MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
SHA3-384 hash: 7e415d4d5845344369284049be47b661840e6c7f8128f7bb931d5a27688b9d5a4d251ad71ddc5166ec511af40bcef306
SHA1 hash: c046b31552ed57ca77a8290c6c75f61a7a02cdac
MD5 hash: b63c3a21783b1641807dc1b35e0c27e3
humanhash: five-emma-robin-cup
File name:echomiragePC.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:522'695 bytes
First seen:2023-05-13 22:50:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fe0b55a75647240d63e8d2d6140a4c09 (10 x RedLineStealer, 7 x Amadey, 5 x Smoke Loader)
ssdeep 12288:NlFEwX5Lb/RymrFZClHanU7nQUk1IrqntFxUBjvrEH79EAu:N9LzFZU2UMyrEH79ru
TLSH T1FCB402223980C3F9D1660534392CFA417AD9A93C097E594BB71D57ADAF3C6E2172A30F
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ce0c8e8e4a067260 (1 x RemcosRAT)
Reporter JaffaCakes118
Tags:RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
floxif
Create hunting rule
ID:
1
File name:
echomiragePC.exe
Verdict:
Malicious activity
Analysis date:
2023-05-14 00:55:22 UTC
Tags:
floxif trojan rat remcos
Link:
https://app.any.run/tasks/6e3f7ffe-4990-49f2-a39a-94e40ed78fa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FloodFix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389026/
Detection(s):
SecuriteInfo.com.MSIL-44.UNOFFICIAL
Create hunting rule

Win.Virus.Pioneer-9111434-0
Create hunting rule

Win.Virus.Pioneer-6804573-0
Create hunting rule

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Creating a file in the Program Files subdirectories
Replacing executable files
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a process from a recently created file
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83943/overview
Behaviour
MalwareBazaar
GetTempPath
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif greyware obfuscated overlay packed
Link:
https://www.filescan.io/uploads/64601459e6ddc946fb82173c/reports/220ef765-d83d-4996-9ece-ffe60771475e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Floxif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f68e09cd-27eb-409f-b4e3-1ed1973e004e
Result
Threat name:
FloodFix, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232585
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected FloodFix
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 865565 Sample: echomiragePC.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 53 solo.chessregister.rss-search.anondns.net 2->53 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 9 other signatures 2->65 7 echomiragePC.exe 1 7 2->7         started        12 _echosoftwarelic.exe 2->12         started        14 _echosoftwarelic.exe 2->14         started        16 _echosoftwarelic.exe 2->16         started        signatures3 process4 dnsIp5 55 192.168.2.1 unknown unknown 7->55 45 C:\Users\user\...\_echosoftwarelic.exe, PE32 7->45 dropped 47 C:\Users\user\AppData\...\5F8B940B18.tmp, PE32 7->47 dropped 49 C:\Program Files\Common Files\...\symsrv.dll, PE32 7->49 dropped 51 2 other malicious files 7->51 dropped 67 Contains functionality to bypass UAC (CMSTPLUA) 7->67 69 Detected unpacking (changes PE section rights) 7->69 71 Detected unpacking (overwrites its own PE header) 7->71 73 Delayed program exit found 7->73 18 WerFault.exe 9 7->18         started        21 WerFault.exe 9 7->21         started        23 WerFault.exe 20 9 7->23         started        25 WerFault.exe 7->25         started        75 Contains functionality to steal Chrome passwords or cookies 12->75 77 Contains functionality to modify clipboard data 12->77 79 Contains functionality to steal Firefox passwords or cookies 12->79 81 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->81 27 WerFault.exe 10 12->27         started        29 WerFault.exe 10 12->29         started        31 WerFault.exe 12->31         started        57 solo.chessregister.rss-search.anondns.net 58.96.75.176, 8443, 8448 EXETEL-AS-APExetelPtyLtdAU Australia 14->57 83 Writes to foreign memory regions 14->83 85 Maps a DLL or memory area into another process 14->85 33 WerFault.exe 10 16->33         started        35 2 other processes 16->35 file6 signatures7 process8 file9 37 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->37 dropped 39 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->39 dropped 41 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->43 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea/
Threat name:
Win32.Virus.Floxif
Create hunting rule
Status:
Malicious
First seen:
2023-02-04 15:39:43 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
36 of 37 (97.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vq2breq4wywxkjxegsiqzp3gmjmgfgswqw7drc4tf7cgr7a7pva._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:r43-rel2 persistence rat upx
Link:
https://tria.ge/reports/230513-2st6yshf56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Remcos
Malware Config
C2 Extraction:
solo.chessregister.rss-search.anondns.net:8443
Unpacked files
SH256 hash:
9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387
MD5 hash:
f598b6379f84e43532b6adc2198bfd9c
SHA1 hash:
73fcd6e681a26ab2ea356a9b951a8557bbc43f4c
Detections:
win_floxif_auto
Create hunting rule
Link:
https://www.unpac.me/results/9d51099e-f1a8-461f-a354-c0f67fb01a94/
Parent samples :
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a
SH256 hash:
8bbd25c48cdf3855b8005d8a1ff43ea414a52e4c2d8af5b148f94887eb3c7a37
MD5 hash:
121dafb3abfac91bff81d0997a2f3a20
SHA1 hash:
d9fb267feb12390f7e35d6665a4ec3fc5593bd48
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/9d51099e-f1a8-461f-a354-c0f67fb01a94/
Parent samples :
d1937bc0326abde4ce4a9f3cac4fac05de2926bfec9be2ea40200b9682bebe30
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
SH256 hash:
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
MD5 hash:
b63c3a21783b1641807dc1b35e0c27e3
SHA1 hash:
c046b31552ed57ca77a8290c6c75f61a7a02cdac
Link:
https://www.unpac.me/results/9d51099e-f1a8-461f-a354-c0f67fb01a94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Malware - Floxif
Reference:Internal Research
Rule name:Malware_Floxif_mpsvc_dll_RID30C4
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:MALWARE_Win_FloodFix
Create hunting rule
Author:ditekSHen
Description:Detects FloodFix
Rule name:MAL_Floxif_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:MAL_Floxif_Generic_RID2DCE
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720
Create hunting rule
Author:Florian Roth
Description:Detects Floxif Malware
Reference:Internal Research
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_floxif_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.floxif.
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389026/

Comments