MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
SHA3-384 hash: 28459a034f0d717e461235d7f0a91961f2d9745e5d4b40f4f1f14e3a607f32c9dbe1d8557e07f00f9cacebe272f33dae
SHA1 hash: 75e00f201a7ed6d2d1def492445a4fb7665eac68
MD5 hash: d2e7c1150693130bfd4aa71d482b8cf3
humanhash: oklahoma-uranus-hydrogen-don
File name:atikmdag-patcher_1.4.8.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'454'977 bytes
First seen:2021-01-06 00:32:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (865 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:qfT/4tri6X7yJqkzoMOnF8EvqBLzJrD0qhSvzPpQEg1Jy9odYqYvVg2N:i4BhKqks+Evq/Do7Y1Jy9odwNg2N
Threatray 1'670 similar samples on MalwareBazaar
TLSH CD263312B6D410B3C13A1972153D9711ADB9BD601F2C4E8B63E4AEE9CF718E1B631B63
Reporter o2genum
Tags:exe RemcosRAT


Avatar
o2genum
Distributed as ZIP.
Packed into RAR SFX for analysis.

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
atikmdag-patcher_1.4.8.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 00:35:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f1857f0-9ed4-4106-a8a6-a4593075da25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110640/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the Windows directory
Moving a file to the Windows directory
Sending a UDP request
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/574728
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336422 Sample: atikmdag-patcher_1.4.8.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 54 51 Malicious sample detected (through community Yara rule) 2->51 53 Detected Remcos RAT 2->53 55 Yara detected Remcos RAT 2->55 10 atikmdag-patcher_1.4.8.exe 15 2->10         started        process3 file4 39 C:\Users\user\...\atikmdag-patcher.exe, PE32 10->39 dropped 13 atikmdag-patcher.exe 3 13 10->13         started        process5 file6 41 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->41 dropped 16 atikmdag-patcher.exe 5 14 13->16         started        process7 file8 33 C:\Windows\is-VLOPD.tmp, PE32 16->33 dropped 35 C:\Windows\is-1UBDO.tmp, PE32 16->35 dropped 37 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->37 dropped 49 Drops executables to the windows directory (C:\Windows) and starts them 16->49 20 versioncheck.exe 16->20         started        23 atikmdag-patcher.exe 16->23         started        signatures9 process10 signatures11 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->57 59 Hijacks the control flow in another process 20->59 61 Writes to foreign memory regions 20->61 63 Allocates memory in foreign processes 20->63 25 notepad.exe 20->25         started        process12 signatures13 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 25->65 67 Hijacks the control flow in another process 25->67 69 Writes to foreign memory regions 25->69 71 Maps a DLL or memory area into another process 25->71 28 cmd.exe 2 6 25->28         started        process14 dnsIp15 47 5.61.56.10, 49740, 49741, 49742 SCALAXY-ASNL United Kingdom 28->47 43 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 28->43 dropped 45 C:\Users\user\AppData\Roaming\...\ads.exe, PE32 28->45 dropped 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->73 75 Contains functionality to steal Chrome passwords or cookies 28->75 77 Contains functionality to capture and log keystrokes 28->77 79 3 other signatures 28->79 file16 signatures17
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5/
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
17a87ce9f1b198eb1dacc4dde36af67169515d41b322d6bcbaf1861f2d812d39
RemcosRAT
44eb61ad9603cc802e8a59f356dadedf4be9dc315862a9bb2eddec1bcc9288a8
RemcosRAT
46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48
RemcosRAT
4f718a40662228b1b5efca4664eb07f6d1918b62bc8b29598410d1dc5bb76c70
RemcosRAT
9502b93f782ae19b93623605f74ebc2ee277a453ecd2286ef990d62c28a601e6
RemcosRAT
98d8bbdf43367821e74fd0c26f5bdda07fe9a750476cce1bb0df88c5aa18b745
RemcosRAT
bc8513a74ddfc1a9a78fbdbf39d90a61d59819dfb116846daf730693622c3c69
RemcosRAT
be9005c3def853773256e54e0d8f307a7cd323fa0e86b4691c6e8619b9632afd
RemcosRAT
d0fbaa4e5d7b512cdc4b3b63ddbed59d1cb741f3925381124ee91942ecfdf3a6
RemcosRAT
f7ae9bdd03e5df038aad0e809dbf31a00ca5e3b6aec3960417e14d5da18fd373
RemcosRAT
+ 1'660 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210106-bjt7vddrj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
5.61.56.10:9004
Unpacked files
SH256 hash:
7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
MD5 hash:
d2e7c1150693130bfd4aa71d482b8cf3
SHA1 hash:
75e00f201a7ed6d2d1def492445a4fb7665eac68
Link:
https://www.unpac.me/results/7fcb0179-a9d4-4b28-8c9d-252d8150af07/
SH256 hash:
77283b212f311124dae6d645ad2928f4a91094b5750aca18a953d35fc924c150
MD5 hash:
9ee71c4f329456bab3e6a1eac7200c36
SHA1 hash:
4f882a834e4b2833d640e11db44a724d4938d9ab
Link:
https://www.unpac.me/results/7fcb0179-a9d4-4b28-8c9d-252d8150af07/
SH256 hash:
35bea59f55111a25b155a34b41d787c5f525dff505f297ff54059466cf560e49
MD5 hash:
cbd8fabfd69d141c636edbb1ca17ebe0
SHA1 hash:
e623579f84c29f62c08df8e4dc526ea4ad4a6055
Link:
https://www.unpac.me/results/7fcb0179-a9d4-4b28-8c9d-252d8150af07/
SH256 hash:
8b1f78c8f6f2d6ae21fa3b538d7bb596582fe08ba395390e6c65c26b702a7579
MD5 hash:
61656b52ba25d5437ad9ae9905340d41
SHA1 hash:
9c89057263535724b3191275d7483a9ec836edb7
Link:
https://www.unpac.me/results/7fcb0179-a9d4-4b28-8c9d-252d8150af07/
SH256 hash:
c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c
MD5 hash:
abf6c724b20844d5b0073988a58faf1e
SHA1 hash:
7a8269d5b2ae623f8148ce9863f48f7e12ce036b
Link:
https://www.unpac.me/results/7fcb0179-a9d4-4b28-8c9d-252d8150af07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5

(this sample)

  
Link
https://crypto-wikipedia.com/atikmdag-patcher-1-4-7-lastest/
anyrun
any.run
https://app.any.run/tasks/3e4305a7-e836-4b4f-b691-73657123e13e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110640/

Comments