MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2
SHA3-384 hash: 6ae9ef1b53feec98ffe9205ce2f20f7d4ec65f5e7f01296f19b5473db8d0f7597145b13c3ac4b8cb10c242c4a0da9d58
SHA1 hash: c1d8c76a469e1ee753d1d7f69f59b20ebdb2b1fe
MD5 hash: 2043ca6e23c1e8f2d31f7ab88376ed65
humanhash: earth-king-princess-comet
File name:2043CA6E23C1E8F2D31F7AB88376ED65.dll
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:75'924 bytes
First seen:2021-07-19 14:30:52 UTC
Last seen:2021-07-19 15:37:36 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3f397b0f4f0a50e11cf8301d0c2f95c7 (1 x RemcosRAT)
ssdeep 1536:dVc726qltnuJtvEAMp6/CQclcmgmtzo8:dua6ktIEP6qWmgmtz9
Threatray 3'081 similar samples on MalwareBazaar
TLSH T1D773BF01B0A1C0B3C54A95BD144AC7431F6E76905FF298437BBB87DE6B326E1663E30A
Reporter abuse_ch
Tags:dll RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
23.106.124.111:4551

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.106.124.111:4551 https://threatfox.abuse.ch/ioc/161058/

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172560/
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.14197.32464.7770.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Parallax RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43d7b416-168d-4293-b420-e3162b56158c
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818317
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops executable to a common third party application directory
Found malware configuration
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450731 Sample: VUBuRErqKh.dll Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 78 ipv4.imgur.map.fastly.net 2->78 80 i.imgur.com 2->80 118 Found malware configuration 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 Multi AV Scanner detection for dropped file 2->122 124 5 other signatures 2->124 11 loaddll32.exe 1 2->11         started        13 openvpn-gui.exe 2->13         started        16 openvpn-gui.exe 2->16         started        signatures3 process4 signatures5 18 cmd.exe 1 11->18         started        21 rundll32.exe 11->21         started        23 rundll32.exe 11->23         started        134 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->134 136 Hijacks the control flow in another process 13->136 138 Writes to foreign memory regions 13->138 25 cmd.exe 1 13->25         started        140 Allocates memory in foreign processes 16->140 27 cmd.exe 16->27         started        29 cmd.exe 16->29 injected process6 signatures7 100 Contains functionalty to change the wallpaper 18->100 102 Contains functionality to steal Chrome passwords or cookies 18->102 104 Contains functionality to capture and log keystrokes 18->104 116 3 other signatures 18->116 31 rundll32.exe 18->31         started        106 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->106 108 Hijacks the control flow in another process 21->108 34 mstsc.exe 15 21->34         started        110 Writes to foreign memory regions 23->110 112 Allocates memory in foreign processes 23->112 37 mstsc.exe 20 23->37         started        114 Maps a DLL or memory area into another process 25->114 39 cmd.exe 25->39         started        41 conhost.exe 25->41         started        43 cmd.exe 27->43         started        45 conhost.exe 27->45         started        process8 dnsIp9 142 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->142 144 Hijacks the control flow in another process 31->144 47 mstsc.exe 16 31->47         started        82 145.239.131.60, 443, 49711 OVHFR France 34->82 52 openvpn-gui.exe 34->52         started        54 cmd.exe 1 34->54         started        84 i.ibb.co 145.239.131.51, 443, 49707, 49709 OVHFR France 37->84 146 Drops executable to a common third party application directory 37->146 56 cmd.exe 1 37->56         started        86 eventsbypearce.host 23.106.124.111, 4551, 49729 LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Singapore 39->86 signatures10 process11 dnsIp12 88 i.ibb.co 47->88 74 C:\Users\user\AppData\...\openvpn-gui.exe, PE32 47->74 dropped 76 C:\Users\user\AppData\Local\...\cmpbk32.dll, PE32 47->76 dropped 90 Drops executable to a common third party application directory 47->90 58 cmd.exe 1 47->58         started        92 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 52->92 94 Hijacks the control flow in another process 52->94 96 Writes to foreign memory regions 52->96 98 Allocates memory in foreign processes 52->98 60 cmd.exe 1 52->60         started        63 conhost.exe 54->63         started        65 conhost.exe 56->65         started        file13 signatures14 process15 signatures16 67 conhost.exe 58->67         started        128 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 60->128 130 Hijacks the control flow in another process 60->130 132 Maps a DLL or memory area into another process 60->132 69 cmd.exe 60->69         started        72 conhost.exe 60->72         started        process17 signatures18 126 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 69->126
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-16 00:56:31 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sp3z4f46eqvuwlfq5x6ejgkzpmf2tot7b6ghcjqqb74c7rmboxja._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
015899ba7ca42d54316d63f5ed222f2f6c0ab3c784b855c646df4c89b05c71c8
RemcosRAT
598fbc003f3775d3441846dec51317b6e81422a78c9a0d1b53353025d6953175
RemcosRAT
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
RemcosRAT
6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e
RemcosRAT
91e13d173fb96f025e17161b61686fa06272a048eececeb7d4e95ecdcb3de4b8
RemcosRAT
a3fedff31a0349bc1b17791e2382179f465c870b3abd6b49040b3091be722f51
RemcosRAT
a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
RemcosRAT
ba52101e664d1ab4110977264bb16ff13c5bf4bdb004ddcacba915006d275b81
RemcosRAT
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
RemcosRAT
eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298
RemcosRAT
+ 3'071 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/210719-p5zqhzvvp2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Unpacked files
SH256 hash:
93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2
MD5 hash:
2043ca6e23c1e8f2d31f7ab88376ed65
SHA1 hash:
c1d8c76a469e1ee753d1d7f69f59b20ebdb2b1fe
Link:
https://www.unpac.me/results/00edc5ee-3924-4bc0-ac0f-1c8a2aebaf9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_rat_parralax_shell_bin
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax injected code
Reference:https://twitter.com/VK_Intel/status/1257714191902937088
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MAL_crime_win32_rat_parallax_shell_bin
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax injected code
Reference:https://twitter.com/VK_Intel/status/1257714191902937088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172560/

Comments