MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493
SHA3-384 hash: 4de4a2c084532f9b7114a072ec6d39c2149237e9f3194cbe1b90c9fa594d35a8fec4a438915b404990703c94d5664482
SHA1 hash: 63cea165c1d9fcfcfa2fe8e6da5a185193e31c08
MD5 hash: c6855b8e550bcdd88084643f747070ac
humanhash: emma-march-juliet-foxtrot
File name:c6855b8e550bcdd88084643f747070ac
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'133'568 bytes
First seen:2021-09-21 23:09:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep 12288:lIspEfnP8N/seflQTshT8aqeTW39KqGeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AyrPzz5Z
Threatray 13 similar samples on MalwareBazaar
TLSH T1CD358DD6B38CD8F1EC65353EDC85B249D7147BF67C224C09DC703A8A9AB0991B92A05F
File icon (PE):PE icon
dhash icon 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c6855b8e550bcdd88084643f747070ac
Verdict:
Malicious activity
Analysis date:
2021-09-21 23:10:15 UTC
Tags:
installer rat remcos keylogger
Link:
https://app.any.run/tasks/5322e324-f58a-4277-b828-1a8fed5978e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190016/
Detection(s):
SecuriteInfo.com.ArtemisB8815A518089.2641.23959.UNOFFICIAL
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e0a1b08-e23d-42a6-ab6c-77160647b25e
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855261
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487692 Sample: DNDvTVR10T Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Detected Remcos RAT 2->70 72 4 other signatures 2->72 8 DNDvTVR10T.exe 1 22 2->8         started        13 Hjaysdp.exe 15 2->13         started        15 Hjaysdp.exe 15 2->15         started        process3 dnsIp4 52 sn-files.fe.1drv.com 8->52 54 qcjbog.sn.files.1drv.com 8->54 56 onedrive.live.com 8->56 48 C:\Users\Public\Libraries\...\Hjaysdp.exe, PE32 8->48 dropped 84 Writes to foreign memory regions 8->84 86 Creates a thread in another existing process (thread injection) 8->86 88 Injects a PE file into a foreign processes 8->88 17 DpiScaling.exe 5 5 8->17         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        58 sn-files.fe.1drv.com 13->58 62 2 other IPs or domains 13->62 90 Multi AV Scanner detection for dropped file 13->90 26 mobsync.exe 13->26         started        60 sn-files.fe.1drv.com 15->60 64 2 other IPs or domains 15->64 28 mobsync.exe 2 4 15->28         started        file5 signatures6 process7 dnsIp8 50 saptransmissions.dvrlists.com 185.140.53.32, 49742, 49763, 49768 DAVID_CRAIGGG Sweden 17->50 46 C:\Users\user\...\wbmhifxgvrditvyykz.vbs, data 17->46 dropped 74 Contains functionality to steal Chrome passwords or cookies 17->74 76 Contains functionality to inject code into remote processes 17->76 78 Contains functionality to register a low level keyboard hook 17->78 30 wscript.exe 17->30         started        32 reg.exe 1 22->32         started        34 conhost.exe 22->34         started        36 cmd.exe 1 24->36         started        38 conhost.exe 24->38         started        80 Contains functionality to steal Firefox passwords or cookies 26->80 82 Delayed program exit found 26->82 40 wscript.exe 28->40         started        file9 signatures10 process11 process12 42 conhost.exe 32->42         started        44 conhost.exe 36->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 23:10:06 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=graaxn3gfinkbbs7n3agrex76fbn2p7y2ckgifa7owuwuqtsisjq._file
Verdict:
malicious
Similar samples:
27bc88fd389ded5b1102d7ef23245aceeb4a516c7291afc954abb876898aa42f
RemcosRAT
3234ff5f304bb4f6a94ca5e0d56073a6fcfbb65e582dff4a509351d44b039fe9
RemcosRAT
3f032c4e18eced05282ae0a19f738dfef527c2281ce7bebaa28ca028941903f4
RemcosRAT
5f14d3a74387554c330e7ee790f26fb55c5bfeb1dbefc6f2de93ba69d46383e8
RemcosRAT
61005cab010bde9798cb5c7ee05497c08ba71d638644f05a1b5e58c8eac67ca1
RemcosRAT
68f59f9ceb6a93c4ce1cb450202bd0dd021543c5bf60d82f36c86252a5bd69e8
RemcosRAT
8fa72e87addead9671e573d7cb843ca784a10cfbf6acf5b6bc4830df66fe0bf0
RemcosRAT
a3aab02445dfa2ff67c27a8965fb2263965c2ad3f31475e6b6a4459b5c191827
RemcosRAT
b17c3b52340b1f33f4c2e5ce9eb6de617bd28c9525d12b56de031f5367bf7f9a
RemcosRAT
b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69
RemcosRAT
+ 3 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xmrig botnet:sepbuild miner persistence rat
Link:
https://tria.ge/reports/210921-25pf8sdeam/
Behaviour
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Remcos
xmrig
Malware Config
C2 Extraction:
saptransmissions.dvrlists.com:6969
Unpacked files
SH256 hash:
8af0b1d0dd47bb390af4256646d4b07c56d811fc8d59ddd0caaae17e4fb8963c
MD5 hash:
bf6f925b0d88b4605d61d5a251e8ca6d
SHA1 hash:
c016fd257edfa231f52e43022fc6d403c5064485
Link:
https://www.unpac.me/results/7da2c255-6236-45de-8df6-1bd38c8f1d95/
SH256 hash:
34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493
MD5 hash:
c6855b8e550bcdd88084643f747070ac
SHA1 hash:
63cea165c1d9fcfcfa2fe8e6da5a185193e31c08
Link:
https://www.unpac.me/results/7da2c255-6236-45de-8df6-1bd38c8f1d95/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190016/
  
URLhaus
https://urlhaus.abuse.ch/url/1638854/

Comments


Avatar
zbet commented on 2021-09-21 23:09:10 UTC

url : hxxp://198.12.127.187/zCloud.exe