MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1
SHA3-384 hash: c597e68fdff6f1926e98f8b73d898f4bf74de412f3ba725c203a56343d7303be4873ecb17daccd3a038345d133932576
SHA1 hash: bca8a81371a0eeace4f95ba9335ff6a5f9f953c9
MD5 hash: 15782be2ac476a9e215e62638cea0863
humanhash: oven-six-sink-california
File name:IMAGESCANDOCUMENTFILES000010100112HHUEYDH.bat.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:808'448 bytes
First seen:2023-07-20 07:57:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash da21ccc93f3893853ed8366aca50ca61 (3 x Formbook, 1 x RemcosRAT, 1 x ModiLoader)
ssdeep 24576:rk/A25GoqxIJs7ks3XJrPz6cDCnvMXqv9:rKAKGj7ks35rPmaCnvMav9
TLSH T16E059E21B2B284B3E1262E359C27977954B4BE60293810177BD23D9DEF7B3D278281D7
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 80ace0c4e4d09000 (5 x Formbook, 4 x ModiLoader, 3 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
91.192.100.49:32676

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
IMAGESCANDOCUMENTFILES000010100112HHUEYDH.bat.exe
Verdict:
Malicious activity
Analysis date:
2023-07-20 08:25:34 UTC
Tags:
dbatloader keylogger remcos
Link:
https://app.any.run/tasks/c8b4f9ee-c6c6-4c36-9bb9-ef16779960c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/425893/
Detection(s):
SecuriteInfo.com.Variant.Jaik.156859.6886.5498.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/64b8e90bfd9e198dc11669c6/reports/a515b5ea-b4b8-4065-af2f-c3c1f24ef197/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ade8155-fdf3-48c3-b116-9f73d850bd25
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276543
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1276543 Sample: IMAGESCANDOCUMENTFILES00001... Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 25 www.akbeyaztckstil.com 2->25 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 7 other signatures 2->49 7 Zhqtktga.PIF 2->7         started        11 IMAGESCANDOCUMENTFILES000010100112HHUEYDH.bat.exe 1 2 2->11         started        14 Zhqtktga.PIF 2->14         started        signatures3 process4 dnsIp5 29 web.fe.1drv.com 7->29 37 3 other IPs or domains 7->37 51 Multi AV Scanner detection for dropped file 7->51 53 Machine Learning detection for dropped file 7->53 55 Writes to foreign memory regions 7->55 57 Injects a PE file into a foreign processes 7->57 16 logagent.exe 7->16         started        31 web.fe.1drv.com 11->31 33 onedrive.live.com 11->33 39 2 other IPs or domains 11->39 23 C:\Users\Public\Libraries\Zhqtktga.PIF, PE32 11->23 dropped 59 Drops PE files with a suspicious file extension 11->59 61 Allocates memory in foreign processes 11->61 63 Creates a thread in another existing process (thread injection) 11->63 18 colorcpl.exe 5 3 11->18         started        35 web.fe.1drv.com 14->35 41 3 other IPs or domains 14->41 21 colorcpl.exe 14->21         started        file6 signatures7 process8 dnsIp9 27 www.akbeyaztckstil.com 91.192.100.49, 32676, 49721, 49722 AS-SOFTPLUSCH Switzerland 18->27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 07:58:06 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=acn5vveeawqrzcd2hf7kil6jh7dtb3bz4y7fyypt7dptd7zuyhyq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:trukeynewlogs persistence rat trojan
Link:
https://tria.ge/reports/230720-jttygaeb6s/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Suspicious use of NtCreateProcessOtherParentProcess
Malware Config
C2 Extraction:
www.akbeyaztckstil.com:32676
Unpacked files
SH256 hash:
37cf6c9b34752dbe6a758f876ad58d196993df6a98cf7a873e484897280700f6
MD5 hash:
3889cdfac954d07278eae955d5e13b27
SHA1 hash:
33a2bdea8e076738d219541736615a2a2177c922
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/7e10c82c-4398-4255-8b37-b697ae39147b/
Parent samples :
009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1
b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4
SH256 hash:
009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1
MD5 hash:
15782be2ac476a9e215e62638cea0863
SHA1 hash:
bca8a81371a0eeace4f95ba9335ff6a5f9f953c9
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/7e10c82c-4398-4255-8b37-b697ae39147b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/009bdad48405/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/425893/

Comments