MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 10

SHA256 hash: 34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566
SHA3-384 hash: be4b3b218f3d985a804f794330319f29df76d30e13b36aa9df0322eca87f588d8d252d517cd71b0c2478b837a0cfd6d6
SHA1 hash: fecfb1e3c47c27decb3ddd8528d99c97a63e39d5
MD5 hash: 0a18354ef4ec26659e704a0dcad48d9f
humanhash: lion-uniform-skylark-mobile
File name: MLO.exe
Signature: RemcosRAT
File size: 23'216 bytes
First seen: 2021-06-22 13:12:10 UTC
Last seen: 2021-06-22 13:37:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 384:xJ+7gp7Ai7PPlcrTP2aUl5/Xc/j/LyoG/MojlekxXu9Shz:xJ+cyKP2RUfkDLyoGZjlejshz
Threatray: 1'819 similar samples on MalwareBazaar
TLSH: 9CA26C16FA844913D8FF7A3A21F68F2F1373A3F02B51C65A6F4D93A21C033C64969259
Reporter: James_inthe_box
Tags: exe RemcosRAT signed

Code Signing Certificate

Organisation: 9bta2af19MU
Issuer: 9bta2af19MU
Algorithm: sha256WithRSAEncryption
Valid from: 2021-06-22T12:19:28Z
Valid to: 2022-06-22T12:19:28Z
Serial number: 2ca9c9e564af6e3cd991455095878f73
Thumbprint Algorithm: SHA256
Thumbprint: a02fbe2f1067816c19364674c7f5efd48e39f54821f4e9c2b7f83ce5dfa16ccd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 | ThreatFox Reference
37.230.178.57:6932  | https://threatfox.abuse.ch/ioc/139929/

Intelligence

File Origin
# of uploads: 2
# of downloads: 125
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: MLO.exe
Verdict: Malicious activity
Analysis date: 2021-06-22 13:19:10 UTC
Tags: trojan rat remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Detected Remcos RAT
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign process
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction which causes a usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Remcos RAT
Behaviour
Behavior Graph: Behavior Graph ID 438370 (Sample: MLO.exe, Startdate: 22/06/2021, Architecture: WINDOWS, Score: 100); the rendered process and network graph is not reproduced in this text view.
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-06-22 13:11:58 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 16 of 46 (34.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:host persistence rat
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction: ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu:6932
Unpacked files
SHA256 hash: 34540a51780e487ff9426db2ea9e2ed985e6c46130439de2e434b4a804446566
MD5 hash: 0a18354ef4ec26659e704a0dcad48d9f
SHA1 hash: fecfb1e3c47c27decb3ddd8528d99c97a63e39d5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: pe_imphash

Rule name: Remcos
Author: JPCERT/CC Incident Response Group
Description: detect Remcos in memory

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments