MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc
SHA3-384 hash: 26f9b1f86511b529bc5414ccb697cc509d86cc5e12884d50f18f431e8a817271a2e4fa7c13bdcca9244d581d71404e34
SHA1 hash: 1c700726ba2aabf8f0a900bca01a2beecb24834b
MD5 hash: 99ecd80d45d2499b22f8cbcad557779c
humanhash: high-maine-lemon-massachusetts
File name:Bank_NotificationCOPY994633GDTE7464563GDTE.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'014'272 bytes
First seen:2022-07-11 10:51:06 UTC
Last seen:2022-07-12 09:37:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ab36861e060dd44fd8e4618504bc2e1 (8 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:R3XJsk7QHcpqF/p9cPGLcoazHlCwdTrzO9sUvB6ZmKcSwuH:R3XGzgqF/pUDHYfvBQmHy
Threatray 2'182 similar samples on MalwareBazaar
TLSH T1CD259D26A6805533C0EB1A38ADCB57679D777F402A2899461BF13C4C7F39E4136BD2A3
TrID 46.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
31.5% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
18.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 33f098d2d6d8f033 (12 x RemcosRAT, 7 x DBatLoader, 6 x Formbook)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Bank_NotificationCOPY994633GDTE7464563GDTE.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 19:15:25 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/1ced38a5-df24-4be8-976f-1f0e363d02eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286179/
Detection(s):
SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.4317.3965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/25033/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62cc00d7bbcf6baf2793556d/reports/3d7c9270-a393-4954-b816-95d4e9e4ee54/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e9e726a-c4f2-43b9-8076-9467af81ea04
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1028454
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 19:57:50 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xiblvrz3csbtiy6ovirybvnqic7eitgnko6qdyz64ssef6bbt76a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a7baae0933a14082beb95b1c5484dd958e333f7fc499f645c1d550d8ad124a1
RemcosRAT
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
RemcosRAT
62671da23d0acb718d487ed7e7ad280f615915d3551e0a65b0ac82966a6610d9
RemcosRAT
7c46360bc0f882b7d7a6603ce5f141914e645b4afb7f4951cc3e29d76908c518
RemcosRAT
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
RemcosRAT
91dfebe2d0d1f9ac3e495529066a6cd987ad302d33be7fb7fc744f5905daf832
RemcosRAT
bec0e99c27a1be5e7f2ad71f8ebf6153a71ad0026c7a102db8228ad0638c37fe
RemcosRAT
d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
RemcosRAT
+ 2'172 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:inovecap-4-payment rat
Link:
https://tria.ge/reports/220711-mydntsagc4/
Behaviour
Suspicious use of WriteProcessMemory
Remcos
Malware Config
C2 Extraction:
www.inovacaptab.com:2404
Unpacked files
SH256 hash:
c520d72c6f53cb9726cc8f191968b567e70572bd148d48916e64cb76fa859952
MD5 hash:
6e321d1a2d17b500497ebc22bc1a4fd2
SHA1 hash:
0984049a4e229f88ff9e913697b47d342ae3eb93
Link:
https://www.unpac.me/results/f312df7c-7608-476b-9e83-a6232e8baa37/
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/f312df7c-7608-476b-9e83-a6232e8baa37/
SH256 hash:
ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc
MD5 hash:
99ecd80d45d2499b22f8cbcad557779c
SHA1 hash:
1c700726ba2aabf8f0a900bca01a2beecb24834b
Link:
https://www.unpac.me/results/f312df7c-7608-476b-9e83-a6232e8baa37/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba02bac73b14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe ba02bac73b14833463ceaa2380d5b040be444ccd53bd01e33ee4a442f8219ffc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286179/

Comments