MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6
SHA3-384 hash: 59e081cf226b9367ce9b0122f2d6767224f12455111bf892ff6c8a0442b81b2a8dc93bec9d04e59b41d3a94995f4666c
SHA1 hash: 2f2cb13dbeb72a8e946c7aa0c8f1fc59b06ab196
MD5 hash: ef39ea0b41b06ea6c8ea7259e538f2d0
humanhash: florida-alpha-alpha-mockingbird
File name:libcrypto-1_1.sfx.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'005'281 bytes
First seen:2021-01-12 12:44:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:qUdQHNctQc4xQsdvekwIdivVF4wS8uN5467B0+:qF+tQc4xRdZwIO+wa4a0+
Threatray 1'711 similar samples on MalwareBazaar
TLSH AA952341B8C584B2D4A31E365A38E721A93DBC601F25CA9FA3E4592DDF301D1A539FB3
Reporter o2genum
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
libcrypto-1_1.sfx.exe
Verdict:
Malicious activity
Analysis date:
2021-01-12 12:45:31 UTC
Tags:
keylogger rat remcos
Link:
https://app.any.run/tasks/5206815c-8111-4c4e-ae7b-184b9792d96c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111494/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Launching cmd.exe command interpreter
Connecting to a non-recommended domain
Unauthorized injection to a system process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/578942
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338521 Sample: libcrypto-1_1.sfx.exe Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for dropped file 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 2 other signatures 2->33 8 libcrypto-1_1.sfx.exe 10 2->8         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\...\ads.exe, PE32 8->21 dropped 23 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 8->23 dropped 11 ads.exe 8->11         started        process5 signatures6 43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->43 45 Hijacks the control flow in another process 11->45 47 Writes to foreign memory regions 11->47 49 Allocates memory in foreign processes 11->49 14 notepad.exe 11->14         started        process7 signatures8 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->51 53 Hijacks the control flow in another process 14->53 55 Writes to foreign memory regions 14->55 57 Maps a DLL or memory area into another process 14->57 17 cmd.exe 2 3 14->17         started        process9 dnsIp10 25 5.45.87.29, 49754, 8000 SCALAXY-ASNL Russian Federation 17->25 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->35 37 Contains functionality to steal Chrome passwords or cookies 17->37 39 Contains functionality to capture and log keystrokes 17->39 41 2 other signatures 17->41 signatures11
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-12 12:45:07 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
17a87ce9f1b198eb1dacc4dde36af67169515d41b322d6bcbaf1861f2d812d39
RemcosRAT
17bb1028f9d0ed56ea18c4c3ebde034d105532bc191f9214e1f5971a747f6447
RemcosRAT
44eb61ad9603cc802e8a59f356dadedf4be9dc315862a9bb2eddec1bcc9288a8
RemcosRAT
46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48
RemcosRAT
4f718a40662228b1b5efca4664eb07f6d1918b62bc8b29598410d1dc5bb76c70
RemcosRAT
7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
RemcosRAT
9502b93f782ae19b93623605f74ebc2ee277a453ecd2286ef990d62c28a601e6
RemcosRAT
98d8bbdf43367821e74fd0c26f5bdda07fe9a750476cce1bb0df88c5aa18b745
RemcosRAT
bc8513a74ddfc1a9a78fbdbf39d90a61d59819dfb116846daf730693622c3c69
RemcosRAT
d0fbaa4e5d7b512cdc4b3b63ddbed59d1cb741f3925381124ee91942ecfdf3a6
RemcosRAT
+ 1'701 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210112-w65lrxb3qs/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
5.45.87.29:8000
Unpacked files
SH256 hash:
35e4d7cf7381c03b7eea62e3b56493903ec0fad222608b4a6087f1a03f889662
MD5 hash:
840b09d1903e500c76ab7a582ba6b0b5
SHA1 hash:
8eb84c4573c2a3012213cec657683afbf30cdb06
Link:
https://www.unpac.me/results/9b09e7ae-793d-4d3a-a8fe-220705d4ca3b/
SH256 hash:
7aef5998afbb459e1e5ab71966d8d5cf2bb00107b0e59e81934d0cbc22c18839
MD5 hash:
067868a646f8dd235b082e8896fe5186
SHA1 hash:
9ada873ebf7b410d09f5d33f66482bd0ae6be4eb
Link:
https://www.unpac.me/results/9b09e7ae-793d-4d3a-a8fe-220705d4ca3b/
SH256 hash:
0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6
MD5 hash:
ef39ea0b41b06ea6c8ea7259e538f2d0
SHA1 hash:
2f2cb13dbeb72a8e946c7aa0c8f1fc59b06ab196
Link:
https://www.unpac.me/results/9b09e7ae-793d-4d3a-a8fe-220705d4ca3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be

RemcosRAT

Executable exe 0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6

(this sample)

  
Link
https://blockchain-media.org/atiflash-ati-winflash/
  
Dropped by
SHA256 d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111494/

Comments