MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 155ca2a0805d91f0677c262aca5016c88459874cab0ec51c1953499479989f7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 11



SHA256 hash: 155ca2a0805d91f0677c262aca5016c88459874cab0ec51c1953499479989f7e
SHA3-384 hash: 90b840c5e66b6b5e7c3a6e2e65c04d4dff452e8c708669dda8d6e656f0f39e442b9c7c812911efe0226867d6d147dadd
SHA1 hash: 05a33eb328e1c34b545c1fe0b11152bb1dcca37e
MD5 hash: bfd9a208c4e94c0b5b46c35ff6121eb5
humanhash: winter-georgia-jig-nebraska
File name: recover.bat
Signature: RemcosRAT
File size: 370 bytes
First seen: 2023-04-05 00:40:26 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 6:hyJHCy1xFdeGgdEWRy8DOckqi23fReGgdEWRy44Ak2clHozLh8CmNIy4hdy5RTOL:UJig4ukDOVqZouAC6vGXNIy4ny5tOVqe
Threatray: 1'784 similar samples on MalwareBazaar
TLSH: T125E0D817412F07B6C567BC4874E34A9FA5270C59725D0FA421F15C1E21426A6B3EDE15
Reporter: Chainskilabs
Tags: bat RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 137
Origin country: US

Vendor Threat Intelligence
Malware family:
ID: 1
File name: recover.bat
Verdict: Malicious activity
Analysis date: 2023-04-05 00:42:14 UTC
Tags: loader remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Changing a file
Creating a file
Sending a custom TCP request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd explorer.exe greyware keylogger powershell shell32.dll
Result
Verdict: UNKNOWN
Result
Threat name:
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Disables UAC (registry)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Remcos
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: [graph visualization omitted] Behavior Graph ID: 841408, Sample: recover.bat, Startdate: 05/04/2023, Architecture: WINDOWS, Score: 100
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost evasion persistence rat trojan
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Remcos
UAC bypass
Malware Config
C2 Extraction: 141.95.16.111:2404
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:iexplorer_remcos
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Remcos
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Rule name:Suspicious_Macro_Presence
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.
Rule name:Windows_Trojan_Remcos_b296e965
Author:Elastic Security
Rule name:win_remcos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
