MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23
SHA3-384 hash: 23b44f6ebb2166b254c1cdf44c03062c9065adc2179ccd0bae5fba4f61d3b4a72b91556f4a94b3f2e034bafe213b97ae
SHA1 hash: c37f7d72d6f06e0037d7b17a7b7d4393929c6722
MD5 hash: babbb4eede7ddd720a38a515581a6238
humanhash: london-october-west-network
File name:61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'237'012 bytes
First seen:2021-08-30 07:04:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaWbfD4+wvfMkAVf5:Uh+ZkldoPK8YaWY+we
Threatray 2'978 similar samples on MalwareBazaar
TLSH T1A045AD0263918036FFAE92739B6AB24156BD69253133CC3F13981DB9B9701B11E7D26F
dhash icon 3038b870e0828000 (2 x RemcosRAT)
Reporter JAMESWT_WT
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23
Verdict:
Suspicious activity
Analysis date:
2021-08-30 07:10:40 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/b687a077-82f4-48a1-9add-5c8aab99f629

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183584/
Detection(s):
Win.Malware.Autoit-7080596-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Unauthorized injection to a recently created process
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f23d108-38ac-45e7-a8c7-67d3ccb78726
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842004
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474432 Sample: y0rtBjRc55 Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 77 Multi AV Scanner detection for domain / URL 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 9 other signatures 2->83 10 y0rtBjRc55.exe 1 3 2->10         started        14 wscript.exe 1 2->14         started        16 remcos.exe 2->16         started        18 3 other processes 2->18 process3 file4 71 C:\Users\user\AppData\Roaming\...\setupcl.bat, PE32 10->71 dropped 73 C:\Users\Public\KHodniNRED.vbs, ASCII 10->73 dropped 113 Binary is likely a compiled AutoIt script file 10->113 115 Creates autostart registry keys with suspicious values (likely registry only malware) 10->115 117 Contains functionality to detect virtual machines (IN, VMware) 10->117 123 4 other signatures 10->123 20 y0rtBjRc55.exe 5 5 10->20         started        24 y0rtBjRc55.exe 3 1 10->24         started        26 y0rtBjRc55.exe 10->26         started        36 3 other processes 10->36 28 setupcl.bat 14->28         started        119 Injects a PE file into a foreign processes 16->119 30 remcos.exe 16->30         started        32 remcos.exe 16->32         started        121 Drops executables to the windows directory (C:\Windows) and starts them 18->121 34 setupcl.bat 18->34         started        38 2 other processes 18->38 signatures5 process6 file7 65 C:\Windows\SysWOW64\remcos\remcos.exe, PE32 20->65 dropped 67 C:\Windows\...\remcos.exe:Zone.Identifier, ASCII 20->67 dropped 69 C:\Users\user\AppData\Local\...\install.vbs, data 20->69 dropped 85 Creates multiple autostart registry keys 20->85 87 Creates an autostart registry key pointing to binary in C:\Windows 20->87 40 wscript.exe 1 20->40         started        89 Detected Remcos RAT 24->89 91 Writes to foreign memory regions 24->91 93 Allocates memory in foreign processes 24->93 42 iexplore.exe 24->42         started        95 Antivirus detection for dropped file 28->95 97 Multi AV Scanner detection for dropped file 28->97 99 Binary is likely a compiled AutoIt script file 28->99 45 setupcl.bat 28->45         started        47 setupcl.bat 28->47         started        49 setupcl.bat 28->49         started        101 Injects a PE file into a foreign processes 34->101 signatures8 process9 signatures10 51 cmd.exe 1 40->51         started        111 Injects a PE file into a foreign processes 42->111 53 iexplore.exe 42->53         started        55 iexplore.exe 42->55         started        process11 process12 57 remcos.exe 51->57         started        60 conhost.exe 51->60         started        signatures13 103 Antivirus detection for dropped file 57->103 105 Multi AV Scanner detection for dropped file 57->105 107 Binary is likely a compiled AutoIt script file 57->107 109 Injects a PE file into a foreign processes 57->109 62 remcos.exe 2 57->62         started        process14 dnsIp15 75 79.134.225.108, 49707, 49708, 49709 FINK-TELECOM-SERVICESCH Switzerland 62->75
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 13:26:47 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
39 of 46 (84.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhfhn6dqs6nsk2qz55v5fptokt5pzo226icadyubdyljm34rlmrq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1915126c27ba8566c624491bd2613215021cc2b28e5e6f3af69e9e994327f3ac
RemcosRAT
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
RemcosRAT
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
RemcosRAT
6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9
RemcosRAT
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
RemcosRAT
b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35
RemcosRAT
bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
RemcosRAT
c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
RemcosRAT
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
RemcosRAT
+ 2'968 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/210830-lrrwfnw6we/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
79.134.225.108:6868
Unpacked files
SH256 hash:
f4ca638edcb15cf3ddfbda1c47fdb446984a6f0b4ccaf265f25bd0be7a8f8f86
MD5 hash:
4a60fccd3251d269c74cb1e3ccece6fe
SHA1 hash:
649dd3971e5638f097a9fcdf2b267edcb3c98539
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/ccff1d71-ddff-4c57-a395-004d85da1319/
SH256 hash:
61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23
MD5 hash:
babbb4eede7ddd720a38a515581a6238
SHA1 hash:
c37f7d72d6f06e0037d7b17a7b7d4393929c6722
Link:
https://www.unpac.me/results/ccff1d71-ddff-4c57-a395-004d85da1319/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/61ca76f87097/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61ca76f870979b256a19ef6bd2be6e54fafcbb5af20401e2811e16966f915b23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183584/

Comments