MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
SHA3-384 hash: 8736775bbcd936801f47fa968e7111cbfdacc81d5ad87c30b6968f09e8869c21ebfaf452fe15ae27d95cf9782d2f1d57
SHA1 hash: af9c826e25d7d9242c5957cf753af46dcb45fd33
MD5 hash: f8cdbdf8318c11c2e3e286195f067042
humanhash: december-jupiter-fruit-green
File name:b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:952'320 bytes
First seen:2024-12-17 18:45:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e7f521f07f899da88391b86f035a0e3 (1 x RemcosRAT)
ssdeep 24576:R7sP5Kw0G1OAc8msbN0o2IDGHfPMFQJQI/zN:R8o9G1bTcfPMFQJQI/zN
Threatray 45 similar samples on MalwareBazaar
TLSH T199158E32E0606932DD15D5FC4CB2D6E85816BD323F37EC97FAB03D59AA39A446C29183
TrID 38.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
28.2% (.EXE) Win64 Executable (generic) (10522/11/4)
12.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon fcff7fffffff7fbf (2 x DBatLoader, 1 x RemcosRAT)
Reporter JAMESWT_WT
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
447
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
Verdict:
Malicious activity
Analysis date:
2024-12-17 18:49:54 UTC
Tags:
fileshare remcos rat remote
Link:
https://app.any.run/tasks/e5188a4b-ecd7-429e-87ac-8bc0bcfc3323

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.363.2593.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6761c7c2653a8698dfda4135
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger modiloader
Link:
https://www.filescan.io/uploads/6761c6f3643af1fe3072a26d/reports/8969c296-1ae3-46e1-9731-a63722e7dc7e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Starter
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1277c14d-0eff-43fb-b107-cf92b6445844
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1576964
Signature
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1576964 Sample: MeP66xi1AM.exe Startdate: 17/12/2024 Architecture: WINDOWS Score: 100 37 hafiznor3374.duckdns.org 2->37 39 1010.filemail.com 2->39 41 ip.1010.filemail.com 2->41 57 Suricata IDS alerts for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 65 13 other signatures 2->65 8 MeP66xi1AM.exe 1 9 2->8         started        13 Wnbcdrjt.PIF 5 2->13         started        signatures3 63 Uses dynamic DNS services 37->63 process4 dnsIp5 43 ip.1010.filemail.com 23.237.50.106, 443, 49707, 49708 COGENT-174US United States 8->43 29 C:\Users\Public\Libraries\Wnbcdrjt.PIF, PE32 8->29 dropped 31 C:\Users\Public\Wnbcdrjt.url, MS 8->31 dropped 33 C:\Users\Public\Libraries\Wnbcdrjt, data 8->33 dropped 35 C:\Users\Public\Libraries\FX.cmd, DOS 8->35 dropped 67 Drops PE files with a suspicious file extension 8->67 69 Writes to foreign memory regions 8->69 71 Allocates memory in foreign processes 8->71 79 4 other signatures 8->79 15 colorcpl.exe 4 8->15         started        19 cmd.exe 1 8->19         started        73 Multi AV Scanner detection for dropped file 13->73 75 Machine Learning detection for dropped file 13->75 77 Sample is not signed and drops a device driver 13->77 21 cmd.exe 13->21         started        23 colorcpl.exe 13->23         started        file6 signatures7 process8 dnsIp9 45 hafiznor3374.duckdns.org 192.169.69.26, 4610, 49710, 49742 WOWUS United States 15->45 47 127.0.0.1 unknown unknown 15->47 49 Detected Remcos RAT 15->49 51 Contains functionalty to change the wallpaper 15->51 53 Contains functionality to steal Chrome passwords or cookies 15->53 55 3 other signatures 15->55 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2024-12-16 04:31:53 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgadxa7nilupmpttogop77x7gdwpvpwkm5vdubfaq52u4jqiuhcq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
059971ff3a7ed8438ae50f1ae60bc161e93c0b32f8a2b3c5a0e56bbfa05d9cd5
RemcosRAT
0a48088564fd2dc8f1ea13941202da98b65449abf451cd3efff9148711c9b81f
RemcosRAT
1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f
RemcosRAT
449b226d9a6c5729a3fbd0da781cd46d039e15e47f85360489fdeda01da0efc9
RemcosRAT
5bc1d99f9a860d9bc9441bec26838018ac5df5f81b76c9cf1a150c67cdfa29d7
RemcosRAT
5f61f5d9eb8566c9da2253351078903b32feca438d591f283adcd4b401b9a4c5
RemcosRAT
600214899079bef4e29e19e3a5872e86ead5c0e3e960b2730a21ae7b9c64ae0e
RemcosRAT
70aa4f39be71336cedba42e099127e7f2b626092a28de0123747a426515eb384
RemcosRAT
d39cdd125be8be319e9e290012f8907fbb6dff000199f23eab95e47c3d8d898c
RemcosRAT
error
RemcosRAT
fe7ea8656ae589525068edd43cf85db43801652e5bdd8f4053778aba6602de95
RemcosRAT
+ 35 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:fm new discovery persistence rat trojan
Link:
https://tria.ge/reports/241217-xelv7svjdw/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
hafiznor3374.duckdns.org:4610
127.0.0.1:4610
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/78ccb726-7037-4c69-8093-fe07624ac1ee
Unpacked files
SH256 hash:
875c4f442b564542317a1e59da938fd4328e1b5e8506aeda9156514e6dc85cbe
MD5 hash:
1b4fa5905697db1ac81c9feb0e20a280
SHA1 hash:
ee5de783b8b6e6d0ac8bd0c93ae24678e992195f
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/ec9c8994-7daa-4543-b81d-2b0dc95188f8/
Parent samples :
b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
4390ad0a5bd9184058cc6e2fbe64f896f71b0f0e95c27d8769837c6f979b11db
980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29
406044ba7e007830321b3669505774b9e282502ac958f0cd723e5106c33c4180
63c77a3f6cfa94cbc6a4c0c1475f02520592e58d6a03e8553e77a85a3f03c32f
baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d
SH256 hash:
b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
MD5 hash:
f8cdbdf8318c11c2e3e286195f067042
SHA1 hash:
af9c826e25d7d9242c5957cf753af46dcb45fd33
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/ec9c8994-7daa-4543-b81d-2b0dc95188f8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments