MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 8



SHA256 hash: 3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
SHA3-384 hash: aa84d58babe6bc215935b603704f40ea7ffa2b7c366e399b69af02d2b0e57f395e0bda0aa4ba81e4c3ef3f4f7154bb3a
SHA1 hash: db47280c828d40c34522f3acf88ec2b71e907ff5
MD5 hash: c9be6f0e1c9c5cad19e97353bbdbf857
humanhash: oscar-red-double-avocado
File name:newr.exe
Signature RemcosRAT
File size:1'004'384 bytes
First seen:2021-06-15 14:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b326f03279d25cd7d2b11f5e25abd5b (1 x RemcosRAT)
ssdeep 12288:AGG4Q59OZnlp7UwjmJomJsCEGo8rzVNvAHl0AqX0uNb+T0HXX+jBnnXLVgKR3Zxh:3+5mlpmXqCWC8F9q/XQBQG
Threatray 79 similar samples on MalwareBazaar
TLSH 94258E499656C535D82B36F9886736AC082B3F057A249C4D32F93B46FEB47D02C1E39B
Reporter ffforward
Tags:exe RAT remcos RemcosRAT signed

Code Signing Certificate

Organisation:Ralink Technology Corporation
Issuer:VeriSign Class 3 Code Signing 2009-2 CA
Algorithm:sha1WithRSAEncryption
Valid from:2010-02-24T00:00:00Z
Valid to:2011-02-24T23:59:59Z
Serial number: 54cc50d147fa549e3f721c754e4e3a91
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7c0d94ca9c871e324302c124373a5a00346e3c8206ff4ccc1024ec558f195d7d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
newr.exe
Verdict:
Malicious activity
Analysis date:
2021-06-15 14:38:37 UTC
Tags:
installer rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 434924  Sample: newr.exe  Startdate: 15/06/2021  Architecture: WINDOWS  Score: 100
Top-level DNS/IP: cdn.discordapp.com
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 5 other signatures
Process tree (recovered from the graph):
newr.exe (started)
    network: cdn.discordapp.com 162.159.133.233, 443, 49728, 49729 CLOUDFLARENETUS United States
    dropped: C:\Users\Public\Libraries\...\Mzifsvd.exe, PE32
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    mobsync.exe (started)
        network: top.killedifabused1.xyz 194.5.98.147, 12489, 49731, 49734 DANILENKODE Netherlands; 192.168.2.1 unknown unknown
        signatures: Performs DNS queries to domains with low reputation; Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; 3 other signatures
        mobsync.exe (started)
            signatures: Tries to harvest and steal browser information (history, passwords, etc)
        mobsync.exe (started)
        mobsync.exe (started)
    cmd.exe (started)
        cmd.exe (started)
            conhost.exe (started)
        conhost.exe (started)
Mzifsvd.exe (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Mzifsvd.exe (started)
Result
Malware family:
Score:
  10/10
Tags:
family:remcos botnet:derrick persistence rat
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
top.killedifabused1.xyz:12489
Unpacked files
SHA256 hash:
5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32
MD5 hash:
3e9b080fb62948db627a904b7af653ea
SHA1 hash:
93a66126bdeb846724b41d44c6a7cac15c5ed636
SHA256 hash:
3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
MD5 hash:
c9be6f0e1c9c5cad19e97353bbdbf857
SHA1 hash:
db47280c828d40c34522f3acf88ec2b71e907ff5
Please note that we are no longer able to provide a coverage score for Virus Total.
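The indicators above (the sample and unpacked-payload hashes, the extracted C2 top.killedifabused1.xyz:12489 and the IP it resolved to in the sandbox, the Run-key persistence, and the code-signing certificate that expired in 2011 and uses sha1WithRSAEncryption) can be turned into a small triage script. The following is an added example, not MalwareBazaar's code and not from any of the sandbox vendors quoted on this page. The hashes, dates, C2 and registry path are copied from the entry; the log lines, the host names WS01/WS02, the source address 192.168.2.15, the Run value name Mzifsvd and the log field layout are constructed for the example. The certificate check shows why the "signed" tag should not be read as trust: the certificate lapsed roughly ten years before the sample was first seen.

```python
"""IOC triage for this MalwareBazaar entry.

Added example, not MalwareBazaar's or any vendor's code.  Hashes, C2,
certificate dates and the Run-key path are copied from the page; the
log lines at the bottom are constructed for the example.
"""
import hashlib
import re
from datetime import datetime, timezone

# Hashes of the sample and of the unpacked payload listed under "Unpacked files".
IOC_HASHES = {
    "sha256": {
        "3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719",
        "5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32",
    },
    "sha1": {
        "db47280c828d40c34522f3acf88ec2b71e907ff5",
        "93a66126bdeb846724b41d44c6a7cac15c5ed636",
    },
    "md5": {
        "c9be6f0e1c9c5cad19e97353bbdbf857",
        "3e9b080fb62948db627a904b7af653ea",
    },
}
# Extracted Remcos C2 and the IP the sandbox resolved it to.
C2_HOST, C2_PORT, C2_IP = "top.killedifabused1.xyz", 12489, "194.5.98.147"
# Persistence location reported by the sandbox.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Code-signing certificate fields and the first-seen timestamp from the page.
CERT_VALID_FROM = datetime(2010, 2, 24, tzinfo=timezone.utc)
CERT_VALID_TO = datetime(2011, 2, 24, 23, 59, 59, tzinfo=timezone.utc)
CERT_ALGORITHM = "sha1WithRSAEncryption"
FIRST_SEEN = datetime(2021, 6, 15, 14, 33, 15, tzinfo=timezone.utc)


def digest_matches(digests: dict) -> dict:
    """Return the subset of {algo: hexdigest} that appears in IOC_HASHES."""
    return {a: d.lower() for a, d in digests.items()
            if d.lower() in IOC_HASHES.get(a, set())}


def file_matches(data: bytes) -> dict:
    """Hash raw file bytes with all three algorithms and match them."""
    return digest_matches({
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    })


def signature_warnings(valid_from, valid_to, first_seen, algorithm) -> list:
    """Reasons the "signed" tag should not be read as trust.

    Without a trusted countersignature timestamp, Windows does not accept an
    Authenticode signature once the signing certificate has expired, so a
    certificate that lapsed years before the sample appeared is a red flag,
    not evidence of legitimacy.  SHA-1 signatures are deprecated as well.
    """
    warnings = []
    if not valid_from <= first_seen <= valid_to:
        warnings.append(
            f"first seen {first_seen:%Y-%m-%d} outside certificate validity "
            f"{valid_from:%Y-%m-%d} to {valid_to:%Y-%m-%d}")
    if algorithm.lower().startswith(("sha1", "md5")):
        warnings.append(f"deprecated signature algorithm {algorithm}")
    return warnings


def page_signature_warnings() -> list:
    """Apply the check to the certificate and first-seen date on this page."""
    return signature_warnings(CERT_VALID_FROM, CERT_VALID_TO, FIRST_SEEN, CERT_ALGORITHM)


_DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def scan_log(lines) -> list:
    """Return (line_number, reason) for lines touching the C2 or the Run key.

    The resolved IP is only matched together with the C2 port, so a shared
    hosting address does not produce hits on unrelated connections.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        m = _DST_RE.search(line)
        if C2_HOST in low:
            hits.append((n, "c2-domain"))
        elif m and m.group(1) == C2_IP and int(m.group(2)) == C2_PORT:
            hits.append((n, "c2-ip-port"))
        elif RUN_KEY.lower() in low:
            hits.append((n, "run-key-persistence"))
    return hits


# Constructed log lines in the shape of DNS, firewall and Sysmon (EID 13) events.
SAMPLE_LOG = [
    "2021-06-15T14:40:02Z dns host=WS01 qname=top.killedifabused1.xyz answer=194.5.98.147",
    "2021-06-15T14:40:03Z fw allow src=192.168.2.15:49731 dst=194.5.98.147:12489 proto=tcp",
    "2021-06-15T14:40:05Z sysmon eid=13 image=C:\\Windows\\System32\\mobsync.exe "
    "target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Mzifsvd",
    "2021-06-15T14:41:00Z fw allow src=192.168.2.15:49800 dst=162.159.133.233:443 proto=tcp",
    "2021-06-15T14:41:02Z dns host=WS02 qname=www.example.com answer=203.0.113.10",
]

if __name__ == "__main__":
    for w in page_signature_warnings():
        print("signature:", w)
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"log line {n}: {reason}")
    print("empty file matches:", file_matches(b""))
```

Note that the connection to cdn.discordapp.com on 443 is deliberately not flagged: the sandbox shows it as the download stage, but the CDN address is shared infrastructure and only the extracted C2 host and host:port pair are treated as indicators here.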

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_DLAgent07
Author:ditekSHen
Description:Detects delf downloader agent

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method:Web download
Signature:RemcosRAT
File:Executable exe 3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719 (this sample)

Delivery method
Distributed via web download

Comments