MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fbca7154111316e9d34ac02beb2377d20ca8426cc83669c89313a4a83358503. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: 1fbca7154111316e9d34ac02beb2377d20ca8426cc83669c89313a4a83358503
SHA3-384 hash: ed728abfec1257edd2cb8da610d1a535cec13265fa9dfc8c649d318bd6aac32ab1950676d6b7a4f715025bf12aa81059
SHA1 hash: 392c403155f80c9d841759885b4c7b97965b5646
MD5 hash: b77d15dd668287b4f3080591cf0847e3
humanhash: california-failed-yellow-wisconsin
File name: BL-INV.exe
Signature: RemcosRAT
File size: 1'112'576 bytes
First seen: 2021-11-19 15:16:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9932ed6ef0f007ba412ff7a0ba590c83 (2 x BitRAT, 2 x Formbook, 1 x AveMariaRAT)
ssdeep 24576:IAysw0SxuOso3abg4gGJaysrP/mJXgESvLqa:IAySo3vGJaysrP/mJXg6
Threatray 855 similar samples on MalwareBazaar
TLSH T149359F1662919036D8BA1FB4CF8B97B1193ABDC42960444777F47D9C7BBE920343A2CB
dhash icon 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter Anonymous
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 133
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BL-INV.exe
Verdict: Malicious activity
Analysis date: 2021-11-19 15:52:31 UTC
Tags: installer rat remcos keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Remcos DBatLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Threat name: Win32.Trojan.Injuke
Status: Malicious
First seen: 2021-11-19 15:17:07 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:no starup persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Remcos
Malware Config
C2 Extraction: 79.134.225.20:8760
Unpacked files
SHA256 hash: 884d99b457e14d78d737b3ac26748c6a4aa834de2317acbe0fb87fcb5d23f65e
MD5 hash: 422adab412b2bc9eda31361e676cb23a
SHA1 hash: 0f23391f7d7c36b4623f33f4046c009344221b2d
Detections: win_temple_loader_w0
Parent samples :
SHA256 hash: 1fbca7154111316e9d34ac02beb2377d20ca8426cc83669c89313a4a83358503
MD5 hash: b77d15dd668287b4f3080591cf0847e3
SHA1 hash: 392c403155f80c9d841759885b4c7b97965b5646
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments