MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad1f425b5d5dd645239c646b01d12175341e887945e26a955f51f9da4427b17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bad1f425b5d5dd645239c646b01d12175341e887945e26a955f51f9da4427b17
SHA3-384 hash: 9b7ee4f4be9f1e2e0e4f738e9c7e9116b8fbbea8597013ff092d20e19107be8ffb9a197ed946d2e9136d3db122d35093
SHA1 hash: acfd8436eefcaa6636bb9c53c3d415b6defca908
MD5 hash: a9489995268ca1b684b8bb8ebd65b892
humanhash: india-fifteen-east-oscar
File name:urgent quote.LNK
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:202'545 bytes
First seen:2025-05-07 09:32:58 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 6144:DRMmQ/3452kkIPfTSpg8LvAt3Wnylhf41g4ZW4n:DU/345lbfT78Ut3WnUAa4ZW4n
Threatray 864 similar samples on MalwareBazaar
TLSH T11714F215D55E0FCDED2A4DBD04AE69094D9C2E323D12D4F6DA5B014FC32898E29D2E3B
Magika lnk
Reporter abuse_ch
Tags:lnk RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.PowerShell.Download-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b293791991ead82b5bf06
Tags:
autorun delphi emotet
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/bad1f425b5d5dd645239c646b01d12175341e887945e26a955f51f9da4427b17/results/dashboard
Payload URLs
URL
File name
https://huadongrubbercable.com/NEWCOLOR/r.txt','C:\\ProgramData\\HEW.GIF');
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/bad1f425b5d5dd645239c646b01d12175341e887945e26a955f51f9da4427b17
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1683084
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1683084 Sample: urgent quote.LNK.lnk Startdate: 07/05/2025 Architecture: WINDOWS Score: 100 61 www.ees-ro.com 2->61 63 huadongrubbercable.com 2->63 65 geoplugin.net 2->65 75 Suricata IDS alerts for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 18 other signatures 2->81 9 powershell.exe 14 21 2->9         started        14 rundll32.exe 3 2->14         started        16 svchost.exe 1 2->16         started        signatures3 process4 dnsIp5 67 huadongrubbercable.com 198.54.114.164, 443, 49682, 49683 NAMECHEAP-NETUS United States 9->67 57 C:\ProgramData\CHROME.PIF, PE32 9->57 dropped 103 Drops PE files with a suspicious file extension 9->103 105 Found suspicious powershell code related to unpacking or dynamic code loading 9->105 107 Powershell drops PE file 9->107 18 CHROME.PIF 8 9->18         started        22 conhost.exe 1 9->22         started        24 Ovbioqrl.PIF 14->24         started        69 127.0.0.1 unknown unknown 16->69 file6 signatures7 process8 file9 51 C:\Users\user\Links\lrqoibvO.pif, PE32 18->51 dropped 53 C:\Users\user\Links\Ovbioqrl.PIF (copy), PE32 18->53 dropped 83 Windows shortcut file (LNK) starts blacklisted processes 18->83 85 Drops PE files with a suspicious file extension 18->85 87 Writes to foreign memory regions 18->87 89 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->89 26 lrqoibvO.pif 4 15 18->26         started        31 cmd.exe 1 18->31         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        91 Allocates memory in foreign processes 24->91 93 Sample uses process hollowing technique 24->93 95 Allocates many large memory junks 24->95 37 lrqoibvO.pif 24->37         started        signatures10 process11 dnsIp12 71 www.ees-ro.com 196.251.115.153, 3421, 49692 xneeloZA Seychelles 26->71 73 geoplugin.net 178.237.33.50, 49693, 80 ATOM86-ASATOM86NL Netherlands 26->73 59 C:\ProgramData\dhege\logs.dat, data 26->59 dropped 109 Contains functionality to bypass UAC (CMSTPLUA) 26->109 111 Detected unpacking (changes PE section rights) 26->111 113 Detected unpacking (overwrites its own PE header) 26->113 117 5 other signatures 26->117 115 Uses schtasks.exe or at.exe to add and modify task schedules 31->115 39 esentutl.exe 2 31->39         started        43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 schtasks.exe 1 33->47         started        49 conhost.exe 35->49         started        file13 signatures14 process15 file16 55 C:\Users\Public\alpha.pif, PE32 39->55 dropped 97 Drops PE files to the user root directory 39->97 99 Drops PE files with a suspicious file extension 39->99 101 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 39->101 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bad1f425b5d5dd645239c646b01d12175341e887945e26a955f51f9da4427b17/
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 09:33:20 UTC
File Type:
Binary
Extracted files:
1
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xli7ijnv2xowiurzyzdlahisc5jud2ehsrpcnkkv6upz3jccpmlq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
remcos
Create hunting rule
Similar samples:
1e4e746768b4ca1372508b0e90ba68ce4d496b2d4012c734059e13d965a02163
RemcosRAT
937e801eb514b4f00dd260d699cd69247c1bf9b65f925c164704a16bbf8e5156
RemcosRAT
a483446fced41553da4b8d08570b04e6d1ca031d9f6b36cad07aae139e89d1e7
RemcosRAT
a8e88d14e04f62fe1993a2969e86f2d6a6ba71a738190d189776e2c8dc074ebe
RemcosRAT
c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749
RemcosRAT
c8c42ae2eaf33626062223dbafa0d63db32e52fddaccb86794368761784eac4e
RemcosRAT
d0b0ce80bba6791a850094710f1f240de13d9498096e4072e2cb8ef58f9fd329
RemcosRAT
error
RemcosRAT
+ 854 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250507-ljag7aar8x/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Malware Config
Dropper Extraction:
https://huadongrubbercable.com/NEWCOLOR/r.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bad1f425b5d5dd645239c646b01d12175341e887945e26a955f51f9da4427b17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments