MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62
SHA3-384 hash: c833022b02b461acec58a951947d5901c7312c4ea20533b7a15294471e4cddc8fc0830b6cd476f92b6ff0470e5167a21
SHA1 hash: ef799bbe58d3d576e9e27e60e17e071725c975d8
MD5 hash: abd99b6d60ee5d44f0e5448d3947b281
humanhash: glucose-video-indigo-sodium
File name:5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'015'168 bytes
First seen:2024-09-06 14:39:19 UTC
Last seen:2024-09-06 15:40:44 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 21290d9d3a8c60157412c08f4b84b335 (1 x RemcosRAT)
ssdeep 49152:hk8XGHSOdOoyWzL/bI7UAnuqSrtdBDmfKtTaeBiDw0uv+Kx55+v0UbpeQM/TNSWs:XGy0FfDEUYuqSvBDmS3YDw0+eha78
TLSH T13BD59C00B9908165D19230789D79A7D45629EEB517329CDB7A803E2F2AF4EF25333FC6
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 9334b453aaaaa8c8 (1 x RemcosRAT)
Reporter JAMESWT_WT
Tags:dll privmerkt-com remcos RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.AsyncRATNET.2.24637.14702.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66db1445f3d7ccf99f902e71
Tags:
Discovery Execution Infostealer Network Static Stealth Generickd
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto finger fingerprint hacktool lolbin microsoft_visual_cc packed remcos remote setupapi
Link:
https://www.filescan.io/uploads/66db144ea87cd1493c61d436/reports/ecafcf85-7997-40c0-8dae-d6ebeae9b9a5/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24991337-dc13-4662-8764-cc10dd45deb9
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1505693
Signature
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Drops large PE files
Drops PE files to the document folder of the user
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1505693 Sample: zz91Dcv5Kf.dll Startdate: 06/09/2024 Architecture: WINDOWS Score: 100 61 privmerkt.com 2->61 63 nwemarkets.com 2->63 65 geoplugin.net 2->65 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 7 other signatures 2->79 11 loaddll32.exe 1 2->11         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        signatures3 process4 process5 17 cmd.exe 1 11->17         started        19 rundll32.exe 11->19         started        22 rundll32.exe 11->22         started        24 2 other processes 11->24 signatures6 26 rundll32.exe 1 17->26         started        81 Contains functionality to bypass UAC (CMSTPLUA) 19->81 83 Drops PE files to the document folder of the user 19->83 85 Contains functionalty to change the wallpaper 19->85 89 4 other signatures 19->89 30 rundll32.exe 19->30         started        87 Injects a PE file into a foreign processes 22->87 32 rundll32.exe 22->32         started        34 rundll32.exe 24->34         started        process7 file8 57 C:\Users\user\Documents\FirefoxData.dll, PE32 26->57 dropped 97 Injects a PE file into a foreign processes 26->97 36 rundll32.exe 26->36         started        41 cmd.exe 1 26->41         started        99 Detected Remcos RAT 30->99 signatures9 process10 dnsIp11 69 privmerkt.com 172.111.244.7, 49706, 49708, 6042 M247GB United States 36->69 71 geoplugin.net 178.237.33.50, 49709, 80 ATOM86-ASATOM86NL Netherlands 36->71 55 C:\Users\user\AppData\Local\...\res_out.exe, PE32 36->55 dropped 93 System process connects to network (likely due to code injection or exploit) 36->93 95 Detected Remcos RAT 36->95 43 res_out.exe 2 2 36->43         started        47 reg.exe 1 1 41->47         started        49 conhost.exe 41->49         started        file12 signatures13 process14 file15 59 C:\Users\user\Pictures\...\ClipperNss.exe, PE32 43->59 dropped 101 Antivirus detection for dropped file 43->101 103 Multi AV Scanner detection for dropped file 43->103 105 Contains functionality to bypass UAC (CMSTPLUA) 43->105 111 7 other signatures 43->111 51 res_out.exe 3 13 43->51         started        107 Creates autostart registry keys with suspicious names 47->107 109 Creates multiple autostart registry keys 47->109 signatures16 process17 dnsIp18 67 nwemarkets.com 172.94.9.207 VOXILITYGB United States 51->67 91 Detected Remcos RAT 51->91 signatures19
Score:
2%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-08-20 03:53:23 UTC
File Type:
PE (Dll)
Extracted files:
35
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmnkekdndocwzzc7yg7qoxzwivfkvrteiyfpxeiylrgmiujjdnra._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery persistence rat
Link:
https://tria.ge/reports/240906-r1vsca1grm/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
privmerkt.com:6042
nwemarkets.com:5290
Unpacked files
SH256 hash:
5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62
MD5 hash:
abd99b6d60ee5d44f0e5448d3947b281
SHA1 hash:
ef799bbe58d3d576e9e27e60e17e071725c975d8
Link:
https://www.unpac.me/results/d7ccbfa1-ff0a-4ebc-acce-aaaf0a20b836/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b1aa2286d1b856ce45fc1bf075f36454aaac664460afb91185c4cc451291b62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
NCRYPT_APIUses NCrypt APIncrypt.dll::NCryptCreatePersistedKey
ncrypt.dll::NCryptDecrypt
ncrypt.dll::NCryptOpenKey
ncrypt.dll::NCryptSignHash
SS_APIUses SS APIbcrypt.dll::BCryptVerifySignature
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptCreateHash
bcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyHash
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptEncrypt
bcrypt.dll::BCryptFinishHash
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertAddCertificateContextToStore
CRYPT32.dll::CertAddCertificateLinkToStore
CRYPT32.dll::CertCreateSelfSignCertificate
CRYPT32.dll::CertFindCertificateInStore
CRYPT32.dll::CertFreeCertificateContext
CRYPT32.dll::CertGetCertificateContextProperty
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA

Comments