698449e308b6cb6071e4404eeb29bb830ad28cd1442740f5c29
fbe8fa4ed7f1de962147afcf13e21f3f5e96b329fa6369f12a05641857828c27
dfed5249564b04f77e9dae3e45c13cb520635e345cf5c0976967062e5054e54d
40948ea3149f6561dffc9599179b142e6d5ff5ec97af45c9e8a5ba35671eba1e
1e894aeb21c7599eeace1408865c683439f4ff3d2114e0e8007a3423cdd386b4
8b2e62c33657add18454ba8a2e0a2701dff0bbbf8a12b7c66d3c5c22e3c5c07d
SH256 hash:
04cae39923a06fd3185ff9d8ae323f62575314143af5dcbc4de111b40ad676a0
MD5 hash:
1f1082c557faed8621e8c08968124afe
SHA1 hash:
d5786e5675fbfa6773d396a79d80a93d0f362200
SH256 hash:
dca2d6e3f3b63d15829cad917515c62528de68fd2d0c2592a4106ac7b26d097f
MD5 hash:
52d12cdba1e96ce2bc18685e16c6904e
SHA1 hash:
70ab79ca3303cb52ee21e57d38d67504b97e704f
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_EXE_Packed_MPress |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables built or packed with MPress PE compressor |
| Rule name: | INDICATOR_EXE_Packed_SmartAssembly |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with SmartAssembly |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer |
|---|---|
| Author: | ditekSHen |
| Description: | detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | pe_imphash |
|---|
| Rule name: | Remcos |
|---|---|
| Author: | kevoreilly |
| Description: | Remcos Payload |
| Rule name: | RemcosRat |
|---|---|
| Author: | Mohamed Ashraf |
| Description: | Detects Remcos Rat |
| Rule name: | REMCOS_RAT_variants |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | win_remcos_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.remcos. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://35.158.92.205/jik/jik.exe