MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3
SHA3-384 hash: 97f6c4f352f8bc51d140c9476db09c5c892ec97ec238e6a1ff9af71a717c4f6b593f76675592390ca73530566b28747c
SHA1 hash: a3ef9269bc3a1c10ab532a4e45e674b90802d435
MD5 hash: e6ed552b84d437e90031f9fc3d41b62a
humanhash: nineteen-michigan-eighteen-oranges
File name:clip.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:847'360 bytes
First seen:2021-07-30 19:11:38 UTC
Last seen:2021-07-30 19:52:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c54a51ade970b440d47c550557ef97c5 (1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:UW/TXFjs7ss0L1gFV5qNri5CQBznMjFJHQndtXUhF0dh0MgsLmP:UW/DZs7qgPRVVnWwJdhatP
Threatray 342 similar samples on MalwareBazaar
TLSH T145059ED1B1A24833DD135E3CAC6BEB2D95B9BE1019184146BBF4AC0C4F757977E2B08A
dhash icon 89acae93529aaaa2 (1 x NetWire, 1 x RemcosRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
572
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175347/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.21546.11806.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d60a4ede-5c77-455c-894a-1e34fd0b216f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824655
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457067 Sample: clip.exe Startdate: 30/07/2021 Architecture: WINDOWS Score: 100 69 Multi AV Scanner detection for domain / URL 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 10 other signatures 2->75 8 clip.exe 1 24 2->8         started        13 Xoydyzh.exe 16 2->13         started        15 Xoydyzh.exe 16 2->15         started        process3 dnsIp4 55 sn-files.fe.1drv.com 8->55 57 onedrive.live.com 8->57 59 apwoqw.sn.files.1drv.com 8->59 49 C:\Users\Public\Libraries\...\Xoydyzh.exe, PE32 8->49 dropped 79 Writes to foreign memory regions 8->79 81 Creates a thread in another existing process (thread injection) 8->81 83 Injects a PE file into a foreign processes 8->83 17 ieinstal.exe 2 3 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        61 sn-files.fe.1drv.com 13->61 65 2 other IPs or domains 13->65 85 Multi AV Scanner detection for dropped file 13->85 25 DpiScaling.exe 13->25         started        63 sn-files.fe.1drv.com 15->63 67 2 other IPs or domains 15->67 27 ieinstal.exe 15->27         started        file5 signatures6 process7 dnsIp8 53 twistednerd.dvrlists.com 185.189.112.27, 49731, 49732, 49733 M247GB United Kingdom 17->53 77 Injects a PE file into a foreign processes 17->77 29 ieinstal.exe 1 17->29         started        32 ieinstal.exe 13 17->32         started        35 ieinstal.exe 1 17->35         started        37 reg.exe 1 21->37         started        39 conhost.exe 21->39         started        41 cmd.exe 1 23->41         started        43 conhost.exe 23->43         started        signatures9 process10 dnsIp11 87 Tries to steal Instant Messenger accounts or passwords 29->87 89 Tries to steal Mail credentials (via file access) 29->89 51 192.168.2.1 unknown unknown 32->51 91 Tries to harvest and steal browser information (history, passwords, etc) 32->91 45 conhost.exe 37->45         started        47 conhost.exe 41->47         started        signatures12 process13
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 19:11:27 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wdgwtqywsppaizo3itsqcqnk2u6icdzfo5ezxo62glb7zsoppzq._file
Verdict:
malicious
Similar samples:
10f675a780a5814df0a79b673213a2ed2989816a517797df5656551b0819789c
RemcosRAT
38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c
RemcosRAT
46a376d25369d059b1c149d8fb4821aa3ddb504bb381a02f3d5e4e019a41ed4d
RemcosRAT
75b6c107ad6001f2588229fbfdb96dc998fe9f3e44f8df69c98096aceea9aa73
RemcosRAT
d8f95b86b00cd4ba851931bc543ea4c20a8629335ea04d85d2dbd4829d53a2d4
RemcosRAT
e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7
RemcosRAT
e8c59da246fccfab27b1e04e4d2bae1f222e845c9573b7b0c5f01d90aa76a3a3
RemcosRAT
fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f
RemcosRAT
+ 332 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:jules persistence rat trojan
Link:
https://tria.ge/reports/210730-bfxe1keq6s/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
twistednerd.dvrlists.com:8618
Unpacked files
SH256 hash:
a6dbc14cb792b7eb21fb78abbcfc50ab940717ff8bdebf2f8db47e1ab12b6f9b
MD5 hash:
49995a2953873c7265752d191ae9f40b
SHA1 hash:
2f911fc1c8371812fbe412cf60886cf7554b20c9
Link:
https://www.unpac.me/results/1adf55de-95f1-498f-b278-a8cc25987095/
SH256 hash:
fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3
MD5 hash:
e6ed552b84d437e90031f9fc3d41b62a
SHA1 hash:
a3ef9269bc3a1c10ab532a4e45e674b90802d435
Link:
https://www.unpac.me/results/1adf55de-95f1-498f-b278-a8cc25987095/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1493498/
Cape
Cape
https://www.capesandbox.com/analysis/175347/

Comments