MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
SHA3-384 hash: 172c517e97d1856ee4225c98ae6ff4310d4630ade321555e0d9787ac73a301ee72d19deaf383cce718e844577e147fc9
SHA1 hash: f945339ba02aef28ac7fcedf922081fe5507b397
MD5 hash: 56de3f4de890ed5d08ee23d162ccb5b3
humanhash: pizza-west-fanta-five
File name: 5_MedicationRoy.exe
Signature: RemcosRAT
File size: 1'125'590 bytes
First seen: 2024-02-14 12:22:10 UTC
Last seen: 2024-02-14 14:30:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 36603b42a93421cfa64e8207b9ee7696 (3 x LummaStealer, 2 x RemcosRAT)
ssdeep: 24576:lzCmT/4sKowJXrP+garXNKZQCawrKdIQZgMCNBypVD1yX36G7fbZcK:lzbT/dw7kXaawrMIQZgMC/yv1S36G7Ff
Threatray: 2'268 similar samples on MalwareBazaar
TLSH: T1CA3522256AC08476E27327301EE1F6B1D5BDBA410761C2CB2B5C251A6FB17D6B32C39B
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: c1f4fc7ecef47c04 (1 x RemcosRAT)
Reporter: angel11VR
Tags: AsyncRAT AutoIT exe RemcosRAT


angel11VR
malware by phishing URL https://bitbucket.org/obmens/file/downloads/
#AutoIt possibly Remcos or AsyncRAT/VenomRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 345
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour:
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% subdirectory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
Creating a file
DNS request
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint hook installer keylogger lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: AsyncRAT, Remcos
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (interactive process graph, not reproduced here): Behavior Graph ID 1392106, Sample: 5_MedicationRoy.exe, Start date: 14/02/2024, Architecture: WINDOWS, Score: 100. Hosts contacted in the graph: 77.105.132.92 (PLUSTELECOM-AS, Russian Federation) and geoplugin.net (178.237.33.50, ATOM86-AS, Netherlands).
Threat name: Win32.Backdoor.AsyncRAT
Status: Malicious
First seen: 2024-02-14 12:23:05 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:remcos botnet:default botnet:host collection discovery rat spyware stealer
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
AsyncRat
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: (list of IP:port indicators not reproduced)
Unpacked files
SHA256 hash: 9437b5cd85f01ae5f0fcffab34b33a10b18beee3d559431a512b977596576fd6
MD5 hash: 0e5f8c77f7d8e72afb90a58098bdfaf7
SHA1 hash: 4f7884661c4b200210ac250b914b2464ced3dd12
Detections: AutoIT_Compiled
Parent samples:
SHA256 hash: a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
MD5 hash: 56de3f4de890ed5d08ee23d162ccb5b3
SHA1 hash: f945339ba02aef28ac7fcedf922081fe5507b397
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link

Comments



commented on 2024-02-14 14:32:34 UTC

#Remcos #AsyncRAT #AutoIT #PWD
IOCs
https://pastebin.com/Ddgk9Uuv