MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc
SHA3-384 hash: 522fd9c251f39889f77235332afc02607a03a98ae74288ecbfb823a49ec7eb0e7a78f06ef40a6d776fdf92515165c0ce
SHA1 hash: 685a1caa16ee85d4b41a26c4fef701a48a1787d7
MD5 hash: 4a28daa7b3ea61ede54d0038bb7d4c10
humanhash: fish-bravo-ceiling-ceiling
File name:file
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:620'070 bytes
First seen:2023-06-13 14:20:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b293aeb3c2f123a822aa0f8509bdaaac (1 x RemcosRAT)
ssdeep 12288:jig4rfh0virvxZWkHB6b+2Is2wsG9KgahOvmiEX+9bDGpo8cR:jpa50q7xrHBaIeXKgah9X2bQcR
Threatray 2'025 similar samples on MalwareBazaar
TLSH T138D4123DEE45ADC7F2D51BB28802F496891CBD6849CF4C5F9BCDBBAD2632905460132B
TrID 82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter jstrosch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
US US
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:30:01 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/a825fdd5-2c91-41d9-ab72-aaa09796b8a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398434/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Launching a service
Launching the default Windows debugger (dwwin.exe)
Creating a file
Sending an HTTP GET request
Searching for the window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive overlay packed
Link:
https://www.filescan.io/uploads/64887b4f9f45f940f553d144/reports/2525bb27-6d55-442f-9696-966e0333456d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23cc5313-c891-4ed0-8382-74399cdbe2fc
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253767
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-13 14:21:07 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fyp3o6ngujhhcfnscmcbxzt7ps5bj55jnjmzxqbdrlyf3p6ap6a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3a573796b5e6f1cc3a92eef7e268fa4e74aeddf34f5dd62f7b02109fe560ecd2
RemcosRAT
3d4ffcd1cd594f452ad1c374933eea8dd36d21a6d01372cc7f1afc636d26fa72
RemcosRAT
538b607c03aa2d0960c396529399921f957f421a3ca084d140316e2ee21889cc
RemcosRAT
76005c1982c2d4df1995d8ba0e2163ac84b5009823466b9e043a5a017e15c9cd
RemcosRAT
818bd67db5fe30f5cfdab861f996f30fa20427e3e1aa65ffe6d98f6c7af7558d
RemcosRAT
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
RemcosRAT
a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0
RemcosRAT
b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27
RemcosRAT
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
RemcosRAT
+ 2'015 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ares rat
Link:
https://tria.ge/reports/230613-rnz7asha9y/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Remcos
Malware Config
C2 Extraction:
nov231122.con-ip.com:7476
Unpacked files
SH256 hash:
ea987b8abd20dc953398b622d7b05ae67cd74861aadf461f5e6e1d86dabdde93
MD5 hash:
b8e41160fdc623f0bb32b665c5ffa6ff
SHA1 hash:
3b8f0acbcfa421a7b06adcc935590271bf2a6783
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/24f458f7-92e9-4699-baef-62e65baac9f8/
SH256 hash:
e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc
MD5 hash:
4a28daa7b3ea61ede54d0038bb7d4c10
SHA1 hash:
685a1caa16ee85d4b41a26c4fef701a48a1787d7
Link:
https://www.unpac.me/results/24f458f7-92e9-4699-baef-62e65baac9f8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e970fdbbcd35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe e970fdbbcd35127388ad909820df33fbe5d0a7bd4b52ccde011c5782edfe03fc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398434/

Comments