MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08
SHA3-384 hash:	fad15881b494f9437422f497ad09f4b97192867450b874f21a1f25883ef29c2e99fa5d13d4823f03caaeb42db1416979
SHA1 hash:	93d78c2476ac9f23ae9f47ccc8922dcca4f6ecae
MD5 hash:	341520ef0b9352ddacb0311024b15f73
humanhash:	harry-dakota-thirteen-music
File name:	341520ef0b9352ddacb0311024b15f73
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	794'640 bytes
First seen:	2023-06-28 14:19:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:ygIJqd3BGAUy+zUAbQxrO1IftTF5/deL4:rvBwbUOU/tZ5VeL4
Threatray	25 similar samples on MalwareBazaar
TLSH	T17AF4E1241FC17CC2CA6DAF3CE2A2056EE959A06E74A2D7513D4520BC1692FCB0B54EDF
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	341520ef0b9352ddacb0311024b15f73 exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

300

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

341520ef0b9352ddacb0311024b15f73

Verdict:

Malicious activity

Analysis date:

2023-06-28 14:20:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/da2a4412-d40b-48bc-b121-79211e5a2689

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/403505/

Detection(s):

Win.Packed.Formbook-9980347-1

Win.Packed.Cerbu-9993871-0

Win.Dropper.Formbook-9993903-0

Win.Packed.Generic-6680913-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmstp lolbin overlay packed

Link:

https://www.filescan.io/uploads/649c419310925f175aff8cd4/reports/e6e996a9-191f-49a2-830f-a9f5b7a8dd5f/overview

Verdict:

Malicious

Labled as:

Trojan.E1CAE469

Link:

https://www.hybrid-analysis.com/sample/ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d6cb65a6-3b94-4a8e-9ce9-f334bcab2b8b

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1262704

Signature

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08/

Threat name:

ByteCode-MSIL.Trojan.Dotrunpex

Status:

Malicious

First seen:

2023-06-28 14:20:06 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xcrmveyixnao5kijvakgol57dsiwvbnbt37dqvrxzatyzdf5uea._file

Verdict:

malicious

RemcosRAT

3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d

RemcosRAT

4d9e0a28423515a1574837873cc75c3c495daebf2247e5353f9028d97ccf3fb6

RemcosRAT

670bc9a86f72af2ab43a89c576a4e1874ce188b35a1f5656ea27f4b7ac3d5f09

RemcosRAT

71b83a4a645cee8038819ee490a2b6324d287d8aac405adb1b373277dc5c23ab

RemcosRAT

754794ccb5c349adb0551759cc1cd6add14616a50b5b3ffe1b4c0d133d13f300

RemcosRAT

9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4

RemcosRAT

cd15fbc9e839dbc2888b3e72c47827e09a8bc50038a509f138c266ebcf2f3ed6

RemcosRAT

e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f

RemcosRAT

ef436975e5f283c5bd2e60ab75e85af7f3b7d0600ab128f987a18f0bffde351d

RemcosRAT

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230628-rneklaag5z/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08

MD5 hash:

341520ef0b9352ddacb0311024b15f73

SHA1 hash:

93d78c2476ac9f23ae9f47ccc8922dcca4f6ecae

Link:

https://www.unpac.me/results/610d516e-c4d4-44b2-b278-3107f72d8935/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ddc516549845da0775484d40a3397df8e48b542d0cf7f1c2b1be413c6465ed08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/403505/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample