MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414b68bd6651b0db85c3c32c102b06c9540ee320ddc5acf51d473bb1c9299f4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 414b68bd6651b0db85c3c32c102b06c9540ee320ddc5acf51d473bb1c9299f4e
SHA3-384 hash: 871cc125b5047ed75fcd584c3e8699ad013e559a65c10431a8c644e2d3d09e667ba0fbffbb0869220ba8ecefb1c19c4a
SHA1 hash: 7ffad208e50818abe80c3bd13705af5efb83e66d
MD5 hash: 90f7cdc4433c4f8824f844b63cdbf202
humanhash: march-high-table-triple
File name:SOA_P990T341_JAN_2024.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'541'697 bytes
First seen:2024-02-08 06:55:23 UTC
Last seen:2024-02-08 07:32:06 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 49152:V0Rqhg1OTb9q9haAOxrosriRdATYK+BdfjoceCU:X
TLSH T135C5E13C46476ED9F9489BE9C74C13DF2D69246BC52B137E8DACD26111AF4B4CA3C0A8
TrID 45.4% (.MP3) MP3 audio (ID3 v1.x tag) (2500/1/1)
36.3% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
18.1% (.MP3) MP3 audio (1000/1)
Reporter cocaman
Tags:bat RemcosRAT

Intelligence

File Origin
# of uploads :
4
# of downloads :
102
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
KoadicBAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/475296/
Detection(s):
SecuriteInfo.com.PUA.Base64EXE-1.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/65c47b0904c91578faaff857/reports/44a353c4-bee1-4a2f-bac6-83804182ba19/overview
Verdict:
Suspicious
Labled as:
Trojan.BAT
Link:
https://www.hybrid-analysis.com/sample/414b68bd6651b0db85c3c32c102b06c9540ee320ddc5acf51d473bb1c9299f4e
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1388856
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found large BAT file
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Remcos
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1388856 Sample: SOA_P990T341_JAN_2024.bat Startdate: 08/02/2024 Architecture: WINDOWS Score: 100 83 ip.1013.filemail.com 2->83 85 geoplugin.net 2->85 87 1013.filemail.com 2->87 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Antivirus detection for URL or domain 2->111 113 14 other signatures 2->113 11 cmd.exe 1 2->11         started        14 Gpwnovgy.PIF 2->14         started        16 Gpwnovgy.PIF 2->16         started        signatures3 process4 signatures5 121 Uses ping.exe to sleep 11->121 123 Uses ping.exe to check the status of other devices and networks 11->123 18 cmd.exe 1 11->18         started        20 certutil.exe 3 2 11->20         started        24 cmd.exe 1 11->24         started        30 3 other processes 11->30 125 Early bird code injection technique detected 14->125 127 Machine Learning detection for dropped file 14->127 129 Allocates memory in foreign processes 14->129 26 colorcpl.exe 14->26         started        28 colorcpl.exe 16->28         started        process6 file7 32 pointer.com 1 8 18->32         started        75 C:\Users\Public\pointer.com, PE32 20->75 dropped 115 Drops PE files to the user root directory 20->115 117 Drops PE files with a suspicious file extension 20->117 37 conhost.exe 20->37         started        119 Uses ping.exe to sleep 24->119 39 PING.EXE 1 24->39         started        signatures8 process9 dnsIp10 79 ip.1013.filemail.com 192.240.97.42, 443, 49709, 49710 COGENT-174US United States 32->79 67 C:\Users\Public\Libraries\truesight.sys, PE32+ 32->67 dropped 69 C:\Users\Public\Libraries\netutils.dll, PE32+ 32->69 dropped 71 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 32->71 dropped 73 3 other malicious files 32->73 dropped 99 Early bird code injection technique detected 32->99 101 Machine Learning detection for dropped file 32->101 103 Drops PE files with a suspicious file extension 32->103 105 3 other signatures 32->105 41 SndVol.exe 3 16 32->41         started        46 cmd.exe 4 32->46         started        81 127.0.0.1 unknown unknown 39->81 file11 signatures12 process13 dnsIp14 89 192.3.101.8, 49713, 49714, 49731 AS-COLOCROSSINGUS United States 41->89 91 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 41->91 77 C:\ProgramData\remcos\logs.dat, data 41->77 dropped 131 Tries to steal Mail credentials (via file registry) 41->131 133 Maps a DLL or memory area into another process 41->133 135 Installs a global keyboard hook 41->135 48 SndVol.exe 1 41->48         started        51 SndVol.exe 1 41->51         started        53 SndVol.exe 2 41->53         started        61 3 other processes 41->61 55 cmd.exe 2 46->55         started        57 conhost.exe 46->57         started        59 cmd.exe 1 46->59         started        63 7 other processes 46->63 file15 signatures16 process17 signatures18 93 Tries to steal Instant Messenger accounts or passwords 48->93 95 Tries to steal Mail credentials (via file / registry access) 48->95 97 Tries to harvest and steal browser information (history, passwords, etc) 51->97 65 conhost.exe 55->65         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/414b68bd6651b0db85c3c32c102b06c9540ee320ddc5acf51d473bb1c9299f4e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iffwrplgkgynxbodymwbakygzfka5yza3xc2z5i5i453dsjjt5ha._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost collection persistence rat trojan
Link:
https://tria.ge/reports/240208-h29hfsda42/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
127.0.0.1:45671
127.0.0.1:55677
192.3.101.8:55677
192.3.101.8:45671
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/414b68bd6651b0db85c3c32c102b06c9540ee320ddc5acf51d473bb1c9299f4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_BAT_KoadicBAT
Create hunting rule
Author:ditekSHen
Description:Koadic post-exploitation framework BAT payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 8f8ceb98b60d548d502c480c051d1aeb2b6b77f0ba90452e8e8f25d4c3d7c95c

RemcosRAT

Batch (bat) bat 414b68bd6651b0db85c3c32c102b06c9540ee320ddc5acf51d473bb1c9299f4e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8f8ceb98b60d548d502c480c051d1aeb2b6b77f0ba90452e8e8f25d4c3d7c95c
Cape
Cape
https://www.capesandbox.com/analysis/475296/
  
Dropped by
MD5 10ea775bdb4bf882559e3787cc4c9a49

Comments