MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9619dd90b103cea6ed31462e70f2419900b0f943295a7b773a0a77504ade15ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9619dd90b103cea6ed31462e70f2419900b0f943295a7b773a0a77504ade15ce
SHA3-384 hash: ab148c8bbdb1ef0331f71af003f876312f60831399982875c4068d18556d0df15722cffa806a2432c37d2e9a0d1fe826
SHA1 hash: 22824eb1d9f33bc6ee7d61267705eff8a635f377
MD5 hash: dae53a9811b6bb639191c85646dfb6ab
humanhash: blue-video-lake-hamper
File name:micro.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:865'792 bytes
First seen:2021-07-29 19:30:49 UTC
Last seen:2021-07-29 20:36:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 641b05b4dc6d8389ff08a789834da953 (1 x RemcosRAT)
ssdeep 12288:M7SqgtacuhJPH33i8ii74/vUagbqgFRWvqoHUL66opspF0dh0MgJ:M70uJ/3/ihLSXRfwdha
Threatray 379 similar samples on MalwareBazaar
TLSH T1F5057DF676B39937ECB305B84C0BAA7C891AAE101B10794136FAD9484FB614F3D7A057
dhash icon 89acae83529aaa82 (3 x RemcosRAT, 1 x AveMariaRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
micro.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 19:32:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/19b7e096-09ef-4ffe-bb65-6881c1bc43f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175138/
Detection(s):
SecuriteInfo.com.Variant.Zusy.395680.25208.19410.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Zusy.395680.14603.4716.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1394abd-897f-4d90-99d6-c92ac418ccd6
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824098
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456510 Sample: micro.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 3 other signatures 2->65 8 micro.exe 1 24 2->8         started        13 Yjpmvth.exe 16 2->13         started        15 Yjpmvth.exe 16 2->15         started        process3 dnsIp4 45 zydsqg.sn.files.1drv.com 8->45 47 sn-files.fe.1drv.com 8->47 49 onedrive.live.com 8->49 41 C:\Users\Public\Libraries\...\Yjpmvth.exe, PE32 8->41 dropped 79 Writes to foreign memory regions 8->79 81 Creates a thread in another existing process (thread injection) 8->81 83 Injects a PE file into a foreign processes 8->83 17 dialer.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        51 zydsqg.sn.files.1drv.com 13->51 55 2 other IPs or domains 13->55 85 Multi AV Scanner detection for dropped file 13->85 87 Allocates memory in foreign processes 13->87 25 logagent.exe 13->25         started        53 zydsqg.sn.files.1drv.com 15->53 57 2 other IPs or domains 15->57 27 logagent.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 twistednerd.dvrlists.com 185.189.112.27, 49753, 8618 M247GB United Kingdom 17->43 67 Contains functionalty to change the wallpaper 17->67 69 Contains functionality to steal Chrome passwords or cookies 17->69 71 Contains functionality to inject code into remote processes 17->71 73 Contains functionality to register a low level keyboard hook 17->73 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        75 Contains functionality to steal Firefox passwords or cookies 25->75 77 Delayed program exit found 25->77 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9619dd90b103cea6ed31462e70f2419900b0f943295a7b773a0a77504ade15ce/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 19:30:36 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sym53efraphkn3jriyxhb4sbtealb6kdffnhw5z2bj3vasw6cxha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00d52b668be725580bf1233a8bc805f62831f96ca8f7cf50807cd3481727981a
RemcosRAT
051bfc878cbfc9748f59edcb04b8d8cfdc75b566e403236385c51374b7afd393
RemcosRAT
22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4
RemcosRAT
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
5fa4dc80cabd644491180f4af2bbe0001bf4082fe84b45e1452200318b912aee
RemcosRAT
963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60
RemcosRAT
d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af
RemcosRAT
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
RemcosRAT
f980b2377c9cd2ff4415608fff97031062be1788bfd981ae55f9e92c4985ada4
RemcosRAT
+ 369 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:jules persistence rat
Link:
https://tria.ge/reports/210729-f8py6qh4qa/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:8618
Unpacked files
SH256 hash:
a6dbc14cb792b7eb21fb78abbcfc50ab940717ff8bdebf2f8db47e1ab12b6f9b
MD5 hash:
49995a2953873c7265752d191ae9f40b
SHA1 hash:
2f911fc1c8371812fbe412cf60886cf7554b20c9
Link:
https://www.unpac.me/results/cc58176b-120b-4419-82f5-670a86251895/
SH256 hash:
9619dd90b103cea6ed31462e70f2419900b0f943295a7b773a0a77504ade15ce
MD5 hash:
dae53a9811b6bb639191c85646dfb6ab
SHA1 hash:
22824eb1d9f33bc6ee7d61267705eff8a635f377
Link:
https://www.unpac.me/results/cc58176b-120b-4419-82f5-670a86251895/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9619dd90b103cea6ed31462e70f2419900b0f943295a7b773a0a77504ade15ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/175138/

Comments