MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d4d221fa98163aa9b8be6b342188405f191427ffeb8da3d262f6e2c7e3db9b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	4d4d221fa98163aa9b8be6b342188405f191427ffeb8da3d262f6e2c7e3db9b6
SHA3-384 hash:	69902742457094bf6811ff34b12c15bdb05c4680952c5f0801d17aca9613777b9848f06f1c6eaa641d08db5ad194a59b
SHA1 hash:	b86da9962b8c692dc42ab656504433ef68be4cfe
MD5 hash:	ec3b22a4ee66a0a0814f42521d34466e
humanhash:	tennis-north-yankee-april
File name:	noob.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	243'779 bytes
First seen:	2022-04-14 17:01:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b34f154ec913d2d2c435cbd644e91687 (548 x GuLoader, 117 x RemcosRAT, 80 x EpsilonStealer)
ssdeep	6144:y5lz/tAkx7ZBATV6XomeYqzv896bPevuv38pbEahfVz:ybNhZmxoeRLAnvucbEaz
Threatray	2'465 similar samples on MalwareBazaar
TLSH	T1363412A51E31C093CAA5CEF14E2E7262ABB7F2116480674FCB44BB4937352C5846DBF6
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	968ee8e8aa8ecce8 (1 x RemcosRAT)
Reporter	adm1n_usa32
Tags:	exe remcos RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

396

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

noob.exe

Verdict:

Malicious activity

Analysis date:

2022-04-14 17:00:30 UTC

Tags:

remcos rat keylogger

Link:

https://app.any.run/tasks/24c7d3c3-db51-4271-89da-69a2c6c4a93e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Remcos

Link:

https://www.capesandbox.com/analysis/263830/

Detection(s):

SecuriteInfo.com.Trojan.Multi.Generic.4c.11520.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Searching for the window

Creating a file

Delayed writing of the file

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Enabling autorun with system ini files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13908/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll wacatac

Link:

https://www.filescan.io/uploads/625853aa482f2f41caaf5904/reports/2ad31430-1404-4aab-9e51-a8724a0fe0b8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Parallax RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6abb8312-9b2c-4290-89e9-9ad491335a3a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/977069

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected KeepHala Crypter

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d4d221fa98163aa9b8be6b342188405f191427ffeb8da3d262f6e2c7e3db9b6/

Threat name:

Win32.Trojan.Makoob

Status:

Malicious

First seen:

2022-03-16 03:49:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 42 (61.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jvgseh5jqfr2vg4l42zuegeeaxyzcqt7724nupjgf5xcy7r5xg3a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

5bddffdbdadb3f5d1f08cb87b5227b914d7e844b2fb3b626d1fa42dda37f182d

RemcosRAT

8c67e9754246bec65af380abf8daf397d6ab4a0ae2e57143622fdf6e8dc37b50

RemcosRAT

92a5e29476cdb43a5d56b2709e98a54e1ef4e4af24d4c136caa8a147014898a6

RemcosRAT

a01d4a1b86c5cef8726cc8f8c26a93739f10d1f68d101f9d2d94302dc248704e

RemcosRAT

aeaf83e513f357bf42bfe176f3706029604e3012b92a57fe4e7c83f5450175d9

RemcosRAT

d5a390826c535824c9e5b67ac883e10880df541b463d68de4187fdb9adc614ba

RemcosRAT

f5e9c92a15746fdf49171ed78dbea3250cefe1beeffe6c6f706d8241d3f60739

RemcosRAT

faec6f7ecdb79531edf3c1bb871a71d923a51b18aa5955d3ba804fe7ac598518

RemcosRAT

+ 2'455 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:dis rat

Link:

https://tria.ge/reports/220414-vj4kpsdchk/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Loads dropped DLL

Blocklisted process makes network request

Remcos

Malware Config

C2 Extraction:

37.1.206.146:11011

Unpacked files

SH256 hash:

ebf9e51ac807deb602da7c5d6ee7f90c46a800a46e86947dec206811b47d11e3

MD5 hash:

36921473d1ee96ccb0c1236ab0bf7c4b

SHA1 hash:

160183db3e3d2b3df2389a8257fd696a5b2addbf

Link:

https://www.unpac.me/results/202e7ace-b159-420b-be65-29f83f58cdda/

SH256 hash:

e457bf97dedc3a13e4d07665bb559edafde145798057d8d48cc892adc7ad1960

MD5 hash:

ee526797868d4ef8407045a78dfb8e72

SHA1 hash:

c17ecf8ae4518c6120ad9f9e91ad66bba239ead5

Link:

https://www.unpac.me/results/202e7ace-b159-420b-be65-29f83f58cdda/

SH256 hash:

4d4d221fa98163aa9b8be6b342188405f191427ffeb8da3d262f6e2c7e3db9b6

MD5 hash:

ec3b22a4ee66a0a0814f42521d34466e

SHA1 hash:

b86da9962b8c692dc42ab656504433ef68be4cfe

Link:

https://www.unpac.me/results/202e7ace-b159-420b-be65-29f83f58cdda/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4d4d221fa98163aa9b8be6b342188405f191427ffeb8da3d262f6e2c7e3db9b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	malware_Remcos_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	kevoreilly
Description:	Remcos Payload

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	SUSP_VBS_Wscript_Shell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/263830/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample