MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee
SHA3-384 hash: 95142c1a9d5483ae8da720042b15871a1172909393fb30f2c7dc52f4a027eaaf8de8b35e2158808197e5de947157f8aa
SHA1 hash: dcf6a14a80144f7df0b0343855b13cdd219d522c
MD5 hash: 760a719d5ef1ba9c35a2eb7a7289cc1f
humanhash: carolina-nebraska-video-hot
File name:INVOICE_FEB19-888201-2024.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:3'113'659 bytes
First seen:2024-02-19 15:34:53 UTC
Last seen:2024-02-19 15:35:24 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24576:SioVUfcbb7VQb1J968fbH/Qa6ZteTNVHeeThBQOpiFI1vsAXtDXLUSy0ygHUuO4S:bLIwJIYoyJpK4anoc
TLSH T194E53896BB8307CB210688BFD2AE18495EB7DF3EE1A060DD4753741F25BED84AC25478
TrID 45.4% (.MP3) MP3 audio (ID3 v1.x tag) (2500/1/1)
36.3% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
18.1% (.MP3) MP3 audio (1000/1)
Reporter cocaman
Tags:bat INVOICE RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE_FEB19-888201-2024.Tar
Verdict:
Malicious activity
Analysis date:
2024-02-19 09:53:06 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/f80d2636-b0aa-430c-87e0-96e29e8b35db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
KoadicBAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/476831/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.6770.29749.UNOFFICIAL
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/65d3752d781f5716463daff3/reports/6837725c-2962-4c95-98bb-43de23f9033f/overview
Verdict:
Suspicious
Labled as:
Trojan.BAT
Link:
https://www.hybrid-analysis.com/sample/8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1394689
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found large BAT file
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1394689 Sample: INVOICE_FEB19-888201-2024.bat Startdate: 19/02/2024 Architecture: WINDOWS Score: 100 83 ip.1021.filemail.com 2->83 85 geoplugin.net 2->85 87 1021.filemail.com 2->87 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Antivirus detection for URL or domain 2->111 113 13 other signatures 2->113 11 cmd.exe 3 2 2->11         started        14 Xiogtxbp.PIF 2->14         started        16 Xiogtxbp.PIF 2->16         started        signatures3 process4 signatures5 119 Uses ping.exe to sleep 11->119 121 Uses ping.exe to check the status of other devices and networks 11->121 18 mshta.exe 2 11->18         started        22 cmd.exe 1 11->22         started        24 certutil.exe 3 2 11->24         started        30 2 other processes 11->30 123 Machine Learning detection for dropped file 14->123 125 Writes to foreign memory regions 14->125 127 Allocates memory in foreign processes 14->127 26 pbxtgoiX.pif 14->26         started        129 Sample uses process hollowing technique 16->129 28 pbxtgoiX.pif 16->28         started        process6 file7 73 C:\Users\user\AppData\Local\Temp\Calcex.com, PE32 18->73 dropped 115 Drops PE files with a suspicious file extension 18->115 32 Calcex.com 1 9 18->32         started        117 Uses ping.exe to sleep 22->117 37 PING.EXE 1 22->37         started        75 C:\Users\Public\pointer.hta, HTML 24->75 dropped 39 conhost.exe 24->39         started        signatures8 process9 dnsIp10 79 ip.1021.filemail.com 23.237.82.74, 443, 49707, 49708 COGENT-174US United States 32->79 65 C:\Users\Public\Libraries\truesight.sys, PE32+ 32->65 dropped 67 C:\Users\Public\Libraries\pbxtgoiX.pif, PE32 32->67 dropped 69 C:\Users\Public\Libraries\netutils.dll, PE32+ 32->69 dropped 71 3 other malicious files 32->71 dropped 99 Machine Learning detection for dropped file 32->99 101 Drops PE files with a suspicious file extension 32->101 103 Writes to foreign memory regions 32->103 105 3 other signatures 32->105 41 pbxtgoiX.pif 3 16 32->41         started        46 cmd.exe 4 32->46         started        81 127.0.0.1 unknown unknown 37->81 file11 signatures12 process13 dnsIp14 89 192.3.101.8, 49714, 49715, 55677 AS-COLOCROSSINGUS United States 41->89 91 geoplugin.net 178.237.33.50, 49716, 80 ATOM86-ASATOM86NL Netherlands 41->91 77 C:\ProgramData\remcos\logs.dat, data 41->77 dropped 131 Contains functionality to bypass UAC (CMSTPLUA) 41->131 133 Detected unpacking (changes PE section rights) 41->133 135 Detected unpacking (overwrites its own PE header) 41->135 137 10 other signatures 41->137 48 pbxtgoiX.pif 1 41->48         started        51 pbxtgoiX.pif 41->51         started        53 pbxtgoiX.pif 2 41->53         started        55 cmd.exe 2 46->55         started        57 conhost.exe 46->57         started        59 cmd.exe 1 46->59         started        61 7 other processes 46->61 file15 signatures16 process17 signatures18 93 Tries to steal Instant Messenger accounts or passwords 48->93 95 Tries to steal Mail credentials (via file / registry access) 48->95 97 Tries to harvest and steal browser information (history, passwords, etc) 51->97 63 conhost.exe 55->63         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-02-19 15:34:57 UTC
File Type:
Text
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rpuxvharh453bzzzy6qovwumsko7fr2qux3ivt43xcrojc7svtxa._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost collection persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240219-twcr3sfh7y/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
127.0.0.1:45671
127.0.0.1:55677
192.3.101.8:55677
192.3.101.8:45671
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_BAT_KoadicBAT
Create hunting rule
Author:ditekSHen
Description:Koadic post-exploitation framework BAT payload
Rule name:SUSP_Double_Base64_Encoded_Executable
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889
Rule name:SUSP_Double_Base64_Encoded_Executable_RID34CC
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae

RemcosRAT

Batch (bat) bat 8be97a9c113f3bb0e739c7a0eada8c929df2c750a5f68acf9bb8a2e48bf2acee

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 aaf10709d314a4b8d1c56871e6f83fc52c913384bc5c4c236398e9ceacaa61ae
Cape
Cape
https://www.capesandbox.com/analysis/476831/
  
Dropped by
MD5 e4d6224c10d76c31030e679936bf4b46

Comments