MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883
SHA3-384 hash: 7b7c8557b97d81c0b59e84adf6be922e4b88f3fe64ef458abfee2237b9993d99ee9789cb79a48f5ac48f02904ce0183d
SHA1 hash: b81ea9184aa40311e0bb3c2aeeb9f29a14e0ce42
MD5 hash: 74bfd09b9a0b0836314357a380e89af4
humanhash: network-hotel-hawaii-finch
File name:Payment_Advice.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'037'314 bytes
First seen:2022-10-07 17:27:24 UTC
Last seen:2022-10-07 19:14:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 08f8f71412e1d5c82bdf6919c2830f17 (2 x Formbook, 1 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:qkQHUxA6s8jEg3sQHniC4uSJdWoQE4/2EK73WLr9RZCqsP031kX3r5wuvYe+msnX:PjO8jEg3DHnyuSjxU3XjZpwzGzj
Threatray 1'977 similar samples on MalwareBazaar
TLSH T1B625AE61B7DC0C33E5231A784C1BA7586DEABF02382C798B36E97C1C4E72E40BD55966
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 14044d4c4e0e0614 (4 x Formbook, 3 x ModiLoader, 1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317703/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.55134.7989.2313.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41874/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
formbook greyware keylogger overlay packed zusy
Link:
https://www.filescan.io/uploads/634061a65c60ccc9fcff6740/reports/8c544c04-49eb-44e8-96be-b2a73e9ab747/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8bbe9e5-3024-4c04-a8c9-616f431bafaa
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085932
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 13:40:25 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbyquwpe347zphhd2hg7vuf7vetr6fhrezjebmvze473fhlqhcbq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0529c6a403748e2cbf6b6694891b1327d3782f4a41b35c3bd81a176119544456
RemcosRAT
2f53875cb56cc1a1f69655fcfca71ac0f952b8d582bda33e101d8b262e38d0f9
RemcosRAT
31edb5c9a0590d100f941cfcb0c142abf141fba4a90c6bddb6c7fc59b4475f28
RemcosRAT
3ab2ca682019279e28525a8ff1a72e08badba1c0f3012f926bad1528b2b0944a
RemcosRAT
3c21819ed32b31c231e20b51b1f956e4160a7b8dbfe7468b096ce64b4b138007
RemcosRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
RemcosRAT
fdd7d96b0a21a1cc73dec6865c08f961b1a6bc21bfebd2d89a37c8bc37abde9b
RemcosRAT
fe800049d4ece336205fd83c50c747fc4f7f18e4cb2f2e80f37d0ec1700166d1
RemcosRAT
+ 1'967 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:amara persistence rat trojan
Link:
https://tria.ge/reports/221007-v11v5schh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
betterdaysahead.duckdns.org:20987
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eb187b45-9eed-4cdd-acb8-8b1b6d0638ae
Unpacked files
SH256 hash:
409fd946d142ee7af873ca1c943766238930a3b6f94bd8a0233463500f5d1f8f
MD5 hash:
5e63c430ee26d3981412ee2d242e9ede
SHA1 hash:
a942d1700560210ae6ce99b60c0cdf5b36fedf92
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/2753e725-1d93-4473-a9ce-fd78fb0d4f74/
Parent samples :
f2ce7756c2480374eb046877c871235d23b9b7b5e2b3cbf32b2608070399efd1
28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883
SH256 hash:
28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883
MD5 hash:
74bfd09b9a0b0836314357a380e89af4
SHA1 hash:
b81ea9184aa40311e0bb3c2aeeb9f29a14e0ce42
Link:
https://www.unpac.me/results/2753e725-1d93-4473-a9ce-fd78fb0d4f74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 28710a59e4df3f979ce3d1cdfad0bfa9271f14f1265240b2b9273fb29d703883

(this sample)

  
Dropped by
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/317703/

Comments