MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210aba7001d319d2c2c365aa0362fb1c2c7a9b5f208b9a189d6571e4a5c149bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 210aba7001d319d2c2c365aa0362fb1c2c7a9b5f208b9a189d6571e4a5c149bf
SHA3-384 hash: 6d9be57ee275a82bbd6813eb2191c1325a2be72feb48ba2bff9486914ed162902d0afcbd440d738c48115e449401ac11
SHA1 hash: ad7085e07536ca69857691a5cdc0ace7a52591f3
MD5 hash: c73b9d798dc08c4df18123d625233978
humanhash: wisconsin-fix-robin-zulu
File name:libcrypto-1_1.sfx.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'513'372 bytes
First seen:2021-01-14 17:54:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:5HLmCiIhiXcyMUzGPn6Hq2RoQxIFqwnivcaSQig2RijodIfmRcabe:qCmGPn6K2VI4PZiYfmRcaC
Threatray 422 similar samples on MalwareBazaar
TLSH 84651252B9D589B3D4221A32667DEB201D3ABC200F148DEB67E86D1DDE711C1B634BB3
Reporter o2genum
Tags:exe RemcosRAT


Avatar
o2genum
Clean EXE + infected DLL payload, packed as SFX RAR for analysis.

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
libcrypto-1_1.sfx.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 17:56:58 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/baf9447b-59d7-41d4-9809-1c4652dd333b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112012/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Forced shutdown of a system process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581616
Signature
Command shell drops VBS files
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339845 Sample: libcrypto-1_1.sfx.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Detected Remcos RAT 2->39 41 Yara detected Remcos RAT 2->41 9 libcrypto-1_1.sfx.exe 13 2->9         started        process3 file4 29 C:\Users\user\AppData\Local\Temp\...\mdrs.exe, PE32 9->29 dropped 31 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 9->31 dropped 12 mdrs.exe 9->12         started        process5 signatures6 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->55 57 Hijacks the control flow in another process 12->57 15 notepad.exe 12->15         started        process7 signatures8 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->59 61 Hijacks the control flow in another process 15->61 63 Writes to foreign memory regions 15->63 65 Maps a DLL or memory area into another process 15->65 18 cmd.exe 15->18         started        21 cmd.exe 5 5 15->21         started        process9 dnsIp10 43 Contains functionality to steal Chrome passwords or cookies 18->43 45 Contains functionality to capture and log keystrokes 18->45 47 Contains functionality to inject code into remote processes 18->47 49 Contains functionality to steal Firefox passwords or cookies 18->49 33 51.222.10.175, 49735, 49741, 5861 OVHFR France 21->33 27 C:\Users\user\AppData\Local\...\uninstall.vbs, data 21->27 dropped 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->51 53 Command shell drops VBS files 21->53 25 wscript.exe 21->25         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/210aba7001d319d2c2c365aa0362fb1c2c7a9b5f208b9a189d6571e4a5c149bf/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eeflu4ab2mm5fqwdmwvagyx3dqwhvg27ecfzuge5mvy6jjobjg7q._file
Verdict:
malicious
Similar samples:
0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6
RemcosRAT
34f907b9f543ecf0f4f99adb7e55963ab5bc1c8e6e64081a8fef9a06043828b7
RemcosRAT
3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925
RemcosRAT
4873869d22df0e7fcec173e490e31f14e42b55bf594bf5c722d08ed43a9e5292
RemcosRAT
6624ce134dd16a37d6615483002f24b74c74c55b45259bc5408b7ae804d0fe22
RemcosRAT
7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
RemcosRAT
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
RemcosRAT
bcee5b3f4acfc85f500a2edd23402b92b87bca11263ffc3ef31f8c0a6c31f6a6
RemcosRAT
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
RemcosRAT
fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a
RemcosRAT
+ 412 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210114-atfvz88nj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
51.222.10.175:5861
Unpacked files
SH256 hash:
0fd29a16e72b55f02b675285b8ca3a1876707001702b15563923fee62b6bb4c4
MD5 hash:
a5435b8fbe0e9f889fe9e8fb1d20d8ff
SHA1 hash:
3ff9452817ba1f1e1f3eb03aa990f48fa1bde739
Link:
https://www.unpac.me/results/a12529d6-6ce7-4c8d-8035-408aeac117a8/
SH256 hash:
7aef5998afbb459e1e5ab71966d8d5cf2bb00107b0e59e81934d0cbc22c18839
MD5 hash:
067868a646f8dd235b082e8896fe5186
SHA1 hash:
9ada873ebf7b410d09f5d33f66482bd0ae6be4eb
Link:
https://www.unpac.me/results/a12529d6-6ce7-4c8d-8035-408aeac117a8/
SH256 hash:
3151d5aeec57edd43d4fd38cafe7f37f74d5f08f73fe90fcc40f6621101a09e3
MD5 hash:
d0e7de2abad059ff0541b3684e52a40e
SHA1 hash:
5a565592fe1725d546f7dec6f645071abd27b775
Link:
https://www.unpac.me/results/a12529d6-6ce7-4c8d-8035-408aeac117a8/
SH256 hash:
210aba7001d319d2c2c365aa0362fb1c2c7a9b5f208b9a189d6571e4a5c149bf
MD5 hash:
c73b9d798dc08c4df18123d625233978
SHA1 hash:
ad7085e07536ca69857691a5cdc0ace7a52591f3
Link:
https://www.unpac.me/results/a12529d6-6ce7-4c8d-8035-408aeac117a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/210aba7001d319d2c2c365aa0362fb1c2c7a9b5f208b9a189d6571e4a5c149bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:crime_win32_rat_parralax_shell_bin
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax injected code
Reference:https://twitter.com/VK_Intel/status/1257714191902937088
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_crime_win32_rat_parallax_shell_bin
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax injected code
Reference:https://twitter.com/VK_Intel/status/1257714191902937088
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 210aba7001d319d2c2c365aa0362fb1c2c7a9b5f208b9a189d6571e4a5c149bf

(this sample)

anyrun
any.run
https://app.any.run/tasks/234f5b0d-6a75-4e45-8547-73c1f34f03c1
  
Link
https://mining-help.ru/articles/58-atikmdag-patcher-1-4-5-skachat.html
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112012/

Comments