MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae
SHA3-384 hash: dfa76b1bca439bdc2b3dddc28469659dccdfed26fda985c7e8699ba677d83025bb70c505ba4a5d69017f206eafa3386f
SHA1 hash: e5c15cd5b46374f6e5292a83d51e017d4608e891
MD5 hash: f44801cfdef9afc811005e8fa67486a7
humanhash: beer-eight-low-lemon
File name:x.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'195'008 bytes
First seen:2024-02-09 13:07:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:X/o41iwtNIZ5p/TvCkV0uf5ZmH1OvrpPICwb/x:g41i0WvCkCua1Opw
Threatray 3'475 similar samples on MalwareBazaar
TLSH T1F945F12B5EC6B995C1998933B3A955DC02F59E2FBCC5E367188C72F4CB3538D22025A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 4c33d8d4d4d8324c (40 x AgentTesla, 23 x RedLineStealer, 15 x RemcosRAT)
Reporter e24111111111111
Tags:DarkTortilla exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Promac S.A.220172615415415.Tar
Verdict:
Malicious activity
Analysis date:
2024-02-08 12:14:21 UTC
Tags:
rat remcos keylogger remote
Link:
https://app.any.run/tasks/fa1a0f29-f8ee-4f72-a41a-890e51bdc0b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475571/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin obfuscated remcos shell32
Link:
https://www.filescan.io/uploads/65c623b331039a85aad94b94/reports/bf638fb8-35f9-4d31-b23b-df45c7cba0da/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OutSteel
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10c13aa6-8ae7-436a-8abf-9f20c19ab59c
Result
Threat name:
Remcos, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1389738
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-02-08 11:22:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjy72s5mz5ceclb2sl4x6fvzsysiypaxa275ffuueu52agvwl6xa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1f46d078bfe514f7aeebf7ac92bd226d10335d74702a81059b9d24f5849437e4
DarkTortilla
3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587
DarkTortilla
4effb7493819e25c61af5e224d8a774652957b99ec1faca19e1c84bd0c9ff840
DarkTortilla
6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
DarkTortilla
9c6493910b2ebd8fc274c1bd93ca54205f124aa1484aa4d17bbe7bee10cd3ff6
DarkTortilla
a7aca87179f51e229aa9a2f13bb8ab76750c8092579cc7b4d0cbc40235cdde27
DarkTortilla
b89f11149cf87734d5e56b24e4b6a604ba3c10a4bcb5ca6567a9f6c595c6a4ab
DarkTortilla
db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0
DarkTortilla
ff0a84220d028052a841312cd81baa525d19f7e4b0ce94dbbaf6634a776d3814
DarkTortilla
+ 3'465 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:qhost rat
Link:
https://tria.ge/reports/240209-qc774abd2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Remcos
Malware Config
C2 Extraction:
172.245.208.5:2060
Unpacked files
SH256 hash:
56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash:
50f28d178452b2db4e1f466904e55c78
SHA1 hash:
d9a3246a570715d756a6c653b6818afb99ae39ec
Link:
https://www.unpac.me/results/f661f857-5097-476f-ab64-eb3931e1f59f/
SH256 hash:
0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash:
2c064163cda2f093cf6d20302481dff7
SHA1 hash:
cf948b10d999c369ef51972f86278a4f536d400d
Link:
https://www.unpac.me/results/f661f857-5097-476f-ab64-eb3931e1f59f/
SH256 hash:
2db82e9b91b1ccb1957b4e06ec49bfb0096e973213fc1786de1bbe3162f5df5a
MD5 hash:
27dea42a70bd7e948f1171ce873878a1
SHA1 hash:
b87051d51479c093cdf3e721acea4fd8b940b1e5
Link:
https://www.unpac.me/results/f661f857-5097-476f-ab64-eb3931e1f59f/
SH256 hash:
57ccc8755380c559d6ff2bf4b27718d6d5131cda204e59a9d0469b8da3b3caee
MD5 hash:
c6faa5267f90429bb605fc5fa26b8866
SHA1 hash:
410197b0d0863bdeced3ce3e4d99ef5caef93c89
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Link:
https://www.unpac.me/results/f661f857-5097-476f-ab64-eb3931e1f59f/
SH256 hash:
b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae
MD5 hash:
f44801cfdef9afc811005e8fa67486a7
SHA1 hash:
e5c15cd5b46374f6e5292a83d51e017d4608e891
Link:
https://www.unpac.me/results/f661f857-5097-476f-ab64-eb3931e1f59f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b271fd4baccf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 82242a1cf275f1c2f798069535e2e1dff5ad11b5a669ca7d5b133c3073223842

RemcosRAT

cab 0fd52ebb37e4e5c41756133e47215547478097f9a6ff170cc442cb21276e3f36

DarkTortilla

Executable exe b271fd4baccf44412c3a92f97f16b996248c3c1706bfd29694253ba01ab65fae

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/475571/
  
Dropped by
SHA256 0fd52ebb37e4e5c41756133e47215547478097f9a6ff170cc442cb21276e3f36
  
Dropped by
MD5 58b04d71e53c817574f1c8b9abd9620f

Comments


Avatar
Kasibe commented on 2024-03-01 11:47:48 UTC

Remcos