MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 10



SHA256 hash: 622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02
SHA3-384 hash: 00c9a11b77a485ca6a7978026cd9cbef2589eed48818734c4b69220a17bedb1b1e040b3e6d1f6a77a1a113cbc6308fea
SHA1 hash: 499b648efe71c7bea8047e2acd133511cb77f87e
MD5 hash: d4506988d0df45f5896596328206f6fd
humanhash: black-pluto-bravo-mike
File name: zethpill.exe
Signature: RemcosRAT
File size: 4'793'856 bytes
First seen: 2020-12-18 17:46:11 UTC
Last seen: 2020-12-18 19:32:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 7a01c7fedddcd39114184f15c3eec9d8 (1 x RemcosRAT)
ssdeep 49152:QxmLLDKMAGV2HZWYUBQSwtPefiWQB/lXTj9QbA9thih0Ys06TLYGHw6TWT4JH9L2:FKMS9/Bx/ihyTLYr6
Threatray 1'271 similar samples on MalwareBazaar
TLSH 87267C227394543ED0670B3684BBA664A83EFF607712CD6B6BB02D4C9F36640792D35B
Reporter o2genum
Tags:exe RemcosRAT
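Before trusting any analysis of a downloaded copy, confirm it is the file this entry describes. The script below is an added example, not part of MalwareBazaar or this entry: it recomputes the four digests and the size listed above and reports any field that disagrees, and it does a cheap PE-header check matching the "Executable exe" / x-dosexec type. It assumes the download arrives as a single-member ZIP protected with the password "infected" (the site's convention, not stated on this page); a raw file can be passed to verify_bytes() directly.

```python
"""Verify a sample downloaded from MalwareBazaar against the hashes in the entry.

Added example, not part of the MalwareBazaar page. Assumption: the download is a
ZIP whose only member is the sample and whose password is b"infected" (site
convention, not stated on the page). A raw file goes straight to verify_bytes().
"""
import hashlib
import io
import sys
import zipfile

# Values copied from the entry for zethpill.exe.
ENTRY = {
    "sha256": "622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02",
    "sha3_384": "00c9a11b77a485ca6a7978026cd9cbef2589eed48818734c4b69220a17bedb1b1e040b3e6d1f6a77a1a113cbc6308fea",
    "sha1": "499b648efe71c7bea8047e2acd133511cb77f87e",
    "md5": "d4506988d0df45f5896596328206f6fd",
    "size": 4793856,
}

CHUNK = 1 << 20  # 1 MiB; hash in chunks so large samples do not need extra copies


def digests(data: bytes) -> dict:
    """Compute every digest the entry lists in a single pass over the bytes."""
    hs = {name: hashlib.new(name) for name in ("sha256", "sha3_384", "sha1", "md5")}
    view = memoryview(data)
    for off in range(0, len(view), CHUNK):
        chunk = view[off:off + CHUNK]
        for h in hs.values():
            h.update(chunk)
    out = {name: h.hexdigest() for name, h in hs.items()}
    out["size"] = len(data)
    return out


def verify_bytes(data: bytes, expected: dict = ENTRY) -> dict:
    """Return {field: (expected, actual)} for every listed field that does NOT match.

    An empty dict means the bytes are exactly the sample from the entry."""
    actual = digests(data)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def extract_sample(zip_bytes: bytes, password: bytes = b"infected") -> bytes:
    """Pull the single member out of a MalwareBazaar download archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if len(names) != 1:
            raise ValueError(f"expected exactly one member, got {names}")
        return zf.read(names[0], pwd=password)


def is_pe(data: bytes) -> bool:
    """Sanity check for the 'Executable exe' type: 'MZ' DOS header plus a
    'PE\\0\\0' signature at the e_lfanew offset (DOS header field at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read()
    if raw[:2] == b"PK":  # still inside the download archive
        raw = extract_sample(raw)
    print("PE header present:", is_pe(raw))
    mismatches = verify_bytes(raw)
    print("OK: all entry hashes match" if not mismatches else f"MISMATCH: {mismatches}")
```

Run it as `python verify.py 622a12c9…zip` (or on the extracted file). A mismatch on a single field is worth stopping for: a size or SHA256 difference means you are holding a different file, while the PE check catches the common mistake of hashing the encrypted archive instead of its member.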


o2genum
This is a payload extracted with ANY.RUN.

The virus is packed along with a popular mining utility, distributed in a multi-file ZIP:
https://bazaar.abuse.ch/sample/4f04d7c75cc1231cb592ac343d3c059cb607ef3fded1a8b3e1fb4d93dc851761/

The packer is recognizable by *-0.bin, *-1.bin files.

Intelligence


File Origin
# of uploads :
2
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OhGodAnETHlargementPill-r2.zip
Verdict:
Malicious activity
Analysis date:
2020-12-18 17:19:44 UTC
Tags:
rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox: its verdict covers everything the analyst did during the session, not only the uploaded sample.
Result
Verdict:
Malware
Behaviour
Creating a window
Sending a UDP request
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops executable to a common third party application directory
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 332362; sample zethpill.exe; start date 18/12/2020; architecture WINDOWS; score 100):

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Detected Remcos RAT
  Yara detected Remcos RAT

Process tree:
  zethpill.exe (started)
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; 2 other signatures
    extrac32.exe (started by zethpill.exe)
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Maps a DLL or memory area into another process
      cmd.exe (started by extrac32.exe)
        Network: 94.242.206.175, ports 49742 / 5885, ROOTLU, Luxembourg
        Dropped files: C:\Users\user\AppData\...\libcrypto-1_1.dll (PE32); C:\Users\user\AppData\...\HelpPane.exe (PE32); C:\Users\user\AppData\Local\...\cghelp.dll (PE32); 2 other files (1 malicious)
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; 3 other signatures
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2020-12-18 17:47:05 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:remcos rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
94.242.206.175:5885
Unpacked files
SHA256 hash:
622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02
MD5 hash:
d4506988d0df45f5896596328206f6fd
SHA1 hash:
499b648efe71c7bea8047e2acd133511cb77f87e
Please note that we are no longer able to provide a coverage score for Virus Total.
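The actionable indicators on this page are the extracted C2 socket (94.242.206.175:5885) and the executables the sandbox saw dropped under the user's AppData tree (libcrypto-1_1.dll, HelpPane.exe, cghelp.dll). The script below is an added example, not part of MalwareBazaar or any vendor report: it sweeps connection and file-creation records for those indicators, treating a connection to the C2 address on a different port as a weaker, separate finding, and flagging the dropped names only when they appear under AppData, because a genuine HelpPane.exe lives in C:\Windows. The log records and their flat comma-separated layouts are constructed for the example; the hostnames and internal addresses in them are made up.

```python
"""Sweep logs for the indicators in this MalwareBazaar entry.

Added example, not part of the page. The C2 socket and dropped file names come
from the entry; the records below and their 'ts,src,dst,dport' and 'host,path'
layouts are constructed for the example.
"""
import ipaddress

C2_IP = ipaddress.ip_address("94.242.206.175")  # from the entry's C2 extraction
C2_PORT = 5885

# Names the sandbox saw dropped under the user's AppData tree (paths truncated on the page).
DROPPED = {"helppane.exe", "cghelp.dll", "libcrypto-1_1.dll"}

# Constructed connection records: ts,src_ip,dst_ip,dst_port
CONN_LOG = """\
2020-12-18T17:50:01Z,10.0.0.23,94.242.206.175,5885
2020-12-18T17:50:02Z,10.0.0.23,93.184.216.34,443
2020-12-18T17:51:10Z,10.0.0.41,94.242.206.175,443
"""

# Constructed file-creation records: host,path
FILE_LOG = """\
ws-23,C:\\Windows\\HelpPane.exe
ws-23,C:\\Users\\alice\\AppData\\Roaming\\HelpPane.exe
ws-23,C:\\Users\\alice\\AppData\\Local\\Temp\\cghelp.dll
ws-41,C:\\Program Files\\OpenSSL\\libcrypto-1_1.dll
"""


def c2_hits(lines):
    """Classify connections: 'exact' for the extracted socket, 'ip_only' when the
    destination is the C2 host but on another port (a different campaign, or a
    reconfigured client; worth a look, but not the same confidence)."""
    hits = {"exact": [], "ip_only": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        if ipaddress.ip_address(dst) != C2_IP:
            continue
        if int(dport) == C2_PORT:
            hits["exact"].append((ts, src))
        else:
            hits["ip_only"].append((ts, src, int(dport)))
    return hits


def dropped_file_hits(lines):
    """Flag the dropped names only under AppData: HelpPane.exe is a legitimate
    Windows binary in C:\\Windows, and libcrypto-1_1.dll ships with many
    products, so the location is the anomaly, not the name."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, path = line.split(",", 1)
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in DROPPED and "\\appdata\\" in low:
            hits.append((host, path))
    return hits


def sweep():
    """Run both checks over the constructed records."""
    return {
        "c2": c2_hits(CONN_LOG.splitlines()),
        "files": dropped_file_hits(FILE_LOG.splitlines()),
    }


if __name__ == "__main__":
    for kind, result in sweep().items():
        print(kind, result)
```

On the constructed data the sweep returns one exact C2 hit from 10.0.0.23, one IP-only hit from 10.0.0.41 on port 443, and two AppData file hits on ws-23; the C:\Windows and Program Files copies are correctly left alone. Hosts with an exact hit plus AppData drops are the ones to image first.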

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample relations (parent to child):
  2a49c044274a923629a9b7ed43b13c8894215bf37c90df9dbec19af5e6dfcebc
    RemcosRAT, Executable exe, 622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02 (this sample)

Dropped by: SHA256 2a49c044274a923629a9b7ed43b13c8894215bf37c90df9dbec19af5e6dfcebc
Delivery method: Distributed via web download

Comments