MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: a1a77d48d276da51e97ce070b0d4c08c6f2900e8a2d4c15ce0adb4cff27c2669
SHA3-384 hash: 7c1734ccee32e1b91b3a0c3603a5e703a73b361b43c876f994f6e546e953dff1bb61d0375a45df558672b6ebcecb8b22
SHA1 hash: a0d32141b0c3bb39ce4f4e6a8d4fb0699341d4e3
MD5 hash: 0be98dc322d842f3f9952ca41c2fe012
humanhash: burger-crazy-finch-winter
File name: saw.bat
Signature: RemcosRAT
File size: 2'921'546 bytes
First seen: 2024-11-30 20:18:54 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 24576:FYfNclHFdqSgaRDQMErAfBEHuMEIZVx+RCNJXCP+G1dT+pnmSqocVHrO5I8CZ:FqNclHbqS710rAf+uME6AP7xCA
Threatray: 115 similar samples on MalwareBazaar
TLSH: T11CD55FF738AF17475705639BA78BE96427ABC83747C27EC4C0CAD688400A6DF1960E5E
Magika: txt
Reporter: JAMESWT_WT
Tags: bat here-industry-wind-greece-trycloudflare-com RemcosRAT WsgiDAV

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 98.2%
Tags: delphi emotet

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: extrac32 lolbin

Result
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: rans.bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates many large memory chunks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found large BAT file
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Opens the same file many times (likely Sandbox evasion)
Registers a new ROOT certificate
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1565803
Sample: saw.bat
Start date: 30/11/2024
Architecture: WINDOWS
Score: 100

Network indicators attached to the sample's root node:
  myumysmeetr.ddns.net
  mysweeterbk.ddns.net (Uses dynamic DNS services)
  6 other IPs or domains
  Root signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree (child processes indented under their parent; "drops" = files written, "signatures" = sandbox signatures raised by that process):
  cmd.exe
    AnyDesk.PIF
      connects to drive.usercontent.google.com (142.250.181.33:443, GOOGLEUS, United States) and drive.google.com (172.217.19.238:443, GOOGLEUS, United States)
      drops C:\Users\Public\Puyiaiob.url (MS), C:\Users\Public\Libraries\Puyiaiob (data)
      signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
      colorcpl.exe
        drops C:\ProgramData\ANYDESKS\logs.dat (data)
        signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures
      cmd.exe
        esentutl.exe
          drops C:\Users\Public\alpha.pif (PE32)
          signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
        alpha.pif
          xpha.pif
            connects to 127.0.0.1
        esentutl.exe
          drops C:\Users\Public\xpha.pif (PE32)
        6 other processes
      esentutl.exe
        drops C:\Users\Public\Libraries\Puyiaiob.PIF (PE32)
        conhost.exe
    extrac32.exe
      drops C:\Users\Public\alpha.exe (PE32+)
      signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
    alpha.exe
      kn.exe
        signatures: Registers a new ROOT certificate; Drops PE files with a suspicious file extension
    5 other processes
      kn.exe
        drops C:\Users\Public\Libraries\AnyDesk.PIF (PE32)
      extrac32.exe
        drops C:\Users\Public\kn.exe (PE32+)
  Puyiaiob.PIF
    signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    SndVol.exe
      signatures: Detected Remcos RAT
  Puyiaiob.PIF
    signatures: Allocates many large memory chunks
    colorcpl.exe
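The sandbox tree above shows the loader's staging pattern: extrac32.exe and esentutl.exe copying system binaries into C:\Users\Public under .exe/.pif names, .PIF payloads executing from C:\Users\Public\Libraries, and a .PIF spawning a system binary (colorcpl.exe, SndVol.exe) as an injection host. The following is an added example, written for this page and not taken from MalwareBazaar, the sandbox vendor, or the Sigma project: a few simplified process-creation rules (my own, loosely named after the Sigma titles listed above, not the actual Sigma rule logic) run over constructed Sysmon-style records. The records, paths and command lines are constructed to mirror the tree; the sample's real command lines are not shown on the page. The copy syntaxes used, extrac32 /Y /C and esentutl /y ... /d, are the documented file-copy uses of those two binaries.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event ID 1 style fields)."""
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
SYSTEM_EXE = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\[^\\]+\.exe$", re.IGNORECASE)
COPY_LOLBINS = {"extrac32.exe", "esentutl.exe"}  # both can copy arbitrary files


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def exec_from_public(ev: ProcessEvent) -> bool:
    """Process image lives under C:\\Users\\Public (cf. 'Execution from Suspicious Folder')."""
    return bool(PUBLIC_DIR.match(ev.image))


def pe_with_pif_extension(ev: ProcessEvent) -> bool:
    """A .PIF being executed is a PE carrying a misleading extension."""
    return ev.image.lower().endswith(".pif")


def lolbin_copies_system_binary(ev: ProcessEvent) -> bool:
    """extrac32 /C or esentutl /y ... /d copying something out of System32 into Public."""
    if basename(ev.image) not in COPY_LOLBINS:
        return False
    cl = ev.command_line.lower()
    return "\\system32\\" in cl and "\\users\\public\\" in cl


def parent_in_public_spawns_system_binary(ev: ProcessEvent) -> bool:
    """A payload in Public starting a signed system binary, the usual injection host."""
    return bool(PUBLIC_DIR.match(ev.parent_image)) and bool(SYSTEM_EXE.match(ev.image))


# Hypothetical rule names, chosen for this example; they are not Sigma rule identifiers.
RULES: dict[str, Callable[[ProcessEvent], bool]] = {
    "exec_from_public": exec_from_public,
    "pe_with_pif_extension": pe_with_pif_extension,
    "lolbin_copies_system_binary": lolbin_copies_system_binary,
    "parent_in_public_spawns_system_binary": parent_in_public_spawns_system_binary,
}


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map the index of every event that fires at least one rule to the rule names."""
    findings: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            findings[i] = fired
    return findings


# Constructed records modelled on the sandbox tree; not real telemetry from the sample.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 r'cmd.exe /c "C:\Users\victim\Downloads\saw.bat"'),
    ProcessEvent(r"C:\Windows\System32\extrac32.exe", r"C:\Windows\System32\cmd.exe",
                 r"extrac32 /Y /C C:\Windows\System32\certutil.exe C:\Users\Public\alpha.exe"),
    ProcessEvent(r"C:\Windows\System32\esentutl.exe", r"C:\Windows\System32\cmd.exe",
                 r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"),
    ProcessEvent(r"C:\Users\Public\Libraries\Puyiaiob.PIF", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\Libraries\Puyiaiob.PIF"),
    ProcessEvent(r"C:\Windows\System32\colorcpl.exe", r"C:\Users\Public\Libraries\Puyiaiob.PIF",
                 r"C:\Windows\System32\colorcpl.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 r'notepad.exe "C:\Users\victim\notes.txt"'),  # benign control record
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), ", ".join(names))
```

The benign notepad.exe record and the initial cmd.exe launch fire nothing, while the two LOLBin copies, the .PIF execution from Public and the .PIF-spawned colorcpl.exe each surface on their own; correlating them by parent/child chain, as the sandbox graph does, is what turns four weak signals into one confident alert.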
Threat name: Win32.Trojan.Acll
Status: Malicious
First seen: 2024-11-30 18:35:41 UTC
File type: Text
Extracted files: 1
AV detection: 7 of 23 (30.43%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader discovery persistence trojan
Behaviour
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAT_DbatLoader
Author: NDA0E
Description: Detects base64 and hex encoded MZ header used by DbatLoader

Rule name: dbatloader_bat_v2
Author: RandomMalware
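The BAT_DbatLoader description says the rule keys on a base64 or hex encoded MZ header inside the batch file. As an added example, written for this page and not the YARA rule itself nor the content of saw.bat, here is a scanner that finds such runs and checks that they decode to something with a plausible PE layout. The two batch scripts are constructed: the real layout of saw.bat is not shown on the page, and the self-decoding layout (certutil copied to a .pif name and run with -decode on "%~f0", the blob parked after exit /b) and the dropped-file names are assumptions modelled on the sandbox tree. The derivation of the "TV[o-r]" prefix for base64 runs that start with "MZ" is general and does not depend on the sample.

```python
from __future__ import annotations

import base64
import re
import struct

# Base64 of any buffer that starts with "MZ" (0x4D 0x5A) begins with "TV" followed by
# o, p, q or r: the first 12 bits of 'M','Z' fix the symbols "TV", and the low nibble
# of 'Z' (1010) fixes the top four bits of the third symbol (40..43 = o..r).
# certutil writes and reads base64 wrapped on 64-character lines, so CR/LF are allowed
# inside the run and stripped before decoding.
B64_MZ = re.compile(r"TV[opqr][A-Za-z0-9+/\r\n]{61,}={0,2}")
# Hex-encoded "MZ" followed by at least 31 more byte pairs (a DOS header is 64 bytes).
HEX_MZ = re.compile(r"4D5A(?:[0-9A-F]{2}){31,}", re.IGNORECASE)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_pe(text: str) -> list[dict]:
    """One record per base64 or hex run in `text` that decodes to an MZ header."""
    hits = []
    for m in B64_MZ.finditer(text):
        core = re.sub(r"[\r\n=]", "", m.group(0))
        if len(core) % 4 == 1:          # a lone trailing symbol can never be valid base64
            core = core[:-1]
        data = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        hits.append({"encoding": "base64", "offset": m.start(),
                     "size": len(data), "valid_pe": looks_like_pe(data)})
    for m in HEX_MZ.finditer(text):
        data = bytes.fromhex(m.group(0))
        hits.append({"encoding": "hex", "offset": m.start(),
                     "size": len(data), "valid_pe": looks_like_pe(data)})
    return hits


def _fake_pe() -> bytes:
    """Constructed stand-in for a dropped PE: MZ stub, e_lfanew = 0x40, PE signature, padding."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


_B64 = base64.b64encode(_fake_pe()).decode()
_WRAPPED = "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))

# Constructed batch script, not the real saw.bat: certutil is copied to a .pif name in
# C:\Users\Public and used to decode the base64 block parked at the script's own tail.
SAMPLE_B64_BAT = f"""@echo off
copy /y %windir%\\system32\\certutil.exe %public%\\alpha.pif
%public%\\alpha.pif -decode "%~f0" %public%\\Libraries\\Puyiaiob.PIF
start "" %public%\\Libraries\\Puyiaiob.PIF
exit /b
-----BEGIN CERTIFICATE-----
{_WRAPPED}
-----END CERTIFICATE-----
"""

# Constructed variant carrying the same PE as one hex string for certutil -decodehex.
SAMPLE_HEX_BAT = f"""@echo off
echo {_fake_pe().hex().upper()}>%public%\\stage.hex
certutil -decodehex %public%\\stage.hex %public%\\kn.exe
"""

if __name__ == "__main__":
    for name, script in (("base64", SAMPLE_B64_BAT), ("hex", SAMPLE_HEX_BAT)):
        print(name, find_encoded_pe(script))
```

The e_lfanew check matters in practice: a bare "TVq"/"4D5A" match also fires on harmless certificate blobs and on hex dumps of unrelated data, whereas a run whose decoded bytes carry a consistent DOS header plus PE signature is almost always a staged executable. Runs that decode to an MZ header but fail the PE check are still reported (valid_pe is False) so an analyst can look at reversed or partially obfuscated payloads by hand.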
