MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bb1028f9d0ed56ea18c4c3ebde034d105532bc191f9214e1f5971a747f6447. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 9 File information Comments

SHA256 hash:	17bb1028f9d0ed56ea18c4c3ebde034d105532bc191f9214e1f5971a747f6447
SHA3-384 hash:	787f50cf3f8bdfeb0ff30a939e0f89ca8b850e3c3751489ea95880f326514b3acaa5a66e1f2eb74e2087528088052afd
SHA1 hash:	ed97a91ba32692641199543a7129e6708a41dc26
MD5 hash:	84e06c1d9614393007b2801d32e2d391
humanhash:	apart-missouri-football-pluto
File name:	libcrypto-1_1.sfx.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'375'543 bytes
First seen:	2020-12-25 17:42:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	49152:qeSJwQvTer74mYJMK+QAMslPxThz5NhrpekQzn:qeuv4UWfVMslPphz5NhrGn
Threatray	1'558 similar samples on MalwareBazaar
TLSH	2CB5234179D480B3C2222D3A6C35EB255D397D105F189EEF73E46A2EEA352C1A634B73
Reporter	o2genum
Tags:	RemcosRAT

o2genum

Clean EXE with infected DLL, packed into WinRAR SFX for analysis.

Intelligence

File Origin

# of uploads :

# of downloads :

511

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

libcrypto-1_1.sfx.exe

Verdict:

Malicious activity

Analysis date:

2020-12-25 17:45:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ac1a74df-a273-4930-a02d-2b1aefdf2bda

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Launching a process

Transferring files using the Background Intelligent Transfer Service (BITS)

DNS request

Sending a custom TCP request

Sending a UDP request

Creating a file

Enabling the 'hidden' option for files in the %temp% directory

Moving a recently created file

Launching cmd.exe command interpreter

Connection attempt

Unauthorized injection to a system process

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/570078

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Hijacks the control flow in another process

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/17bb1028f9d0ed56ea18c4c3ebde034d105532bc191f9214e1f5971a747f6447/

Threat name:

Win32.Trojan.Bulz

Status:

Malicious

First seen:

2020-12-25 17:43:06 UTC

AV detection:

17 of 48 (35.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c65rakhz2dwvn2qyytb6xxqdjuifkmv4depzefhb6wlru5d7mrdq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

08e52e60f250239dddd975184d94f0a41f93fc82ccfc2ecc7de0a030db54633b

RemcosRAT

22e14a00dc576e766179076be3199fc04c28fa52fb74f5ba0a9692fbd742a3c0

RemcosRAT

26448f5f651589c5fd39721e68693c8eba2ada59eee363b365b984e90f0a47b0

RemcosRAT

3746f6d2d5f3e12e69c80085eef48b25f06974965b930563d773eac6e5c2f291

RemcosRAT

452daf183846078dffb7fb5595860656cbff08f53bf710dd33c17590e2f13177

RemcosRAT

622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02

RemcosRAT

891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de

RemcosRAT

b3220a05f0d1fbd5739d07701d1ba84373f9574f0904a464395fcf63246dd1ed

RemcosRAT

b9a23ce0f2e5309363143d5a659731015c710a0b834060f8ad0194a06d48ee01

RemcosRAT

+ 1'548 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201225-8m3pcc9wmn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Loads dropped DLL

Blocklisted process makes network request

Executes dropped EXE

Remcos

Malware Config

C2 Extraction:

95.217.144.93:5865

Unpacked files

SH256 hash:

17bb1028f9d0ed56ea18c4c3ebde034d105532bc191f9214e1f5971a747f6447

MD5 hash:

84e06c1d9614393007b2801d32e2d391

SHA1 hash:

ed97a91ba32692641199543a7129e6708a41dc26

Link:

https://www.unpac.me/results/edc937e5-0f1b-4df1-ab25-488596a8911d/

SH256 hash:

6a8f5a5c13d168cac6f34e46dca175b134bb21e850da36122945885fa4d3cc35

MD5 hash:

cb23f436a8ac8cc89e9971484a0d7e29

SHA1 hash:

d6aeb3f527194fcf16d481598f895753b4360fff

Link:

https://www.unpac.me/results/edc937e5-0f1b-4df1-ab25-488596a8911d/

SH256 hash:

7aef5998afbb459e1e5ab71966d8d5cf2bb00107b0e59e81934d0cbc22c18839

MD5 hash:

067868a646f8dd235b082e8896fe5186

SHA1 hash:

9ada873ebf7b410d09f5d33f66482bd0ae6be4eb

Link:

https://www.unpac.me/results/edc937e5-0f1b-4df1-ab25-488596a8911d/

SH256 hash:

3151d5aeec57edd43d4fd38cafe7f37f74d5f08f73fe90fcc40f6621101a09e3

MD5 hash:

d0e7de2abad059ff0541b3684e52a40e

SHA1 hash:

5a565592fe1725d546f7dec6f645071abd27b775

Link:

https://www.unpac.me/results/edc937e5-0f1b-4df1-ab25-488596a8911d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17bb1028f9d0ed56ea18c4c3ebde034d105532bc191f9214e1f5971a747f6447

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample