MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 13 File information Comments

SHA256 hash:	891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de
SHA3-384 hash:	6fa36da7508d6e7710b3f6516b92bf49543d1ae52490f5c33fb640e62c2b212967d857ad07a184b39f67bb8b67316381
SHA1 hash:	03e68d10cbe6dfca2af6a3b88905c078025cb9e1
MD5 hash:	fb0b58548f18718f51bb0a189064b9da
humanhash:	oregon-bluebird-early-sodium
File name:	zphoenixminer.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	4'423'680 bytes
First seen:	2020-12-23 22:35:08 UTC
Last seen:	2020-12-24 00:57:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a5cb7a1765571ee21e2c7f0659ae8b75 (1 x RemcosRAT)
ssdeep	49152:D3zWtcb1X8oh1zSnnfCpqOHQHtuU/AM6XuTlTwtExDt:bvBUfhOHWEwD
Threatray	1'284 similar samples on MalwareBazaar
TLSH	2A267D13B281943ED06B1B36493BAAB4953FFF612A26C90B57F51D8C4F36680693D34B
Reporter	o2genum
Tags:	exe RemcosRAT

o2genum

Fake PhoenixMiner version distributed by bots in the bitcointalk.com thread.

Intelligence

File Origin

# of uploads :

# of downloads :

854

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PhoenixMiner_5.4d_Windows.zip

Verdict:

Malicious activity

Analysis date:

2020-12-23 22:19:55 UTC

Tags:

rat remcos keylogger

Link:

https://app.any.run/tasks/eb7e4931-6abd-4acc-a4c3-895c05013337

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109247/

Detection(s):

PUA.Win.Packer.BorlandCpp-9

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Moving a file to the %temp% directory

Launching cmd.exe command interpreter

Creating a file in the %AppData% subdirectories

Creating a file

Unauthorized injection to a system process

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/569471

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Detected Remcos RAT

Drops executable to a common third party application directory

Hijacks the control flow in another process

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

System process connects to network (likely due to code injection or exploit)

Uses nslookup.exe to query domains

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de/

Threat name:

Win32.Exploit.Generic

Status:

Suspicious

First seen:

2020-12-23 22:36:24 UTC

AV detection:

5 of 48 (10.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=reocgph7b446icg6u53ygw22txurneksy53y2n532rb5kxfoddpa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

11e021f5ccf8e8af0f64a10c1fae6285df671c2ad5a97d30f0d888374764128b

RemcosRAT

209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b

RemcosRAT

22e14a00dc576e766179076be3199fc04c28fa52fb74f5ba0a9692fbd742a3c0

RemcosRAT

4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8

RemcosRAT

5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385

RemcosRAT

622a12c9935eb8f0cfa499bb445642a837fa150a161e5393f7a1d759e6f94f02

RemcosRAT

73feac20d7cdbe1e10ca26b196d60d68ea0c4e652ceacf534b1c549e4e597e74

RemcosRAT

b3220a05f0d1fbd5739d07701d1ba84373f9574f0904a464395fcf63246dd1ed

RemcosRAT

b9a23ce0f2e5309363143d5a659731015c710a0b834060f8ad0194a06d48ee01

RemcosRAT

+ 1'274 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos rat

Link:

https://tria.ge/reports/201223-mrs77jy4px/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Blocklisted process makes network request

Remcos

Malware Config

C2 Extraction:

94.242.206.175:5886

Unpacked files

SH256 hash:

891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de

MD5 hash:

fb0b58548f18718f51bb0a189064b9da

SHA1 hash:

03e68d10cbe6dfca2af6a3b88905c078025cb9e1

Link:

https://www.unpac.me/results/0366adca-c8a4-4124-aa24-7a288da59406/

SH256 hash:

c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c

MD5 hash:

abf6c724b20844d5b0073988a58faf1e

SHA1 hash:

7a8269d5b2ae623f8148ce9863f48f7e12ce036b

Link:

https://www.unpac.me/results/0366adca-c8a4-4124-aa24-7a288da59406/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/891c233cff0f39e408dea777835b5a9de9169152c7778d37bbd443d55cae18de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator