MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999
SHA3-384 hash: 50526c78386c9d10230061915a367ff12759a640ff218c641ffe77d6b7a6100d82f15f1ec4ba1dabc38a4974d4693594
SHA1 hash: 80838be076ed2b0b9776edb36c1bba6532433b24
MD5 hash: 155bf3aaedd924e7191686c60f5d42fc
humanhash: south-vegan-harry-north
File name:SecuriteInfo.com.Win32.DropperX-gen.2129.28508
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'642'368 bytes
First seen:2025-02-22 08:40:23 UTC
Last seen:2025-02-24 11:28:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:Q/tNM1iZfZoQF9prJZ/nMFA1XAPxdHhuh2JhZ68HTVKR6CPd1+4LI:ozRoQJrJZ/nMrxdHxh0eTw6sVLI
TLSH T101F53717BA8A4AB1C101373BC49A4C3013B6D981F633F69A674A53590F437A9BB4DE1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
27
Origin country :
US US
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
bomb.zip
Verdict:
Malicious activity
Analysis date:
2025-02-22 15:06:28 UTC
Tags:
github loader payload ta558 apt stegocampaign reverseloader miner auto phorpiex botnet opendir ransomware generic xmrig cactus stealer lokibot rat remcos remote trojan quasar evasion redline lefthook metastealer python mimikatz tools susp-powershell
Link:
https://app.any.run/tasks/f1eb0295-3fb9-4299-85eb-c9f945d9a8dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.2129.28508.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b98daca0fd713c335c5176
Tags:
autorun remcos
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a file
Connection attempt to an infection source
Blocking the User Account Control
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated packed packed remcos
Link:
https://www.filescan.io/uploads/67b98dac6222db7f23d87af1/reports/ab78f4a6-a219-4635-a30b-617cbc95d865/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34991bd2-689b-4052-9f1a-4aa5e6f2c5da
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1621741
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Disables UAC (registry)
Drops large PE files
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1621741 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 22/02/2025 Architecture: WINDOWS Score: 100 43 171.39.242.20.in-addr.arpa 2->43 51 Suricata IDS alerts for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 12 other signatures 2->57 9 SecuriteInfo.com.Win32.DropperX-gen.2129.28508.exe 6 2->9         started        13 wscript.exe 1 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 37 C:\Users\user\AppData\Roaming\Message.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\Local\...\LIBAdmin.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\Roaming\...\Message.vbs, ASCII 9->41 dropped 75 Drops VBS files to the startup folder 9->75 77 Encrypted powershell cmdline option found 9->77 79 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->79 81 Drops large PE files 9->81 18 LIBAdmin.exe 4 9->18         started        22 InstallUtil.exe 9->22         started        24 powershell.exe 21 9->24         started        83 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->83 47 127.0.0.1 unknown unknown 15->47 file6 signatures7 process8 dnsIp9 45 162.230.48.189, 2404, 49801, 49815 ATT-INTERNET4US United States 18->45 59 Antivirus detection for dropped file 18->59 61 Multi AV Scanner detection for dropped file 18->61 63 Contains functionality to bypass UAC (CMSTPLUA) 18->63 73 2 other signatures 18->73 26 cmd.exe 1 18->26         started        65 Contains functionalty to change the wallpaper 22->65 67 Contains functionality to steal Chrome passwords or cookies 22->67 69 Contains functionality to steal Firefox passwords or cookies 22->69 71 Loading BitLocker PowerShell Module 24->71 28 WmiPrvSE.exe 24->28         started        30 conhost.exe 24->30         started        signatures10 process11 process12 32 reg.exe 1 26->32         started        35 conhost.exe 26->35         started        signatures13 49 Disables UAC (registry) 32->49
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-02-19 13:39:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4xkejfb66zn32ndgtb2dljl5xesutsfavsdvqlky2hpzb3kfngmq._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:lib defense_evasion discovery rat trojan
Link:
https://tria.ge/reports/250222-kljcfatqz9/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Remcos
Remcos family
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Malware Config
C2 Extraction:
162.230.48.189:2404
162.230.48.189:8848
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dd5d99ae-8b08-4ded-81ee-ef75b382e702
Unpacked files
SH256 hash:
e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999
MD5 hash:
155bf3aaedd924e7191686c60f5d42fc
SHA1 hash:
80838be076ed2b0b9776edb36c1bba6532433b24
Link:
https://www.unpac.me/results/fbbd0751-1b66-4cde-8d9f-1017be2133c8/
SH256 hash:
c67fb1d96c4d623b42d0a7ff23d3639019d2ec551994d1cd4632e973f9ceb7bc
MD5 hash:
42de08b1058fef28403b7d1c98e3f852
SHA1 hash:
3d6c8351ca21597674a0f0b51be7ac306983ae47
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fbbd0751-1b66-4cde-8d9f-1017be2133c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3448472/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments