MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
SHA3-384 hash: dd1e3f5c6371baa1843e0be6418b295c2607088a4988693f0a054d0c24442b2827cf46d59759d9139f5fb93898b5fab4
SHA1 hash: 2ef4c92599ecbe650c7ad44f2da124a057ab8a4e
MD5 hash: e9628cfc2fa49040e0317a95e96f2f02
humanhash: black-fillet-muppet-helium
File name:e9628cfc2fa49040e0317a95e96f2f02.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'089'024 bytes
First seen:2023-05-10 08:02:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:EsNLoubt1FjvDANYfS8DHMaRgWKZZ3xICsFit4:FdpTLANYfS8DHMaRgtZ3xIXFa4
Threatray 2'889 similar samples on MalwareBazaar
TLSH T14135F112622AAB27C76843FF0A29458513B4BB16FD67D23D2DDF21CCDC22F514A21E67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
e9628cfc2fa49040e0317a95e96f2f02.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 08:05:50 UTC
Tags:
keylogger remcos
Link:
https://app.any.run/tasks/f00c2d9c-94a0-4dca-a54b-b61444cb5782

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388085/
Detection(s):
SecuriteInfo.com.Variant.Lazy.338688.21933.8975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645b4fb6d860ee3e1ca69e0f/reports/decf82d0-77be-4096-b625-70c5ed0a37e5/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a51bbc39-9d38-4dee-a1b0-a1755fe07454
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229818
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 08:03:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zkedvujrtyn5kgkbb2yrifyzpabksqbd5fydxqd2nyken5yn27q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11327f3b5123a0f6325b9370d4321bddc00ef1619f6da209503ae1370b24121e
RemcosRAT
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
RemcosRAT
1abe11cf0a879b99c092a403e9efedf7ecda8e92c6708c31c799ce36c2da26a8
RemcosRAT
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
RemcosRAT
2b4c534df5fe4c7ee7a402f384109cb60b54c7f301ef8644e7b1eba397d89f2b
RemcosRAT
32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db
RemcosRAT
3c2ffc42864aba9e07bb8cd494141ea7125a2d24a8717f0cf0a33da8020dbdfb
RemcosRAT
edd0bc79de9c5ecb3d4903d20259b356171aa41af2df2a43aad0bf36bda95c7b
RemcosRAT
fee8b0a5bd69e9ca4d343dbf309b19ecc9a510dc26f7d84d1095fbb494763a99
RemcosRAT
+ 2'879 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost rat
Link:
https://tria.ge/reports/230510-jxpg6agg91/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
bmarch459.sytes.net:6110
Unpacked files
SH256 hash:
bd8f7dfde6dd7a119c16575910e68418e24a1df6eb563c070c4c756d2ca3c620
MD5 hash:
d13c27165735ac6b13f3d5870025dfb1
SHA1 hash:
c17049f590332fe7680333d1be5374319d5e5131
Link:
https://www.unpac.me/results/fe3d50b0-51ee-4d28-818f-b6a2f426f0c0/
SH256 hash:
38fb1b16881788bc6fdba04745d3d24003f7c1e455d033a0ba1506d0a7bf6984
MD5 hash:
346bce3c8f3d68e786d996f5d8903ff1
SHA1 hash:
aaf4404381827a0f7e82be686c129b912fdf3862
Link:
https://www.unpac.me/results/fe3d50b0-51ee-4d28-818f-b6a2f426f0c0/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/fe3d50b0-51ee-4d28-818f-b6a2f426f0c0/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
1a74b799c1a40a793e526da7e8e0de843cd00a39fd21736888fa42ed399de005
MD5 hash:
4d61d1ba711188097ea6d10b4175a7ec
SHA1 hash:
91c0382c4470028b26f4ba4d96bf09556827663c
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe3d50b0-51ee-4d28-818f-b6a2f426f0c0/
Parent samples :
3d35655b8a265b213dba9d23a9542e024895cba4c18dbfb782cb844125c23654
23b3b5a24a51826ddb55a28333f4bfb9455f891f946e7d71a8d1eb3bab1f02f2
7f930ad707464ff08068026c219b7d470da3adedf984f0b0897e1adb4126440d
59d9df7e128711ba9e34b6a6cac31cd50e25c5e350849abfc1b53e8c25854719
27d5b86fa6821ac78a1ad2ad6dbc94cd34d24e461ebc1fa15a0014acd4cd71d6
fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
SH256 hash:
e25c3ba5055c44d9b15cd5beedd9ae35d80355d2b23fa13e2d661c62cb6c5fba
MD5 hash:
a95a840deb708a7730a29a1624f4ef23
SHA1 hash:
9095b2aaa493cb9c9333aed637e13957ef4966b6
Link:
https://www.unpac.me/results/fe3d50b0-51ee-4d28-818f-b6a2f426f0c0/
SH256 hash:
fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
MD5 hash:
e9628cfc2fa49040e0317a95e96f2f02
SHA1 hash:
2ef4c92599ecbe650c7ad44f2da124a057ab8a4e
Link:
https://www.unpac.me/results/fe3d50b0-51ee-4d28-818f-b6a2f426f0c0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe5441d6898c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2260834/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/388085/

Comments