MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
SHA3-384 hash: 406512e4f101f92bd0a08541ca34da733bcc412b46435aa83671c2cc600b75098e8408d59fee67e38fdf1987b575958b
SHA1 hash: f1ad165e124bd16c3c7455a9d655358af85c421e
MD5 hash: 019d27472f0b3877c761c9e9379d3c92
humanhash: fanta-uniform-happy-red
File name:27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'602'615 bytes
First seen:2025-02-20 13:19:40 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:lCIjFcC9xQ3lDQgPJMngfbYFc6vTIGQLmC4BRwhJ9cXfUXS:/
Threatray 411 similar samples on MalwareBazaar
TLSH T11E26E8E72BFE674A2705336F5A4FA9440B1BDC644BC39FD840C70AD8540E65B2A90E9F
Magika batch
Reporter JAMESWT_WT
Tags:bat RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
Verdict:
Malicious activity
Analysis date:
2025-02-20 13:23:20 UTC
Tags:
remcos rat remote
Link:
https://app.any.run/tasks/ca79be6a-18d4-410b-9fa9-70480e6e02fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Other.Malware-gen.26690.21817.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b76f56a0fd713c335c1710
Tags:
delphi shell sage blic
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
extrac32 lolbin
Link:
https://www.filescan.io/uploads/67b748d0ad0a3c7dbe71b05a/reports/713d2c52-2ac2-4f3c-b9c2-346d9796cf08/overview
Verdict:
Malicious
Labled as:
Trojan[Dropper]/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1620214
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found large BAT file
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Registers a new ROOT certificate
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1620214 Sample: dR5Mnysb4I.bat Startdate: 20/02/2025 Architecture: WINDOWS Score: 100 70 plmakeawa.duckdns.org 2->70 72 2025keeptring.gotdns.ch 2->72 74 geoplugin.net 2->74 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 106 13 other signatures 2->106 10 cmd.exe 1 2->10         started        12 Fgdewtue.PIF 2->12         started        15 Fgdewtue.PIF 2->15         started        signatures3 104 Uses dynamic DNS services 70->104 process4 signatures5 17 rdha.pif 1 10->17         started        19 alpha.pif 1 10->19         started        22 expha.pif 1 10->22         started        29 7 other processes 10->29 130 Antivirus detection for dropped file 12->130 132 Multi AV Scanner detection for dropped file 12->132 134 Early bird code injection technique detected 12->134 25 colorcpl.exe 12->25         started        136 Allocates memory in foreign processes 15->136 138 Allocates many large memory junks 15->138 27 SndVol.exe 15->27         started        process6 file7 31 ANYDESK.PIF 1 7 17->31         started        108 Uses ping.exe to sleep 19->108 110 Uses ping.exe to check the status of other devices and networks 19->110 35 ghf.pif 3 2 19->35         started        54 C:\Users\Public\alpha.pif, PE32+ 22->54 dropped 112 Drops PE files to the user root directory 22->112 114 Drops PE files with a suspicious file extension 22->114 116 Drops or copies certutil.exe with a different name (likely to bypass HIPS) 22->116 118 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 22->118 120 Detected Remcos RAT 25->120 56 C:\Users\Public\rdha.pif, PE32+ 29->56 dropped 58 C:\Users\Public\ghf.pif, PE32+ 29->58 dropped 60 C:\Users\Public\expha.pif, PE32+ 29->60 dropped 37 PING.EXE 1 29->37         started        40 ghf.pif 2 29->40         started        signatures8 process9 dnsIp10 62 C:\Users\Public\Libraries\Fgdewtue.PIF, PE32 31->62 dropped 64 C:\Users\Public\FgdewtueF.cmd, DOS 31->64 dropped 66 C:\Users\Public\Fgdewtue.url, MS 31->66 dropped 84 Antivirus detection for dropped file 31->84 86 Multi AV Scanner detection for dropped file 31->86 88 Early bird code injection technique detected 31->88 96 4 other signatures 31->96 42 colorcpl.exe 4 13 31->42         started        46 cmd.exe 1 31->46         started        48 cmd.exe 1 31->48         started        90 Registers a new ROOT certificate 35->90 92 Drops PE files to the user root directory 35->92 94 Drops PE files with a suspicious file extension 35->94 76 127.0.0.1 unknown unknown 37->76 68 C:\Users\Public\ANYDESK.PIF, PE32 40->68 dropped file11 signatures12 process13 dnsIp14 78 2025keeptring.gotdns.ch 194.59.31.4, 2500, 49705, 49822 COMBAHTONcombahtonGmbHDE Germany 42->78 80 194.59.31.47, 49977, 5200 COMBAHTONcombahtonGmbHDE Germany 42->80 82 geoplugin.net 178.237.33.50, 49978, 80 ATOM86-ASATOM86NL Netherlands 42->82 122 Contains functionality to bypass UAC (CMSTPLUA) 42->122 124 Detected Remcos RAT 42->124 126 Contains functionalty to change the wallpaper 42->126 128 4 other signatures 42->128 50 conhost.exe 46->50         started        52 conhost.exe 48->52         started        signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-02-18 14:47:18 UTC
File Type:
Text
Extracted files:
1
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5rr5ccgenbloaegfu4j2mdiwftobmyea3hnw64irumqbn6ma3mq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
RemcosRAT
3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e
RemcosRAT
3c20f8f6aa5f1c960bbf6a758112c1cc17ac5a07b769e1e4b3300d685583a7b8
RemcosRAT
4360efc190c8e1b7bc3b2c8b6e469a1b2a23d08b895e69e97e1abdc2057db037
RemcosRAT
a8ad0cb7c6c4d332bc50ca8af649af8877555a79e0d4d1df3cad1ea68acd26fb
RemcosRAT
b53b26656933d4ccf3c6665d5ca45ea9e9db1463bd96aa1c0a372b658db23574
RemcosRAT
eecc7116c5730d44a829ee1e1d91cada1e9deb98122b358503e493aa5e60087a
RemcosRAT
error
RemcosRAT
f72ebfe6f11291393acec156f0f73b1eb5abf74761d5de8dd7b55839542c56af
RemcosRAT
+ 401 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:we go again discovery persistence rat trojan
Link:
https://tria.ge/reports/250220-wlx2datls8/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
2025keeptring.gotdns.ch:2500
plmakeawa.duckdns.org:5200
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAT_DbatLoader
Create hunting rule
Author:NDA0E
Description:Detects base64 and hex encoded MZ header used by DbatLoader
Rule name:dbatloader_bat_v2
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments