MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: 28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74
SHA3-384 hash: 9c1891d696b4d2283aceed0bde29e92b2869e9464a4f0ef461429520da6af36650bafa4a2bbdbe1bf8495d6c15ed9266
SHA1 hash: ebe7c3ac64ce312ca370bcd07d49de5ad1369d93
MD5 hash: 08802514f3c2c303d54e4a47a8db54f2
humanhash: ceiling-two-asparagus-romeo
File name: 08802514f3c2c303d54e4a47a8db54f2
Signature: RemcosRAT
File size: 1'028'096 bytes
First seen: 2022-07-14 05:02:27 UTC
Last seen: 2022-08-10 09:28:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf2c8924eb497431bbc72248941dbd65 (1 x Loki, 1 x RemcosRAT, 1 x ArkeiStealer)
ssdeep: 12288:6CReQqCL/WvnYDWT+oNnar+B4gyvY4U+UVHoQP2XjsyvY4U+UVH2QP2Xq:6CRebCWYDWTXNnTB4gQU+6SsQU+69
Threatray: 14'431 similar samples on MalwareBazaar
TLSH: T1BE2578181F87063EFDB7CD703AA544BDC76A28F2EC95356A6E14150736B2E308778E62
TrID: 71.4% (.EXE) Win32 Executable MS Visual C++ 5.0 (60687/85)
      7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: openctibr
Tags: dropped exe goldrushaw-ug OpenCTI.BR RemcosRAT Sandboxed

Intelligence

File Origin
# of uploads: 8
# of downloads: 156
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm greyware hacktool obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Azorult, Clipboard Hijacker, Raccoon Ste
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 664504, sample YZT3H7ZVUQ, start date 15/07/2022, architecture WINDOWS, score 100 (graph rendering not reproduced; node and edge text omitted).
Network contacts shown in the graph: tuekisaa.ac.ug, parthaha.ac.ug, wiwirdo.ac.ug, kalskala.ac.ug, goldrushaw.ac.ug, goldrushaw.ug (45.143.201.4, PATENT-MEDIA-ASRU, Russian Federation), nikahuve.ac.ug (194.5.98.107, DANILENKODE, Netherlands), 193.106.191.146 (BOSPOR-ASRU, Russian Federation), plus 192.168.2.1 (local).
Dropped PE files shown in the graph: nfdsame.exe, aREOvGZu.exe, Y5ZZVUfy.exe, TQNmRHxo.exe, Yjlgdlfzs.exe, oobeldr.exe; child processes include 9l9yCxhV.exe, InstallUtil.exe, cmd.exe, timeout.exe, schtasks.exe and conhost.exe.
Threat name: Win32.Spyware.Vidar
Status: Malicious
First seen: 2022-07-10 12:49:34 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 32 of 40 (80.00%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:arkei family:raccoon family:remcos botnet:06192022 botnet:default discovery persistence rat spyware stealer suricata
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Arkei
Raccoon
Remcos
Malware Config
C2 Extraction:
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
Unpacked files

SHA256 hash: eec4eee8a07d08b12dd0e6a358069f3a85b412fb6b13e7ed982e81a7ee35df8b
MD5 hash: a51c3da7d173de178e52ad2b634bf78b
SHA1 hash: aa70a7aa949fa920439f07ff23c922ad14a55e12

SHA256 hash: 3ef8296f0f4acad7b3e61e80fcd2e2afbaa5188934502fcbe30acda1d2b2e9d4
MD5 hash: a3026d327765ec18fc4bf3a75edd855a
SHA1 hash: ddd54b5fdcc47db6ff17be644328e6eab59ac52b

SHA256 hash: 156e35ba34971de7ed8c213c5c5d23504064eac0f30cc16183d73d8b729de56a
MD5 hash: 4a9e7c6b22d23fa48567e39a02881cf0
SHA1 hash: 15f0d997178a0f9fbeb85f066de7c7ce74d7a184

SHA256 hash: 28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74
MD5 hash: 08802514f3c2c303d54e4a47a8db54f2
SHA1 hash: ebe7c3ac64ce312ca370bcd07d49de5ad1369d93
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File type: Executable exe
SHA256: 28455b1a0b29240e95877cff96528b3a196f0cf3a63d9980dc70349cdc0e1e74 (this sample)
