MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253
SHA3-384 hash: 50459b57eb6b9358c7b6af7a4d2dbe7dc4dcdcdac2511b9ce4813efc10385a6dde18d237d0c96fb15de760dba8cc143f
SHA1 hash: de0d305c12f60191beabbd5e875ac410dac8cde1
MD5 hash: 1d8a78003b98c9af50cc28803971e576
humanhash: hydrogen-lake-echo-lithium
File name:atikmdag-patcher 1.4.7.sfx.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:5'736'062 bytes
First seen:2021-01-18 22:27:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:qLjUMaieixBvC/Gf0Cl5YMHZnyrDrP3OK6Q54FwQcmb6Ef7Cq:maiLPvR58DrP3sQQ2q
Threatray 729 similar samples on MalwareBazaar
TLSH 04463305B9C0C931D4271AB22AB6D610E6B8BC356B24CDCB63D5743DAA710D25A34FFB
Reporter o2genum
Tags:exe RemcosRAT


Avatar
o2genum
Distributed as ZIP.
Packed into SFX RAR for analysis.

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
atikmdag-patcher 1.4.7.sfx.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-18 22:29:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/615b26ef-2b82-4482-87ed-7d081a9117d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112702/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Forced shutdown of a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584319
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops executable to a common third party application directory
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341195 Sample: atikmdag-patcher 1.4.7.sfx.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Detected Remcos RAT 2->56 58 Yara detected Remcos RAT 2->58 10 atikmdag-patcher 1.4.7.sfx.exe 14 2->10         started        process3 file4 42 C:\Users\user\...\atikmdag-patcher.exe, PE32 10->42 dropped 13 atikmdag-patcher.exe 3 13 10->13         started        process5 file6 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->44 dropped 16 atikmdag-patcher.exe 5 45 13->16         started        process7 file8 34 C:\Users\user\AppData\...\is-5GU0N.tmp, PE32 16->34 dropped 36 C:\Users\user\AppData\...\is-SMS2K.tmp, PE32 16->36 dropped 38 C:\Users\user\AppData\...\is-SHTQE.tmp, PE32 16->38 dropped 40 29 other files (none is malicious) 16->40 dropped 19 StringJ.exe 16->19         started        22 atikmdag-patcher.exe 16->22         started        process9 signatures10 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->60 62 Hijacks the control flow in another process 19->62 64 Writes to foreign memory regions 19->64 66 Allocates memory in foreign processes 19->66 24 notepad.exe 19->24         started        process11 signatures12 68 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->68 70 Hijacks the control flow in another process 24->70 72 Writes to foreign memory regions 24->72 74 Maps a DLL or memory area into another process 24->74 27 cmd.exe 24->27         started        30 cmd.exe 2 6 24->30         started        process13 dnsIp14 76 Contains functionality to steal Chrome passwords or cookies 27->76 78 Contains functionality to capture and log keystrokes 27->78 80 Contains functionality to inject code into remote processes 27->80 82 Contains functionality to steal Firefox passwords or cookies 27->82 50 5.45.87.29, 49739, 8000 SCALAXY-ASNL Russian Federation 30->50 46 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 30->46 dropped 48 C:\Users\user\AppData\Roaming\...\ads.exe, PE32 30->48 dropped 84 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 30->84 86 Drops executable to a common third party application directory 30->86 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253/
Verdict:
malicious
Similar samples:
2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90
RemcosRAT
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
RemcosRAT
7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
RemcosRAT
b2f7094f521419809d946a68870b02bdd3a928c5a4d57ccdaea3b8f49bb96151
RemcosRAT
b46b5b42ac74dfcff2d6dcd0ea1492c7065428ced5276fff88bbb06415315bef
RemcosRAT
cb7a74842bedcc2a37001978778e146e251cd2aac681d349d8f448f08f1a9868
RemcosRAT
d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be
RemcosRAT
d9165452d3a756f74bdc02fdc8477460abe31bcfa850f2211588e10dd0b1e084
RemcosRAT
e37fafdd25f747743179e4b4a444b6c30767c727f343a20b7b3f2d09eaf3d485
RemcosRAT
f7ae9bdd03e5df038aad0e809dbf31a00ca5e3b6aec3960417e14d5da18fd373
RemcosRAT
+ 719 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210118-8kr4p26j3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
5.45.87.29:8000
Unpacked files
SH256 hash:
c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c
MD5 hash:
abf6c724b20844d5b0073988a58faf1e
SHA1 hash:
7a8269d5b2ae623f8148ce9863f48f7e12ce036b
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
f570526d0fa2df2875fafd51dc8fe92922346760e886ca38234671aa235d17dd
MD5 hash:
a373b738475b015bc346762bc0f09e81
SHA1 hash:
f51340d5b349e802495fe0468c59d15e5afe02fb
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
97d05a17a1a1bd83fa5e39a3175f7ebf70fcc21739b86bce57be0e67026b8216
MD5 hash:
2a58e1da018b45d632b12c373ebfeae7
SHA1 hash:
f169f17d2ea3285c4be3cfcf98a1e5153d62e1a7
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
9f1d71531d15acd0cfa1d758d20fe61b839dcdc76dc88cb939c6cd95173a1444
MD5 hash:
256f9d0efe38819e722a49aa681bedc1
SHA1 hash:
ca87abfebac381797e189f3a5adc954c1030cbaf
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
e415776912c4d82ca7617202297ae20146f45ff394ddd8f86303a535e7c17503
MD5 hash:
aedaad1c60b3b70f0528637c0d8330a0
SHA1 hash:
c77aebe5501fec9b30dd224a95b794a431246cac
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
a2a83dad0a1da487fe9d5f0b04066879ebb91bd4f0a25c728394088a13736f7e
MD5 hash:
1c94946870b385f777397780212b5197
SHA1 hash:
b716e1b5f7dfe54f574484e8b8c09be99559e0d2
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
9a1f03da8724abd07a272b7a57c97b1847bdae43c47041c1ef4ebf2c369f683d
MD5 hash:
ce336aff6f7186fa3c60564211acd2fc
SHA1 hash:
a72c8d786f1ab341a7050088dd3c35d3650a65c3
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
e4ce782a7ac619ecab11de124085c6754e47367459f93c6a14fb0c50eed4573f
MD5 hash:
d9a23980e0643a91e2877f3b934b6f4a
SHA1 hash:
9c70ae68cf7dae1582445a576726db17276e2ae2
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
c864b2f0328a9f1b3c9082137672e61e6d1800f22565832ee673a65607a41ed8
MD5 hash:
82244b1731e53f0f8ad064aa48092009
SHA1 hash:
90ef308679c24db54b71fcace0be638e82a35704
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
84aa5b064722da44dc5006432e7d5eb5fc934ff816d5e4c67de4aeb3af8e8625
MD5 hash:
b8459d8be89ce349ad18be04e6f95ef3
SHA1 hash:
7631b9d8c081cb881a1dcf45185d556f60d5f66b
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
a6172cf654620ba05cf90a940e401f9f857d71d16f5d8cc0f53797e8a8960a5b
MD5 hash:
363bdd2bfea2879e9d7cdc21ab67be31
SHA1 hash:
2db3207b4a50245ab8025352aac948ebbccf1b29
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
bfa329e7ce59ec12557b21e72192a3d70796a20cb44986c475cc3968a3d580dd
MD5 hash:
dd09ef6f66f2b551f4cfbf77f1cf53ca
SHA1 hash:
2d450eede1ce1f247fb8228941471cd5ec8754b7
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
a0181c4913b1b8d3f3c981afdec8586144fc17ddb31f67bf2c6e8edfca7529d4
MD5 hash:
b83222c4677e1b58da16e730b87d4188
SHA1 hash:
28049899c172919510f8ef83c22527d5c935fcb2
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
006ed8de1f8e650bd23bda9f6448f0caccc97e1673005d79ff74831603a20251
MD5 hash:
da6245c6be4fccd30d607b3694028a05
SHA1 hash:
1086a65d22847cffaf01c138aa25699dbb37dc84
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
c07908e91f50c117e6a1d7e410ecaabdf9c44ff162a649feae30d8a65e3435e7
MD5 hash:
be7798ae5c2ab7d11f92e9ec10139b77
SHA1 hash:
04dc4a6d36ccf2ad2a8212e12b2a333990706ba5
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
3ef90c577b1e3bc5055598c5201c7cc21d1f11aec678c514a44156e38abc9fdf
MD5 hash:
b2ab314b49a0ac9f3a05ca541dac92b9
SHA1 hash:
39e1f71801323f2df350186b48f6bf5744ce5cc3
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
SH256 hash:
458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253
MD5 hash:
1d8a78003b98c9af50cc28803971e576
SHA1 hash:
de0d305c12f60191beabbd5e875ac410dac8cde1
Link:
https://www.unpac.me/results/c8c9f3ea-0f02-43de-a7c6-c9263aae7381/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://crypto-wikipedia.com/atikmdag-patcher-1-4-7-lastest/
  
Link
https://blockchain-media.org/atikmdag-patcher/
Cape
Cape
https://www.capesandbox.com/analysis/112702/

Comments