MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
SHA3-384 hash: cc26e28515bdd489c8e7d4e7f479c293e9b915b555faae4ae9bcd677edfa7f304cf6374dc4b5742b7d30983bcefc2731
SHA1 hash: 2323b8cad178103a32ebf24af8ad9ad8e7f29f6e
MD5 hash: 0cf1f1b440c30083d0c9c32e446a0680
humanhash: diet-echo-mexico-earth
File name:0cf1f1b440c30083d0c9c32e446a0680
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'263'104 bytes
First seen:2023-08-29 14:04:20 UTC
Last seen:2023-08-29 14:40:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d0dfcbc350384b57e57b16f197fa626 (3 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep 24576:swGq5fTk3ROmX7zJDlAuqezXlu+VkGdKitox:swLfTcLzE38Vu+3EitK
Threatray 9 similar samples on MalwareBazaar
TLSH T1DF45E016E3B14532F1635839C9DBA7749C2D7D627A087E4B6BF8090D9E3A341782839F
TrID 74.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
12.2% (.EXE) InstallShield setup (43053/19/16)
4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.7% (.SCR) Windows screen saver (13097/50/3)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 00c292d2d2d2d200 (3 x DBatLoader, 2 x RemcosRAT, 1 x NetWire)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Factura con IVA.doc
Verdict:
Malicious activity
Analysis date:
2023-08-29 12:42:46 UTC
Tags:
exploit cve-2017-11882 loader dbatloader rat remcos remote keylogger
Link:
https://app.any.run/tasks/49b743c9-bd3a-410a-a3b6-42b4631bfebc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445117/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.23278.27361.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Link:
https://www.filescan.io/uploads/64edfb121d3a8c6c1217c605/reports/818e7066-b059-400c-ab7a-0ed47a4e03d9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb387daa-700b-4494-a512-ccc37d2bfeec
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1299565
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1299565 Sample: DxqQQ2WfeF.exe Startdate: 29/08/2023 Architecture: WINDOWS Score: 100 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for URL or domain 2->76 78 9 other signatures 2->78 11 DxqQQ2WfeF.exe 1 7 2->11         started        16 Bhmohqam.PIF 2->16         started        process3 dnsIp4 66 wsvdyhrgebwhevawe.ydns.eu 141.98.10.71, 49721, 49741, 80 HOSTBALTICLT Lithuania 11->66 56 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->56 dropped 58 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->58 dropped 60 C:\Users\Public\Libraries\Bhmohqam.PIF, PE32 11->60 dropped 90 Drops PE files with a suspicious file extension 11->90 92 Writes to foreign memory regions 11->92 94 Allocates memory in foreign processes 11->94 96 Injects a PE file into a foreign processes 11->96 18 cmd.exe 1 11->18         started        21 SndVol.exe 3 16 11->21         started        98 Multi AV Scanner detection for dropped file 16->98 100 Machine Learning detection for dropped file 16->100 25 SndVol.exe 16->25         started        file5 signatures6 process7 dnsIp8 80 Uses ping.exe to sleep 18->80 82 Drops executables to the windows directory (C:\Windows) and starts them 18->82 84 Uses ping.exe to check the status of other devices and networks 18->84 27 easinvoker.exe 18->27         started        29 PING.EXE 1 18->29         started        32 xcopy.exe 2 18->32         started        35 8 other processes 18->35 62 tornado.ydns.eu 85.209.134.253, 1972, 49722 CMCSUS Germany 21->62 64 geoplugin.net 178.237.33.50, 49723, 80 ATOM86-ASATOM86NL Netherlands 21->64 54 C:\ProgramData\remcos\logs.dat, data 21->54 dropped file9 signatures10 process11 dnsIp12 37 cmd.exe 1 27->37         started        68 127.0.0.1 unknown unknown 29->68 70 192.168.2.1 unknown unknown 29->70 50 C:\Windows \System32\easinvoker.exe, PE32+ 32->50 dropped 52 C:\Windows \System32\netutils.dll, PE32+ 35->52 dropped file13 process14 signatures15 86 Adds a directory exclusion to Windows Defender 37->86 40 cmd.exe 1 37->40         started        43 conhost.exe 37->43         started        process16 signatures17 88 Adds a directory exclusion to Windows Defender 40->88 45 powershell.exe 23 40->45         started        process18 signatures19 102 DLL side loading technique detected 45->102 48 conhost.exe 45->48         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 13:22:22 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdd234ueesob7lwimffvmpbogh6e7763yy57qgq4b3niirteef4a._file
Verdict:
malicious
Similar samples:
0a1d374fc74a19fafd920caee9a08e1a999e633d098b8ed02aebf7ad9a66281a
RemcosRAT
53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
RemcosRAT
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
RemcosRAT
781ffcd3281973496019906d76fc8c52786e7ab953292d8bab44865c8d6c9207
RemcosRAT
893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f
RemcosRAT
8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5
RemcosRAT
d7d47b0b0aa55363efdf394d4c3ad4dc6e175edb80e22ae6e7b37cf3bc1d32d1
RemcosRAT
e4688b491eef2134a09a6c4061071f2de9d71df4c07f0aef23aef84f51688d38
RemcosRAT
e9352253e3211314faee670cf457e3f6732d7d93eb52f46aebf4f79cb22cbf7e
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:es persistence rat trojan
Link:
https://tria.ge/reports/230829-rdtxjach53/
Behaviour
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
tornado.ydns.eu:1972
orifak.ydns.eu:1972
Unpacked files
SH256 hash:
88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
MD5 hash:
0cf1f1b440c30083d0c9c32e446a0680
SHA1 hash:
2323b8cad178103a32ebf24af8ad9ad8e7f29f6e
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/fd6759c9-ab98-412e-9282-9305b68407fe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88c7adf28424/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445117/
  
URLhaus
https://urlhaus.abuse.ch/url/2708098/

Comments


Avatar
zbet commented on 2023-08-29 14:04:21 UTC

url : hxxp://wsvdyhrgebwhevawe.ydns.eu/hurripushkin/calculator.exe