YARAify Scan Results
You are viewing the YARAify database entry for the file with the SHA256 hash ab184bbe1afee714246ce917c0dbf6c71c128ce978bf68047e42408cad6e4148.
Scan Results
| SHA256 hash: | ab184bbe1afee714246ce917c0dbf6c71c128ce978bf68047e42408cad6e4148 | |
|---|---|---|
| File size: | 110'592 bytes | |
| File download: | Original | |
| MIME type: | application/x-dosexec | |
| MD5 hash: | 0d18e3da724a96f272b7ebe975bcdc4d | |
| SHA1 hash: | a664a213f1a8237e46cc1064d5f48b1032268eea | |
| SHA3-384 hash: | 269f504b5158f623bed3298cddacc7aeee8dc51ede1bfdb0ae83199d1fe76e84c7f3a1714e94fb3be7e02a8ff79ccddf | |
| First seen: | 2024-02-02 17:55:20 UTC | |
| Last seen: | Never | |
| Sightings: | 1 | |
| imphash : | 27c26358507490ee39a6c32c85e5402a | |
| ssdeep : | 3072:sXWbmc+bQOfWUXV42nqZbgzE6jQg2X9zP/lGp2x5+zt3S8r+s:smbtCQOfWsV42nqZczFQ1X9zP/lGp23w | |
| TLSH : | T126B3E623A216C1B3E96501F11A503F32CBBCBF360B456417D798C1412D7BC8AE5B6ABB | |
| telfhash : | n/a | |
| gimphash : | n/a | |
| dhash icon : | 989894b49c9494f0 | |
Tasks
There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.
Task Information
| Task ID: | 3b71092c-c1f4-11ee-89b0-42010aa4000b | |
|---|---|---|
| File name: | 400000.remcos.exe | |
| Task parameters: | ClamAV scan: | True |
| Unpack: | False | |
| Share file: | True | |
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
| Signature: | Win.Malware.Azden-7587127-0 |
|---|
| Signature: | Win.Malware.Rescoms-6598304-0 |
|---|
| Signature: | Win.Trojan.Remcos-9841897-0 |
|---|
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
| Rule name: | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer |
|---|---|
| Author: | ditekSHen |
| Description: | detects Windows exceutables potentially bypassing UAC using eventvwr.exe |
| TLP: | TLP:WHITE |
| Repository: | diˈtekSHən |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | malware_Remcos_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Remcos in memory |
| TLP: | TLP:WHITE |
| Repository: | JPCERTCC |
| Rule name: | Parallax |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies Parallax RAT. |
| TLP: | TLP:WHITE |
| Repository: | bartblaze |
| Rule name: | Remcos |
|---|---|
| Author: | kevoreilly |
| Description: | Remcos Payload |
| TLP: | TLP:WHITE |
| Repository: | CAPE |
| Rule name: | remcos_rat |
|---|---|
| Author: | jeFF0Falltrades |
| TLP: | TLP:WHITE |
| Repository: | jeFF0Falltrades |
| Rule name: | REMCOS_RAT_variants |
|---|---|
| TLP: | TLP:WHITE |
| Rule name: | SUSP_VBS_Wscript_Shell |
|---|---|
| Author: | SECUINFRA Falcon Team |
| Description: | Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon |
| TLP: | TLP:WHITE |
| Repository: | SIFalcon |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| TLP: | TLP:WHITE |
| Rule name: | win_remcos_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.remcos. |
| TLP: | TLP:WHITE |
| Repository: | Malpedia |
| Rule name: | classified |
|---|---|
| Author: | classified |
| TLP : | TLP:GREEN |
| Rule name: | Windows_Generic_Threat_994f2330 |
|---|---|
| Author: | Elastic Security |
| TLP: | TLP:WHITE |
| Repository: | elastic |
| Rule name: | Windows_Trojan_Remcos_b296e965 |
|---|---|
| Author: | Elastic Security |
| TLP: | TLP:WHITE |
| Repository: | elastic |
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter