MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd
SHA3-384 hash: 735969cf7a583ebd0b113ac495563ad85edc673349e10e2b1ee93bdb161cc023d53dba3cc5f91fd10838ebc84ab83b41
SHA1 hash: f22e34e9aebb8d9828ae74b9cd6b27d227f5d160
MD5 hash: ffd6a1b5596ed38e5235d475fd8ba466
humanhash: saturn-saturn-equal-massachusetts
File name:ffd6a1b5_by_Libranalysis
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'609'328 bytes
First seen:2021-05-12 16:02:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d95d0da5c76c85881e48bf3cd181ce7 (1 x RemcosRAT)
ssdeep 24576:ayw0gHUG/avAxUq7FkKX4Lb9pB18hq1TMdDy9Ef1KMRogLK0OR5llvj:am6L4VT1xhMhfIqoeKJ
Threatray 1'596 similar samples on MalwareBazaar
TLSH 1975CF22B1F1883BC1632BB45CBFA765A53ABF052924494B7BF41C4C5F796803D1A2E7
Reporter Libranalysis
Tags:RemcosRAT


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Formulario Tributario 490 Vencido.exe
Verdict:
No threats detected
Analysis date:
2021-05-12 15:36:56 UTC
Tags:
installer rat remcos
Link:
https://app.any.run/tasks/3e814c81-f1a4-49d8-92e0-c56851e7d2c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155444/
Detection(s):
PUA.Win.Packer.BorlandCpp-9
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Forced shutdown of a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/780096
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Hijacks the control flow in another process
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 412493 Sample: ffd6a1b5_by_Libranalysis Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 18 mirandli.mirandli.com 2->18 20 ipv4.imgur.map.fastly.net 2->20 22 i.imgur.com 2->22 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 3 other signatures 2->32 8 ffd6a1b5_by_Libranalysis.exe 2->8         started        signatures3 process4 signatures5 34 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->34 36 Hijacks the control flow in another process 8->36 38 Writes to foreign memory regions 8->38 40 2 other signatures 8->40 11 notepad.exe 8->11         started        process6 signatures7 42 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->42 44 Hijacks the control flow in another process 11->44 46 Writes to foreign memory regions 11->46 48 Maps a DLL or memory area into another process 11->48 14 cmd.exe 2 3 11->14         started        process8 dnsIp9 24 mirandli.mirandli.com 181.49.85.74, 49707, 49708, 49709 TelmexColombiaSACO Colombia 14->24 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->50 52 Contains functionality to steal Chrome passwords or cookies 14->52 54 Contains functionality to inject code into remote processes 14->54 56 3 other signatures 14->56 signatures10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd/
Threat name:
Win32.Downloader.Penguish
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 01:15:14 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxy5s23v23wqqrx2ytjn36w2s6jh3phly355afombcwhqod3fd6q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04ac77106a85dad9f430906c1363969a025b97675671479a0386ce6f6d0f7ece
RemcosRAT
04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb
RemcosRAT
0e79effa0348929c10e8aa39b07b38ba50872d4fe132fd7c131e4ac9892ed046
RemcosRAT
32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
RemcosRAT
823cb4b92a1266c880d917c7d6f71da37d524166287b30c0c89b6bb03c2e4b64
RemcosRAT
904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb
RemcosRAT
a3fedff31a0349bc1b17791e2382179f465c870b3abd6b49040b3091be722f51
RemcosRAT
b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494
RemcosRAT
e431d81e245dd47b376162b55b07a341789498cbc19dba9271b98cd048002e01
RemcosRAT
eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298
RemcosRAT
+ 1'586 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210512-neehnvs34x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
mirandli.mirandli.com:5145
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_06aea76bac46a9e8cfe6d29e45aaf033
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/155444/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 17:12:42 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [E1510] Impact::Clipboard Modification
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
16) [C0038] Process Micro-objective::Create Thread
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process