MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9165452d3a756f74bdc02fdc8477460abe31bcfa850f2211588e10dd0b1e084. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 9



SHA256 hash: d9165452d3a756f74bdc02fdc8477460abe31bcfa850f2211588e10dd0b1e084
SHA3-384 hash: e7b36d417ecb7a72899d4d4834b24ea4b1ff2228607e0f417ba7075884cc5b5ec6df00f1daaac6aa872f0d9478f11927
SHA1 hash: a193808381174ce1b46f86ea4e768926f75f6347
MD5 hash: d5018dc7250488f8b343d9df033ad608
humanhash: burger-whiskey-quiet-lactose
File name: Kerenl.sfx.exe
Signature: RemcosRAT
File size: 6'015'793 bytes
First seen: 2021-01-12 12:42:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:qyBQemGUVgyUPFdQkpHbDoapqWXEz6sLuEC3zw2fsLqzXfT0LuqbOb:VBxmGUVgfPzlIaKz6quz7ULqzvTDqbOb
Threatray: 416 similar samples on MalwareBazaar
TLSH: 67563302F6C46172D5228D3A3A2A57411D7A78345B2ACF9F33785A6E57B04C27733BB2
Reporter: o2genum
Tags: exe RemcosRAT


o2genum
Multi-file payload that got extracted to %AppData%\NVIDIA

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Kerenl.sfx.exe
Verdict: Malicious activity
Analysis date: 2021-01-12 12:45:31 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Detected Remcos RAT
Drops executable to a common third party application directory
Hijacks the control flow in another process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 338520; sample Kerenl.sfx.exe; start date 12/01/2021; architecture WINDOWS; score 100):
Kerenl.sfx.exe (started): Malicious sample detected (through community Yara rule); Detected Remcos RAT; Yara detected Remcos RAT. Dropped C:\Users\user\AppData\Local\...\atillk64.sys (PE32+), C:\Users\user\AppData\Local\...\atikia64.sys (PE32+), C:\Users\user\AppData\Local\...\atidgllk.sys (PE32) and 45 other files (1 malicious). Sample is not signed and drops a device driver.
Kerenl.exe (started by Kerenl.sfx.exe): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Machine Learning detection for dropped file; 2 other signatures.
notepad.exe (started by Kerenl.exe): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; 2 other signatures.
cmd.exe (started by notepad.exe): network connection to 5.45.87.29 (ports 49733, 8000; SCALAXY-ASNL, Russian Federation). Dropped C:\Users\user\AppData\...\libcrypto-1_1.dll (PE32) and C:\Users\user\AppData\Roaming\...\ads.exe (PE32). Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; 3 other signatures.
Threat name: Win32.Trojan.Malrep
Status: Suspicious
First seen: 2021-01-12 12:43:04 UTC
AV detection: 8 of 29 (27.59%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:remcos rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Remcos
Malware Config
C2 Extraction: 5.45.87.29:8000
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
Sample: Executable exe d9165452d3a756f74bdc02fdc8477460abe31bcfa850f2211588e10dd0b1e084 (this sample)

Comments