MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c
SHA3-384 hash: bf31e0bf9a3bea4bff503024022989bb235cbf92d4ce5d11aab42b4fe3d4373dda36f30cbf1780851d8f6e6b006de4a2
SHA1 hash: 786826282e4f20076f50b7648e45ca1df856dd12
MD5 hash: d0b73f883fdd6cc9097028375fdc6231
humanhash: fruit-mississippi-bakerloo-mississippi
File name:SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:666'624 bytes
First seen:2021-01-18 13:08:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3fa489abaee814a61ce0966e1954db55 (12 x Loki, 7 x RemcosRAT, 3 x SnakeKeylogger)
ssdeep 6144:Tczz4bs4TQEvq2Tomx93zXA0U4H444hBrOGluYWBnRNGbZm6Fcnik/:Q4b7TQEvxo8zE4H444hBrCYWdRNRv/
Threatray 1'734 similar samples on MalwareBazaar
TLSH 42E459503190E0B1D522DE3426A8C764DAAB7C61B7A16F8B7F90377F1AF32909B6431D
Reporter SecuriteInfoCom
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LC-0042002210001102.xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-18 09:31:48 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/89a25620-daef-4c24-8882-4b531f42a878

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112567/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Firseria-6804617-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a window
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583833
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340953 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Detected Remcos RAT 2->51 53 3 other signatures 2->53 9 SecuriteInfo.com.Trojan.Siggen11.58832.24978.exe 4 5 2->9         started        13 VLC.exe 2->13         started        15 VLC.exe 2->15         started        process3 file4 41 C:\Users\user\AppData\Roaming\...\VLC.exe, PE32 9->41 dropped 43 C:\Users\user\...\VLC.exe:Zone.Identifier, ASCII 9->43 dropped 63 Contains functionalty to change the wallpaper 9->63 65 Contains functionality to steal Chrome passwords or cookies 9->65 67 Contains functionality to capture and log keystrokes 9->67 69 3 other signatures 9->69 17 wscript.exe 1 9->17         started        19 VLC.exe 13->19         started        signatures5 process6 process7 21 cmd.exe 1 17->21         started        process8 23 VLC.exe 2 4 21->23         started        28 conhost.exe 21->28         started        dnsIp9 45 push4me.freeddns.org 79.134.225.114, 1814, 49704, 49705 FINK-TELECOM-SERVICESCH Switzerland 23->45 39 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 23->39 dropped 55 Tries to steal Mail credentials (via file registry) 23->55 57 Contains functionalty to change the wallpaper 23->57 59 Machine Learning detection for dropped file 23->59 61 6 other signatures 23->61 30 VLC.exe 23->30         started        33 VLC.exe 23->33         started        35 VLC.exe 1 23->35         started        37 10 other processes 23->37 file10 signatures11 process12 signatures13 71 Tries to steal Instant Messenger accounts or passwords 30->71 73 Tries to steal Mail credentials (via file access) 30->73 75 Tries to harvest and steal browser information (history, passwords, etc) 37->75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 13:09:05 UTC
AV detection:
30 of 46 (65.22%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07cb866df6df9ad51ce01426b0a0466834619e72c2653ff7c25320cc3c0a3f9a
RemcosRAT
605834c1fd1e1ad6e039fa17f7de298663ab902e84a70947a15ef18d088879e8
RemcosRAT
684e2e17f92d3a89e7251185582b357c796421e95bd4060e9e01fe667c6aab85
RemcosRAT
7988be86737cfdcc6f6aa3a7e283e950961d10a5efbcab14009a72a9134d8363
RemcosRAT
9d692165cbb8d2a181769b723e7300b02f534fec4563d4bd155b4c293d6ebe72
RemcosRAT
a2925ab4b7c0267fb273b9125b81673c84525a2e974119dd6c6f3c10ac6675f5
RemcosRAT
b8f93d593fb0feaa265c385ab4afb8c8e1bb7908b166cf68b6efb36ed1f7fa4f
RemcosRAT
bf0e82358921791e16998b942e600a500a967f6e5c5b034a675af7e49663a34f
RemcosRAT
e2d83de235b73fa4366db562daf7a16884eb632bc00ac8d12d371bdc7a2d1c2f
RemcosRAT
faca80f4cbe69a258c8075a6e5b83d0dd01c9bfcc67060240321e973f12a8ea5
RemcosRAT
+ 1'724 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat spyware
Link:
https://tria.ge/reports/210118-esz6sd76me/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
push4me.freeddns.org:1814
Unpacked files
SH256 hash:
cdec6b30838d2ee17392d100cbd519f3ab874a4fa98bbd20f17b62c19dc9f5a6
MD5 hash:
181bb911ccdd2743f837962d2da5a892
SHA1 hash:
49acf3104ef7b0fb8b74082eed7c7c372f0b92eb
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0a31ae4-5f57-42d2-b250-3ab37b5e2a4f/
Parent samples :
01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c
SH256 hash:
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c
MD5 hash:
d0b73f883fdd6cc9097028375fdc6231
SHA1 hash:
786826282e4f20076f50b7648e45ca1df856dd12
Link:
https://www.unpac.me/results/d0a31ae4-5f57-42d2-b250-3ab37b5e2a4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/969960/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112567/

Comments