MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30
SHA3-384 hash:	0209856ac9aab75f59e55e8819a449a7c212bda8a3b529a840e8bbbded4cc559a398125a5df70cc9d321c0a3ee49a98e
SHA1 hash:	1279cb68bf691aeb9f1ab2dc5a9d65fe4c519501
MD5 hash:	30df98e200691ccc0df504344f3fd3b6
humanhash:	grey-cat-lamp-grey
File name:	Bestillingsliste_20230912158.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	411'648 bytes
First seen:	2023-09-12 09:35:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5d21c7b01a6fc37863814a89f8ee87a (1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	6144:cqLVuU0w+pSStNYN8blnynhSRM2XAKBUNE8QzVHXq9PtNIr84MjF9dE:VhuU0wGYWyhiJ8QzVUtNz4MjFD
Threatray	393 similar samples on MalwareBazaar
TLSH	T175940212F8F0C071D26343388D35DA54AA7FB8A1BEB1C58773941AAE1F326D1AE16747
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0404041608282000 (1 x RemcosRAT)
Reporter	lowmal3
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

Bestillingsliste_20230912158.exe

Verdict:

Malicious activity

Analysis date:

2023-09-12 09:38:58 UTC

Tags:

rat remcos remote keylogger

Link:

https://app.any.run/tasks/dd28f1e3-6bca-4a37-ae75-01c0c87472ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/448127/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed remcos xpack

Link:

https://www.filescan.io/uploads/6500310225e2ece4df6b0c93/reports/ed74c0cc-5392-43e0-97aa-4df70fd23ab2/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d30c07d0-9c2a-44f9-ac70-f1c9c3d89e8c

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2023-09-12 09:36:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=766ss2shmy5e2lvh76n2spsyaejpb3fgco4t2skw5xju7jrnzmya._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5

RemcosRAT

b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f

RemcosRAT

b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f

RemcosRAT

bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb

RemcosRAT

d4da52e07bcf01df28c9106df95b75385eef2c06e3c4754efa6d1b772e940ea7

RemcosRAT

+ 383 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:professional rat

Link:

https://tria.ge/reports/230912-lkyleabd6y/

Behaviour

Suspicious use of SetWindowsHookEx

Program crash

Remcos

Malware Config

C2 Extraction:

37.139.129.251:2404

Unpacked files

SH256 hash:

69f76aea00e7299206027e4471fb00aa2d53de98e8599791d41cbcc5cf0a1397

MD5 hash:

d9d7830033ea2feb676b3ab9ed22ffe4

SHA1 hash:

792d197572e88ea387c475a1e71be745dfb17627

Detections:

Remcos

win_remcos_auto

Link:

https://www.unpac.me/results/2f432241-f682-4a30-8e48-76979685c890/

Parent samples :

ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30
1f667508b2ddf652347fd73ac2e084cb004a8616cb04282e59d3ce63ab1e959d

SH256 hash:

ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30

MD5 hash:

30df98e200691ccc0df504344f3fd3b6

SHA1 hash:

1279cb68bf691aeb9f1ab2dc5a9d65fe4c519501

Link:

https://www.unpac.me/results/2f432241-f682-4a30-8e48-76979685c890/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ffbd296a4766/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

exe ffbd296a47663a4d2ea7ff9ba93e580112f0eca613b93d4956edd34fa62dcb30

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/448127/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample