MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925
SHA3-384 hash: 03ac82909840cbfb831f58eee92045ce47d0114cedf29dc56a8115365fda2ee808df22bfa03b2eab5250cf894425c18c
SHA1 hash: ad2a2c83d70088b1fe69adb77b8efdccb280be04
MD5 hash: e6172650b97c48b350630e67e13387d9
humanhash: vermont-undress-nine-iowa
File name:atiflash_293.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'314'604 bytes
First seen:2021-01-11 11:48:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:qEDYwq+aDp4B6uWnjDrD6o4qemZimrOnc:DC+a6BTyXP5ZpOc
Threatray 371 similar samples on MalwareBazaar
TLSH 5FE52302B0E49AB2D4321D3065395B116879BC194B68C7DF23F89E9ECAB11D2B535BF3
Reporter o2genum
Tags:exe RemcosRAT


Avatar
o2genum
Distributed as RAR archive.
Packed into SFX RAR for analysis.

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
atiflash_293.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 11:51:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98a85dbf-c89c-40f1-94f8-c39e95d0723f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111282/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Creating a file
Creating a service
Launching a service
Loading a system driver
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Enabling autorun for a service
Unauthorized injection to a system process
Forced shutdown of a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
46 / 100
Link:
https://www.joesandbox.com/analysis/577865
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337986 Sample: atiflash_293.exe Startdate: 11/01/2021 Architecture: WINDOWS Score: 46 87 Malicious sample detected (through community Yara rule) 2->87 89 Yara detected Remcos RAT 2->89 10 atiflash_293.exe 30 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 1 8 2->16         started        19 9 other processes 2->19 process3 dnsIp4 55 C:\Users\user\AppData\...\atiwinflash.exe, PE32 10->55 dropped 57 C:\Users\user\AppData\Local\...\atillk64.sys, PE32+ 10->57 dropped 59 C:\Users\user\AppData\Local\...\atikia64.sys, PE32+ 10->59 dropped 61 14 other files (1 malicious) 10->61 dropped 103 Sample is not signed and drops a device driver 10->103 21 atiwinflash.exe 3 13 10->21         started        105 Changes security center settings (notifications, updates, antivirus, firewall) 14->105 24 MpCmdRun.exe 14->24         started        71 ipv4.imgur.map.fastly.net 151.101.112.193, 443, 49714 FASTLYUS United States 16->71 73 127.0.0.1 unknown unknown 16->73 75 2 other IPs or domains 16->75 file5 signatures6 process7 file8 45 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->45 dropped 26 atiwinflash.exe 5 34 21->26         started        30 conhost.exe 24->30         started        process9 file10 63 C:\Windows\SysWOW64\is-T7A14.tmp, PE32 26->63 dropped 65 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 26->65 dropped 67 C:\Program Files (x86)\...\is-SPFVK.tmp, PE32 26->67 dropped 69 16 other files (none is malicious) 26->69 dropped 107 Drops executables to the windows directory (C:\Windows) and starts them 26->107 32 zatiwinflash.exe 26->32         started        35 amdvbflashWin.exe 26->35         started        signatures11 process12 signatures13 79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 32->79 81 Hijacks the control flow in another process 32->81 83 Writes to foreign memory regions 32->83 85 Allocates memory in foreign processes 32->85 37 notepad.exe 32->37         started        process14 signatures15 91 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 37->91 93 Hijacks the control flow in another process 37->93 95 Writes to foreign memory regions 37->95 97 Maps a DLL or memory area into another process 37->97 40 cmd.exe 37->40         started        process16 dnsIp17 77 94.242.206.175, 49734, 49736, 49737 ROOTLU Luxembourg 40->77 47 C:\Users\user\AppData\Local\...\cghelp.dll, PE32 40->47 dropped 49 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 40->49 dropped 51 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 40->51 dropped 53 C:\Users\user\AppData\...\HelpPane.exe, PE32 40->53 dropped 99 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 40->99 101 Drops executable to a common third party application directory 40->101 file18 signatures19
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-11 11:49:05 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwcnfljvhf6vwkz5jauinyvbkviqkpuqhxr7wrdhar2uwsh7vesq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1202173f3ce4f49947f8e6554991a320c7a6e5faced43bec6a3bd051d13f7666
RemcosRAT
2ca24ab7850aa7b67af4817c98c938b7c6e48f96028dee2c7fbe01f95d6f3ba1
RemcosRAT
40ed39645e952f345485dea73f460ed5aecc2c523f598e46f2b7f883b50b2281
RemcosRAT
4873869d22df0e7fcec173e490e31f14e42b55bf594bf5c722d08ed43a9e5292
RemcosRAT
4c25202298f76f1598a1e169ca435b80541e1db59c542f55e1eb8e3cbf76a419
RemcosRAT
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
RemcosRAT
91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
RemcosRAT
bcee5b3f4acfc85f500a2edd23402b92b87bca11263ffc3ef31f8c0a6c31f6a6
RemcosRAT
f50b95b06989cbfd7009c6e5638f9636d9b19218952e14b874488f036338fe33
RemcosRAT
fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a
RemcosRAT
+ 361 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210111-8xvw673nk2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
94.242.206.175:5883
Unpacked files
SH256 hash:
3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925
MD5 hash:
e6172650b97c48b350630e67e13387d9
SHA1 hash:
ad2a2c83d70088b1fe69adb77b8efdccb280be04
Link:
https://www.unpac.me/results/3716366a-3542-4e66-8f5e-6cafc3d8c0c5/
SH256 hash:
0bc406b8aeedf6cfbf782d2ac469bbb2a011007f2252bc69bd29295bd2d0391e
MD5 hash:
f7796e872c1e99668556c3d1ef39f99f
SHA1 hash:
508e58f728acdcc36659bee53e924f5824a53387
Link:
https://www.unpac.me/results/3716366a-3542-4e66-8f5e-6cafc3d8c0c5/
SH256 hash:
49abd20e0d59bdb5ac0314c88389d8f2b0f153f92d67eefbed53f9b2c4b91993
MD5 hash:
46aa2a9f353b7bffe61ee8004f90db03
SHA1 hash:
5539f46548b16db2455daedde2bf7cd30bed7ecd
Link:
https://www.unpac.me/results/3716366a-3542-4e66-8f5e-6cafc3d8c0c5/
SH256 hash:
c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c
MD5 hash:
abf6c724b20844d5b0073988a58faf1e
SHA1 hash:
7a8269d5b2ae623f8148ce9863f48f7e12ce036b
Link:
https://www.unpac.me/results/3716366a-3542-4e66-8f5e-6cafc3d8c0c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 3d84d2ad35397d5b2b3d482886e2a15551053e903de3fb446704754b48ffa925

(this sample)

RemcosRAT

Executable exe 58c24970b7e3fd8a86585547df9a939b5cf6d5326b798400c804d9f55ddb3b10

anyrun
any.run
https://app.any.run/tasks/078ff24e-d056-4ae2-acbe-37933a1f01ed
  
Link
https://atiwinflash.com/
  
Dropping
SHA256 58c24970b7e3fd8a86585547df9a939b5cf6d5326b798400c804d9f55ddb3b10
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/111282/

Comments