MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
SHA3-384 hash: 48e9cf9ffe29141db7cd80a2099880f8851d8b36c078a658da4e16140820b8ac94023c58bc90f0ffdb81b0177a57cbc0
SHA1 hash: ed8dbcd877b29427a0e65afca87a961b913b2427
MD5 hash: 19877c0de0c846072076447d6e4b539c
humanhash: leopard-black-five-washington
File name:order confirmation reference no. FXEPS6S08102.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:913'120 bytes
First seen:2022-09-13 23:46:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bbd6f19009894fa1ab803b23f677f9e (3 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:ZOoNkC1LR7d1g1Iasz4l4yDoCHjsG83q/rhf7fvQBu5F:ZbpRh1i+4ToT3q/lvku/
TLSH T14F15BFE5B2F1CF33C023197ECA6B72445A7EBE611D14740EA7D43958EEB8241243EA5B
TrID 28.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
26.4% (.SCR) Windows screen saver (13101/52/3)
13.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
80.85.153.132:2442

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.85.153.132:2442 https://threatfox.abuse.ch/ioc/849595/

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309877/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.22964.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Setting a keyboard event handler
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37602/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
keylogger overlay packed
Link:
https://www.filescan.io/uploads/632116bdb564f001cc83cb25/reports/612d904a-8c14-4e49-99dc-1b9216299ac5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f569935-4589-40a9-bd3a-262468d37305
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069898
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Delayed program exit found
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 702430 Sample: order confirmation referenc... Startdate: 14/09/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 8 other signatures 2->53 6 Nrebwdfk.exe 14 2->6         started        10 order confirmation reference no. FXEPS6S08102.exe 1 18 2->10         started        13 Nrebwdfk.exe 14 2->13         started        process3 dnsIp4 33 vunb6q.am.files.1drv.com 6->33 43 2 other IPs or domains 6->43 57 Multi AV Scanner detection for dropped file 6->57 59 Machine Learning detection for dropped file 6->59 61 Contains functionality to inject threads in other processes 6->61 65 2 other signatures 6->65 15 Nrebwdfk.exe 6->15         started        35 vunb6q.am.files.1drv.com 10->35 37 onedrive.live.com 10->37 39 am-files.fe.1drv.com 10->39 23 C:\Users\Public\Libraries23rebwdfk.exe, PE32 10->23 dropped 25 C:\Users\...25rebwdfk.exe:Zone.Identifier, ASCII 10->25 dropped 27 C:\Users\Public\Libraries27rebwdfk, data 10->27 dropped 63 Injects a PE file into a foreign processes 10->63 17 order confirmation reference no. FXEPS6S08102.exe 2 17 10->17         started        41 vunb6q.am.files.1drv.com 13->41 45 2 other IPs or domains 13->45 21 Nrebwdfk.exe 13->21         started        file5 signatures6 process7 dnsIp8 29 bestsuccess.ddns.net 80.85.153.132, 2442, 49728 CHELYABINSK-SIGNAL-ASRU Russian Federation 17->29 31 geoplugin.net 178.237.33.50, 49729, 80 ATOM86-ASATOM86NL Netherlands 17->31 55 Installs a global keyboard hook 17->55 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4/
Threat name:
Win32.Trojan.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 23:46:10 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
24 of 25 (96.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p74irjczujdw7hr57sxypgptbpbeqcgranqgkesqhfe3hk4brtca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:yak persistence rat trojan
Link:
https://tria.ge/reports/220913-3sab8agha7/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
bestsuccess.ddns.net:2442
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/18c8958a-c503-4d82-a1ae-4890a32de531
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/ca198e3a-0fbc-463c-8b01-6359787a646d/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
MD5 hash:
19877c0de0c846072076447d6e4b539c
SHA1 hash:
ed8dbcd877b29427a0e65afca87a961b913b2427
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/ca198e3a-0fbc-463c-8b01-6359787a646d/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ff888a459a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309877/

Comments