MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
SHA3-384 hash: a758423bf4b26733e9e149318218a4e800d7e82876dd96d6a0e4f22967d6ddf4205b77879bc7156256c8b8c2f45db4f6
SHA1 hash: 32e93d278b70caf5156e8bb1d7bfc8e29658fccc
MD5 hash: 2cb79bcce5050528580bf880f47d9d61
humanhash: march-network-video-juliet
File name:BKLULYOT.EXE
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:773'120 bytes
First seen:2021-11-26 06:43:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa05048bfda17ad908358f66259767df (1 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:a+3V1iARDZ1Wv7GFdc6v8cnr3pB7PeDhxYjAKJtWcpEL36U:a+FrZ1Wv74d9lTrbeDhmxJtWf36U
Threatray 1'395 similar samples on MalwareBazaar
TLSH T1F5F45B11B2919C72C1772679DC3BB6945F39BE806AF47C963EF47D480AB8381742E392
File icon (PE):PE icon
dhash icon 74f0888a8c8880b4 (5 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
Reporter cocaman
Tags:DHL exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BKLULYOT.EXE
Verdict:
Malicious activity
Analysis date:
2021-11-26 06:45:11 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/ca1f65a6-5b99-4104-9d68-bf61eb9cb223

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.Malware.AI.3961113016.25418.17593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/61a0823702c80febc2a9ee1e/reports/7bbb5595-fd37-4e70-bc01-ae72475b3430/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3531ae53-1359-4c1b-a886-be7eab2f66a5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896497
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 528975 Sample: BKLULYOT.EXE Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 34 fanta.nsupdate.info 2->34 36 coke.nsupdate.info 2->36 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 5 other signatures 2->58 7 BKLULYOT.EXE 1 18 2->7         started        12 Bklulyot.exe 13 2->12         started        14 Bklulyot.exe 15 2->14         started        signatures3 process4 dnsIp5 38 cdn.discordapp.com 162.159.134.233, 443, 49744, 49751 CLOUDFLARENETUS United States 7->38 24 C:\Users\user\Contacts\Bklulyot.exe, PE32 7->24 dropped 26 C:\Users\...\Bklulyot.exe:Zone.Identifier, ASCII 7->26 dropped 60 Writes to foreign memory regions 7->60 62 Creates a thread in another existing process (thread injection) 7->62 64 Injects a PE file into a foreign processes 7->64 16 logagent.exe 2 3 7->16         started        40 162.159.129.233, 443, 49772 CLOUDFLARENETUS United States 12->40 42 192.168.2.1 unknown unknown 12->42 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 20 DpiScaling.exe 12->20         started        22 mobsync.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 latua.nsupdate.info 20.115.34.57, 49770, 49776, 49791 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->28 30 goldie.nsupdate.info 52.188.104.150, 7722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->30 32 2 other IPs or domains 16->32 44 Contains functionality to steal Chrome passwords or cookies 16->44 46 Contains functionality to inject code into remote processes 16->46 48 Contains functionality to steal Firefox passwords or cookies 16->48 50 Delayed program exit found 20->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 02:11:32 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uafik3ynqx6lp5efo55oqgqldrjjos5rzusifos6tb5hz2baouiq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3f9fd47a1850bb51e06ce78cabb32d839b4d4f68daf028aa0465d7cb85099b1a
RemcosRAT
41d511392fc1e9e37a96d7e0d1e2a947d3de3da299d1a0fab9f522b98e38b659
RemcosRAT
502f18997fa73c5af97c3f8f3cd7a8a12d7d648642bd238b4eb15c0457e879a1
RemcosRAT
75d58f5b4293ffc19d29586f96508fe473b3688503ab75a9fecf8b280af3b55a
RemcosRAT
8f1eefd14608fae865576d9f7a24be116eb9d8dcebf89c954e2e645b06174c4e
RemcosRAT
9f87aa938179953b88e6d47d4f2d07f82ec683a90ff0d77d8f50ad67ab55ad89
RemcosRAT
cd43f136f1d3221cd64fc792a37744dfa9656a9ea5889e52929275c05eb4e33b
RemcosRAT
ed78db064dfb4ae791498b2d08410a69bdad684ff709319d179c2383dd8e2f1c
RemcosRAT
f26f9e3fccab0e855f132f00715cfdbaa9efbbc923fc702961d826987d7c15aa
RemcosRAT
+ 1'385 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:tls persistence rat
Link:
https://tria.ge/reports/211126-hhhkmaebf6/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
latua.nsupdate.info:7722
goldie.nsupdate.info:7722
coke.nsupdate.info:7722
fanta.nsupdate.info:7722
Unpacked files
SH256 hash:
80862d46bdac152572d0faa96c99edb9bcb3d5d3ff5d1d41771f5cb8ad164a2c
MD5 hash:
7c09b28f7639c8b2a033e88db5d9df53
SHA1 hash:
fbcccc3c2d024228a3e1dab743b3912ed8ccbb3c
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/1eada972-35cb-46b9-b9a9-cb3e6fcf93a1/
Parent samples :
e50290f9b9cf781a2d64f7e3190de28d2b673cd24099675d3b65a80ab70cf9e1
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
7c491171fbe25c5f47f560db3a857cfc716d0c4733466ac08660e8a8be9bc8cd
5627d54b0f87a8fa0e9a33d2cbce145140eb0e88e77f1076e7658310b742aa83
46e51f41840a1a08e695f8b5dbd03efd3b3f7071edc00d9e916a73a02d8176a1
bc42c1e528e70d0f4152e78278ed1a0e4bacf4cab8bb21da9ea8f99a48676355
62d54d23908b06fb851da8829798a3d82110e0c189a8794f9d7deb9642f1542d
91b5c318543587a212464565a4df06eae2ad2823338389134f06c4409047e18e
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
6c2c4e5bb1275643184f07bd2bce3f51722e3b3e0557fbf0d83c0dc6461c4a5b
2d086daa30c03800b673011e6ee10d5ccdfa56842f67188ac348e30ed5cc803c
SH256 hash:
a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511
MD5 hash:
2cb79bcce5050528580bf880f47d9d61
SHA1 hash:
32e93d278b70caf5156e8bb1d7bfc8e29658fccc
Link:
https://www.unpac.me/results/1eada972-35cb-46b9-b9a9-cb3e6fcf93a1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a00a856f0d85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 00d0dcc155b889107ad32e90f8172490dc32280cc62e762bfa5e7deecea1099d

RemcosRAT

Executable exe a00a856f0d85fcb7f485777ae81a0b1c52974bb1cd2482ba5e987a7ce8207511

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 00d0dcc155b889107ad32e90f8172490dc32280cc62e762bfa5e7deecea1099d
Cape
Cape
https://www.capesandbox.com/analysis/209585/

Comments