MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
SHA3-384 hash: 9543459ada7064504b16143beddc43dae147c16db31af640d0f32184af6938525a4a25f8fdd19c4a40eb30e760f7f4a8
SHA1 hash: a1c5d86c77753abc3c58d48be94adfbee115f4d5
MD5 hash: eb9b7a0ca0aa3a0f4db9dd92b6b506e9
humanhash: vegan-chicken-vermont-oregon
File name:e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'009'664 bytes
First seen:2024-02-06 15:26:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:n/dTRUfmULpLz0jol+V0v5Lk1TYwxv3a:/PULKUkmvu1TYwxv3a
Threatray 32 similar samples on MalwareBazaar
TLSH T1032522003B98976BE57A87F50D2550500BB57A937AA1F37E9DD090CD2E7AB004326F7B
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5.exe
Verdict:
Suspicious activity
Analysis date:
2024-02-06 15:29:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80d8a8e6-be1e-4b8d-a49d-cdeea4d8afa7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474906/
Detection(s):
Win.Packed.Filerepmalware-10019564-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65c24fc8572e8da8b23240ca/reports/cd69b2b2-1f4c-40f3-9cea-7fecccd4a07a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a469c800-cce1-414e-a8f0-f5a97975dc56
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387654
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1387654 Sample: U6O0cDES5h.exe Startdate: 06/02/2024 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 7 other signatures 2->45 7 U6O0cDES5h.exe 7 2->7         started        11 OdWrmcu.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\OdWrmcu.exe, PE32+ 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpC2BB.tmp, XML 7->37 dropped 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 Modifies the context of a thread in another process (thread injection) 7->49 51 Adds a directory exclusion to Windows Defender 7->51 13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        17 U6O0cDES5h.exe 7->17         started        53 Multi AV Scanner detection for dropped file 11->53 55 Machine Learning detection for dropped file 11->55 19 schtasks.exe 1 11->19         started        21 OdWrmcu.exe 11->21         started        signatures5 process6 process7 23 WmiPrvSE.exe 13->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 WerFault.exe 2 17->29         started        31 conhost.exe 19->31         started        33 WerFault.exe 4 21->33         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 12:27:55 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
30
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vzsxggpewb2moczmay5e476jfdifo6utz2xfxsmy6y5ungtmxcq._file
Verdict:
malicious
Similar samples:
714f11ed7d83f9cd2067675f873f43e76781fa23982832998d9813738e2e26ab
RemcosRAT
a240015a32ca9e0665c9ccc875788084fe58bdbbd0e9f70a0ce5a7fd9ecce65e
RemcosRAT
b80690f5312d2360d3a790392594b78aaada3ed6120d9a28300f408f286ce6e6
RemcosRAT
d4ce99bddbf7352ad97482052b01754e5aca502213aaa3c06242982fd5a42c34
RemcosRAT
e0bab39f15dae51e6ee793aec74d0076eb33339776c037e4ad963efc40c49820
RemcosRAT
e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
RemcosRAT
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240206-svrzyaaah6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5
MD5 hash:
eb9b7a0ca0aa3a0f4db9dd92b6b506e9
SHA1 hash:
a1c5d86c77753abc3c58d48be94adfbee115f4d5
Link:
https://www.unpac.me/results/8f0f2dd1-5515-486d-916f-022f877bcf30/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5732b98cf25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5732b98cf2583a638596031d273fe494682bbd49e7572de4cc7b1da34d365c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474906/

Comments