MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

SHA256 hash: d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be
SHA3-384 hash: da539b1b2dcc04a78faa60286f325c6e7e2fdcc17068a343f408b71f63d25c78e3e8ee8f0d83a55bb55c51068f192486
SHA1 hash: 3c6e62e21f2b58461c4b888f55ee2c1a5712003a
MD5 hash: 6e1b3fc0daa62b5de4bdbc7d694c0e15
humanhash: hotel-bluebird-cardinal-green
File name: atiflash_293.sfx.exe
Download: download sample
Signature: RemcosRAT
File size: 6'828'048 bytes
First seen: 2021-01-12 10:02:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:qsyXTKo7mAAi28nms5vJfqwvHMqbPZEmysLfRwZnKKJWdEICByiSKrBCwO0xyMA:QDL7m1il1N0GEs1WnKoW2by0smyMA
Threatray: 372 similar samples on MalwareBazaar
TLSH: 94663301B8D281B3D5126C734435BBA0687B7D600F798ECBB794791ECA38AD1BA317D6
Reporter: o2genum
Tags: exe RemcosRAT


o2genum
Distributed as ZIP.
Packed into SFX RAR for analysis.

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: atiflash_293.sfx.exe
Verdict: Malicious activity
Analysis date: 2021-01-12 10:09:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows subdirectories
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 48 / 100
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executable to a common third party application directory
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 338475; sample atiflash_293.sfx.exe; start date 12/01/2021; architecture WINDOWS; score 48)

Sample-level signatures:
  - Malicious sample detected (through community Yara rule)
  - Yara detected Remcos RAT

Process tree (graph node ids in brackets):
  - atiflash_293.sfx.exe [10]
      dropped: C:\Users\user\AppData\Local\...\atillk64.sys (PE32+), C:\Users\user\AppData\Local\...\atikia64.sys (PE32+), C:\Users\user\AppData\Local\...\atidgllk.sys (PE32), 15 other files (none is malicious)
      signature: Sample is not signed and drops a device driver
      - started amdvbflashWin.exe [21]
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          - started amdvbflashWin.exe [26]
              dropped: C:\Users\user\AppData\...\is-V8530.tmp (PE32), C:\Users\user\AppData\...\is-V31GT.tmp (PE32), C:\Users\user\AppData\...\is-UHA40.tmp (PE32), 46 other files (none is malicious)
              - started Kerenl.exe [31]
                  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes
                  - started notepad.exe [36]
                      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; 2 other signatures
                      - started notepad.exe [39]
                          network: 5.45.87.29, 49741, 8000, SCALAXY-ASNL, Russian Federation
                          dropped: C:\Users\user\AppData\...\libcrypto-1_1.dll (PE32), C:\Users\user\AppData\Roaming\...\ads.exe (PE32)
                          signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops executable to a common third party application directory
                      - started cmd.exe [44]
                      - started cmd.exe [46]
                      - started 4 other processes [48]
              - started amdvbflashWin.exe [34]
  - svchost.exe [14]
      signature: Changes security center settings (notifications, updates, antivirus, firewall)
      - started MpCmdRun.exe [24]
          - started conhost.exe [29]
  - svchost.exe [16]
      network: h9i4k4c8.stackpathcdn.com 151.139.128.11, 443, 49726, HIGHWINDS3US, United States; 127.0.0.1 unknown unknown; 2 other IPs or domains
  - 9 other processes [19]
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2021-01-12 10:03:05 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:remcos rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction:
5.45.87.29:8000
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_RemcosRAT
Author: abuse.ch

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: Remcos
Author: JPCERT/CC Incident Response Group
Description: detect Remcos in memory

Rule name: remcos_rat
Author: jeFF0Falltrades

Rule name: REMCOS_RAT_variants

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File type: Executable exe
SHA256: d1a4049ba690a122863c55c4c7b35e18fdd25225dcb1f5e0a08a7c9f8ddb77be (this sample)

Comments