MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
SHA3-384 hash: 8875d829dbbaa62147870c72edfc0f63e570ed31de65157d8393c7849e1ee3b63c7c2304b51c7794e7e98e8086edee77
SHA1 hash: dd5851a6fcfbada4a1b085ffa388552a45c3c12f
MD5 hash: ac9e836f751cd76101bf095009c27233
humanhash: double-fillet-tango-vegan
File name:z98Enquiryformachineparts.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:517'632 bytes
First seen:2023-06-20 17:33:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17e5230c5cf4f4448b3cb8e448bbcc70 (1 x RedLineStealer, 1 x Smoke Loader, 1 x RemcosRAT)
ssdeep 12288:LNohofhVqellqx2etypiTySFFrhc+Q30N:ief+elU2PpMtFI+QE
Threatray 53 similar samples on MalwareBazaar
TLSH T1BBB45B9382E13D94F9278B72AF2FC6E8764DF2508F497B6522189E1F04B11B6C1B3B51
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 08081212240a1200 (1 x RemcosRAT)
Reporter FXOLabs
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
z98Enquiryformachineparts.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 17:36:39 UTC
Tags:
installer remcos
Link:
https://app.any.run/tasks/67556ea6-7f22-4e89-acc2-8fb78134ce92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401159/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91943/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/6491e30a99f0c0cb093300fe/reports/45e4aa4e-2a7a-43c7-9102-71558a98aeac/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c89c2225-bf96-462e-b48a-d69541c41dc3
Result
Threat name:
Remcos, PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258515
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected PrivateLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-20 13:21:24 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kzkrpcdnfrsr6lfbuqy7yhfpz6flqhepgnb6kdsdoc6g7uf5l2a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3e6ec18ecee467ac76807198be9c02531fd7091545056260ef164354846e59a6
RemcosRAT
3f07585c2ab00f3f8cb68b6c3a461c0b267c52531a5bca15d59a6cad1cbbc6f7
RemcosRAT
6e3cf5c7cccc4369fbed86c4de5bb59d7bb40c1ced10cab8b0bc733299d45ea1
RemcosRAT
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
RemcosRAT
aa6646da5d47bbfffce88075205a5e6c1af6107a9dae7dec98b14e7c3d022219
RemcosRAT
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
RemcosRAT
c1ccc7e57074fb432d2de187fca944ac480e5b2ad68ad7cc52388e3381990396
RemcosRAT
ea2f8aca010aba1f0ebb0b5af2de53b2a4106d5feb147f34e0a8e615eccd77c1
RemcosRAT
+ 43 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230620-v5ehpsee6x/
Behaviour
Program crash
Remcos
Malware Config
C2 Extraction:
89.37.99.49:5888
Unpacked files
SH256 hash:
de4281063ca08013514ad6d64e585185dba3d80d45867663ce9b19dc820d0da9
MD5 hash:
967dcae7de1299ab842f4d70f93b3350
SHA1 hash:
6ea64fd6043a7d4c56973e8f61a1f335c4d9ea97
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/c12773fc-e1e2-41b6-b688-f04ce226cbbc/
Parent samples :
f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
9d6ead1f911aa56ad0d3bb44131f22f0064d7c553c86d1d518d35247af49d488
SH256 hash:
f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4
MD5 hash:
ac9e836f751cd76101bf095009c27233
SHA1 hash:
dd5851a6fcfbada4a1b085ffa388552a45c3c12f
Link:
https://www.unpac.me/results/c12773fc-e1e2-41b6-b688-f04ce226cbbc/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2b2a8bc4369/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe f2b2a8bc43696328f9650d218fe0e57e7c55c0e4799a1f28721b85e37e85eaf4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/401159/

Comments