MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5
SHA3-384 hash: 823b8d823936bd2f5d684e1781246d7c24e5918ea1c6d5a7157cf34115621241df7f2f1d1c222611d1faa9acc57afd58
SHA1 hash: 946845c94b61847bf8cefeff153eaa4f9095f55f
MD5 hash: 9a987344afb7334bd5fceeae97055408
humanhash: fruit-romeo-december-double
File name:PO3488-0337.bat
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'077'724 bytes
First seen:2024-04-09 09:25:20 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 49152:XgJ9GvW/Z22bISDp6JXl62tBW7Abb/1XaN+Nkn:i
Threatray 620 similar samples on MalwareBazaar
TLSH T1C316C6D72DEE568597053B9BB74BEC980B2FCD310FC26EDC40D60698860B64F3990D9A
Reporter abuse_ch
Tags:bat RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
192.3.216.142:7232

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5.unknown
Verdict:
No threats detected
Analysis date:
2024-04-09 09:31:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61c8da19-f31f-4b88-993e-cae1c4386247

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/661509ab08ebdfcacdff63c6/reports/64b51590-b773-480c-a16e-685735edf57c/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.ASD
Link:
https://www.hybrid-analysis.com/sample/985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5
Result
Verdict:
MALICIOUS
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1423086
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found large BAT file
Found malware configuration
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Remcos
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1423086 Sample: PO3488-0337.bat Startdate: 09/04/2024 Architecture: WINDOWS Score: 100 68 dual-spov-0006.spov-msedge.net 2->68 70 web.fe.1drv.com 2->70 72 5 other IPs or domains 2->72 76 Snort IDS alert for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 14 other signatures 2->82 9 cmd.exe 1 2->9         started        11 Lyjjreuv.PIF 2->11         started        14 Lyjjreuv.PIF 2->14         started        signatures3 process4 dnsIp5 17 Yano.com 4 21 9->17         started        22 extrac32.exe 1 9->22         started        24 alpha.exe 1 9->24         started        26 5 other processes 9->26 98 Multi AV Scanner detection for dropped file 11->98 100 Detected Remcos RAT 11->100 74 13.107.139.11, 443, 49718, 49719 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->74 signatures6 process7 dnsIp8 62 dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49705, 49706 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->62 64 192.3.216.142, 49708, 49709, 49710 AS-COLOCROSSINGUS United States 17->64 66 geoplugin.net 178.237.33.50, 49711, 80 ATOM86-ASATOM86NL Netherlands 17->66 52 C:\Users\Public\Libraries\netutils.dll, PE32+ 17->52 dropped 54 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 17->54 dropped 56 C:\Users\Public\Lyjjreuv.url, MS 17->56 dropped 58 C:\ProgramData\remcos\logs.dat, data 17->58 dropped 84 Multi AV Scanner detection for dropped file 17->84 86 Detected Remcos RAT 17->86 88 Tries to steal Mail credentials (via file registry) 17->88 96 7 other signatures 17->96 28 Yano.com 1 17->28         started        31 Yano.com 1 17->31         started        33 extrac32.exe 1 17->33         started        42 3 other processes 17->42 60 C:\Users\Public\alpha.exe, PE32+ 22->60 dropped 90 Drops PE files to the user root directory 22->90 92 Drops or copies certutil.exe with a different name (likely to bypass HIPS) 22->92 94 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 22->94 36 kn.exe 3 2 24->36         started        38 kn.exe 2 26->38         started        40 extrac32.exe 1 26->40         started        file9 signatures10 process11 file12 102 Tries to steal Instant Messenger accounts or passwords 28->102 104 Tries to harvest and steal browser information (history, passwords, etc) 28->104 106 Tries to steal Mail credentials (via file / registry access) 31->106 46 C:\Users\Public\Libraries\Lyjjreuv.PIF, PE32 33->46 dropped 108 Registers a new ROOT certificate 36->108 110 Drops PE files with a suspicious file extension 36->110 48 C:\Users\Public\Libraries\Yano.com, PE32 38->48 dropped 50 C:\Users\Public\kn.exe, PE32+ 40->50 dropped 44 conhost.exe 42->44         started        signatures13 process14
Score:
6%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbo5u5sxbspp3vus5sskppxvlsm4xswfvz3ignqmcfpkkuu6xksq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1aedcb18ce4460c5eecd34016cb42308b2f8ac1ddc51fb265b45200116a19de9
RemcosRAT
4d02ef98d7fec3d3e752706c11c9a57130dba4b03022f85e12e7214fc92622bc
RemcosRAT
a108ae8bd69ac84bc8dd5fa7bdbb6eff9cd65a70c16567e0f36dae1f15d090fd
RemcosRAT
a1f0f4676e135cc88ab8b6a25c70530fa193b1718bd2ba7b6ac1c997c241f6c8
RemcosRAT
a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc
RemcosRAT
f7f1798e3d66880f2cb35f6764a1c32902abb3ce7ceafe0bc049496ca9161e63
RemcosRAT
fe0cbe46b1c846b98e6e7bc36fc46aac22d50e82aa1aecfebca6769be007a575
RemcosRAT
+ 610 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost collection persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240409-rxz8nach8t/
Behaviour
Enumerates system info in registry
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
192.3.216.142:7232
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/985dda76570c9efdd692eca4a7bef55c99cbcac5ae7683360c115ea5529ebaa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments