MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a
SHA3-384 hash: 2dd6f849f55589b4ef13b3a8528dfb1bb510bc56176543debaf5e0921d4ac5c8941ed3eb386dd19e2f7c87e6e5ae556a
SHA1 hash: bfe077b029a1a6d4beeda154fa706f4ff0cfff82
MD5 hash: 658e8867a46096faafb9939ba1faeb1a
humanhash: ohio-robin-mike-florida
File name:DHL Shipment Document Waybill .exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'731'078 bytes
First seen:2024-07-23 06:39:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:WR3njD6TaOQ5KJh7WXePuq5LktSbm5ktGn:qjD65Q5Kz7WXJq5Lkt6m/n
Threatray 4'293 similar samples on MalwareBazaar
TLSH T14C85001172AB5C8BFD501438D8E935F42AFDAE43B6F9582FEF847E046076A7C1898532
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 00000daeb6900000 (3 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Packed.Powershell-10032150-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669f5046b302ab76f4485a6f
Tags:
Discovery Encryption Execution Infostealer Network Stealth Remcos
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade overlay remcos
Link:
https://www.filescan.io/uploads/669f5045a59c11b474ea3f38/reports/f2b8c13b-bf7d-4115-abfb-df4e1ea19a37/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e88127fe-4783-4d61-a5fa-2893ad0c760b
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1478989
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1478989 Sample: DHL Shipment Document Waybi... Startdate: 23/07/2024 Architecture: WINDOWS Score: 100 33 geoplugin.net 2->33 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 8 DHL Shipment Document Waybill .exe 3 2->8         started        signatures3 process4 signatures5 53 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->53 55 Writes to foreign memory regions 8->55 57 Allocates memory in foreign processes 8->57 59 Injects a PE file into a foreign processes 8->59 11 aspnet_wp.exe 3 15 8->11         started        16 WerFault.exe 19 16 8->16         started        18 conhost.exe 8->18         started        20 2 other processes 8->20 process6 dnsIp7 35 178.23.190.118, 49704, 49705, 52499 LYNERO-ASDK unknown 11->35 37 geoplugin.net 178.237.33.50, 49707, 80 ATOM86-ASATOM86NL Netherlands 11->37 31 C:\ProgramData\remcos\logs.dat, data 11->31 dropped 61 Contains functionality to bypass UAC (CMSTPLUA) 11->61 63 Detected Remcos RAT 11->63 65 Tries to steal Mail credentials (via file registry) 11->65 67 8 other signatures 11->67 22 aspnet_wp.exe 1 11->22         started        25 aspnet_wp.exe 1 11->25         started        27 aspnet_wp.exe 14 11->27         started        29 aspnet_wp.exe 11->29         started        file8 signatures9 process10 signatures11 47 Tries to steal Instant Messenger accounts or passwords 22->47 49 Tries to steal Mail credentials (via file / registry access) 22->49 51 Tries to harvest and steal browser information (history, passwords, etc) 25->51
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a/
Threat name:
Win64.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-07-23 05:27:01 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
12
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lcnrolfmp24tdyat2becb4y5dz7ww7lrbuivlw5wj25wyl5cqjva._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587
RemcosRAT
61fc662a678c75e1f17ee6bb00ef853c6d51bd4ae90616c8ed4995c45e96206d
RemcosRAT
7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754
RemcosRAT
ab4c9b244a1604655032a8f69acc4273265fa35337906e05a1dc2b274b3b13a6
RemcosRAT
b6eedb3e8a594bc26e68d34f345e0cb276a247458e326bf71276fa93cab52357
RemcosRAT
cce955a091518aefb9693ba4e103cdc31afc138c9eb9503984bf08f5f70eff46
RemcosRAT
+ 4'283 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:dollar man collection rat
Link:
https://tria.ge/reports/240723-he714sscrh/
Behaviour
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Remcos
Malware Config
C2 Extraction:
178.23.190.118:52499
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/164f702b-e93b-4d62-85ba-ddc49287b617
Unpacked files
SH256 hash:
589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a
MD5 hash:
658e8867a46096faafb9939ba1faeb1a
SHA1 hash:
bfe077b029a1a6d4beeda154fa706f4ff0cfff82
Link:
https://www.unpac.me/results/976d0a70-9fc6-4586-b490-113c0b06106e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments