MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a
SHA3-384 hash:	77d7508262ea86b115de62bbace75dd5674559b97a7027f427e35047378ad03898757be3f5b542b6b6d21f57d389b2ea
SHA1 hash:	d6f5b401b95a13333fa9dd2c37b39ca2cf5629e3
MD5 hash:	b3e095ff902ae130c551fd344f167344
humanhash:	grey-tennis-eleven-papa
File name:	f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	1'457'664 bytes
First seen:	2024-01-10 14:56:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep	24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aA0zQGYkSi8IPIH+2PB4+q:2TvC/MTQYxsWR7aZkjpH+QB4
Threatray	1'799 similar samples on MalwareBazaar
TLSH	T17C65C0033381C062FFAB91734F5AF61197FC69674123A52F17A82D79B9701B2463E6A3
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	d0a8a0a0a0a0a0d8 (3 x AgentTesla, 1 x RemcosRAT, 1 x XWorm)
Reporter	adrian__luca
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Información del pago.eml

Verdict:

Suspicious activity

Analysis date:

2023-12-29 16:10:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7cd91e3b-659d-451a-a2a0-0f01b870d553

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470215/

Detection(s):

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Creating a file in the %temp% directory

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit bladabindi control darkkomet greyware keylogger lolbin packed remcos shell32 threat

Link:

https://www.filescan.io/uploads/659eb045784d3498d73be610/reports/faeecc39-b1ea-4387-8699-c81707bc0094/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LockBit Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0504b300-2911-4089-a243-02aac97cfd8b

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1372466

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2023-12-29 14:43:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=64rdhokrqnt32ocyxj5fjrrr37fxbeft5dnmkuwkjz4srte6u2fa._file

Verdict:

unknown

RemcosRAT

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1

RemcosRAT

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711

RemcosRAT

a79b66630563a29a21dd21531e3e605d801eb2fb821522b6b9815dc8f269a7aa

RemcosRAT

b9f69c03f5d2f0190f98375d442160b4bf00071f5f4845a1152299c0430f8744

RemcosRAT

c70ba8369d587d514b1b6a783708af9fd8b9f3fd08f4db7dd21d1e81f2136516

RemcosRAT

fc68214ae21bb693cb4dd555bc8eb14fec2d9086da96edbcf8e13bf825c41bce

RemcosRAT

+ 1'789 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240110-sbk3aaade7/

Unpacked files

SH256 hash:

a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946

MD5 hash:

2ba2baa0a9f2917074f70a50f10ddee9

SHA1 hash:

5e32eb53c8ff82ef5dfe9fa41158af2c131998e4

Detections:

Remcos

win_remcos_w0

win_remcos_auto

malware_windows_remcos_rat

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

win_remcos_rat_unpacked

Link:

https://www.unpac.me/results/6e187d5e-dab6-4bb4-89c9-ed08ac4f7991/

Parent samples :

a739f75be90696d11429b7b5003af6ae0318009bdabdecdcd49b18d80c60d946
85e1ad6c1503ecfec6e03b38c24b93ce7c92a08f3c84f43db8946359054938c6
1862317879e1cfcaff8a4c2355f8d88b0911a4c848773f54bcb82c48f20480e6
62bfc227410b8cc5e8a3f6b6a7344e9ce2a91481278c7d0d2afae8ea3eb095ce
7cfbfe371912b59dec9a22cb39790c9f94774124ac786b48d493ec46830a0c1c
f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a
be58907253b68299ffaa7d7bb9104e1faa2671ddd6e18f4b53261537895c87e8
449ecf2471ec8a48d115b252928053edc56f2bbf622a88db78274bdf3cc574ac

SH256 hash:

f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a

MD5 hash:

b3e095ff902ae130c551fd344f167344

SHA1 hash:

d6f5b401b95a13333fa9dd2c37b39ca2cf5629e3

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/6e187d5e-dab6-4bb4-89c9-ed08ac4f7991/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f72233b9518367bd3858ba7a54c631dfcb7090b3e8dac552ca4e7928cc9ea68a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/470215/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample