MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 13



SHA256 hash: f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2
SHA3-384 hash: 925dc96cbb3b8f282ae22386da1acb583686a985427dd889f68e69f63b341b95ec495f4abd567656876fc95319988c84
SHA1 hash: 139dfe6164e7c6ba6e2360673cf75801fd2add36
MD5 hash: c628123d2539f5ae51b37a06bd179fc7
humanhash: spring-fillet-johnny-chicken
File name: LauncherPred8.3.37Stablesetup.msi
Signature: RemcosRAT
File size: 11'920'384 bytes
First seen: 2024-11-17 09:54:38 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:oEGAvNE+MNqCjsict52JykNWmKoahv02bfHJNeh5XK3zQlstPGaVB4L0iJP:QCBAK5XmooaBYhtKklkG
Threatray: 4'588 similar samples on MalwareBazaar
TLSH: T1CAC61212BA8BC633EA7D4176E569FB2B117ABEE2073084D763E4398E4D708C15275F12
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: msi RemcosRAT


iamaachum
https://www.youtube.com/watch?v=r9yE8tW8X-M => https://app.box.com/s/qulsz9aubfz07k4rz85i7ld4jz6nr4i0

Remcos C2: 185.157.162.126:1995

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: ES
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.1%
Tags: shellcode dropper virus

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm cmd cscript fingerprint lolbin lolbin msiexec remote wix

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Installs a MSI (Microsoft Installer) remotely
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Query firmware table information (likely to detect VMs)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1557094
Sample: LauncherPred8.3.37Stablesetup.msi
Start date: 17/11/2024
Architecture: WINDOWS
Score: 100
Network contacts: 185.157.162.126 (OBE-EUROPE Obenetwork Europe SE, Sweden); gersgaming.s3.us-east-2.amazonaws.com; s3-r-w.us-east-2.amazonaws.com (52.219.84.168:443, local port 49732, AMAZON-02, United States); 127.0.0.1 (unknown)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 8 other signatures

Process tree (graph node ids in parentheses; signatures the sandbox attributed to a process in square brackets; dropped files and network contacts listed under the process that produced them):

sample (2)
  msiexec.exe (13)
    dropped: C:\Windows\Installer\MSIA727.tmp (PE32), C:\Windows\Installer\MSIA5BE.tmp (PE32), C:\Windows\Installer\MSIA59E.tmp (PE32), 10 other malicious files
    cmd.exe (24)
      cscript.exe (38) [Suspicious powershell command line found]
        powershell.exe (56)
          wscript.exe (63) [Windows Scripting host queries suspicious COM object (likely to drop second stage); Installs a MSI (Microsoft Installer) remotely; Wscript called in batch mode (surpress errors)]
            wscript.exe (68) [Installs a MSI (Microsoft Installer) remotely]
              msiexec.exe (77)
            cmd.exe (71)
              WMIC.exe (79)
                WmiPrvSE.exe (93)
              conhost.exe (81)
            cmd.exe (73)
              taskkill.exe (83)
              conhost.exe (85)
            2 other processes (75)
              taskkill.exe (87)
              conhost.exe (89)
              conhost.exe (91)
          conhost.exe (66)
      conhost.exe (41)
      timeout.exe (43)
      4 other processes (54)
    msiexec.exe (26) [Query firmware table information (likely to detect VMs)]
  msiexec.exe (16)
    network: s3-r-w.us-east-2.amazonaws.com 52.219.84.168:443
    dropped: C:\Windows\Installer\MSI840A.tmp (PE32), C:\Windows\Installer\MSI83DA.tmp (PE32), C:\Windows\Installer\MSI83AA.tmp (PE32), 5 other files (3 malicious)
    EHttpSrv.exe (29) [Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces]
      cmd.exe (45) [Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces]
        dropped: C:\Users\user\AppData\Local\Temp\hxv (PE32)
        EHttpSrv.exe (58) [Found direct / indirect Syscall (likely to bypass EDR)]
        conhost.exe (61)
    msiexec.exe (31)
  EHttpSrv.exe (19) [Maps a DLL or memory area into another process]
    cmd.exe (33) [Writes to foreign memory regions]
      dropped: C:\Users\user\AppData\Local\Temp\grcidsplgy (PE32)
      EHttpSrv.exe (48) [Found direct / indirect Syscall (likely to bypass EDR)]
      conhost.exe (50)
  3 other processes (22) [Potential evasive VBS script found (sleep loop)]
    network: 127.0.0.1
    cmd.exe (36)
      conhost.exe (52)
Threat name: Win32.Backdoor.Remcos
Status: Suspicious
First seen: 2024-11-17 09:55:08 UTC
File Type: Binary (Archive)
Extracted files: 1710
AV detection: 8 of 38 (21.05%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:hijackloader family:remcos botnet:v2 discovery execution loader persistence privilege_escalation rat
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Use of msiexec (install) with remote resource
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction: 185.157.162.126:1995
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: NET
Author: malware-lu

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RemcosRAT
    Microsoft Software Installer (MSI) msi f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2 (this sample)
      Dropping: Remcos

Delivery method: Distributed via web download

Comments