MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749
SHA3-384 hash: 63a476e7bf1182eed16f01ebc25c086ff640b35296c74ca59e653cc7abe292c9309d3a478e7db7fb295d1b6ec28ae73a
SHA1 hash: 97f86d7ca65e1543db28946c38587dc7b09b0f80
MD5 hash: 283d895e944e2b1b80689b95cb99d683
humanhash: berlin-colorado-uniform-king
File name:ANYDESK.PIF.bin
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'625'088 bytes
First seen:2025-03-05 09:43:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c9c8bb033c87f22be527cac631ebe2c (2 x RemcosRAT, 1 x DBatLoader)
ssdeep 24576:njiUcLz5CApqtlvva62+bis/lT8V9j/VJcJh6QyRZy8//O1jLMftNHvM:ngv2eL/VmJh6QoyIcLMftdvM
TLSH T153758B1FB6904427C016E53F5CDAB39C741AEB2C6A1CBA42F7A51AD4CB272F1F42D216
TrID 26.4% (.EXE) Win64 Executable (generic) (10522/11/4)
25.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
16.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.3% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 6c7212f0cc696116 (3 x DBatLoader, 2 x RemcosRAT)
Reporter JAMESWT_WT
Tags:exe RemcosRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.59.31.40:2404 https://threatfox.abuse.ch/ioc/1441390/

Intelligence

File Origin
# of uploads :
1
# of downloads :
518
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
SPAM.zip
Verdict:
Malicious activity
Analysis date:
2025-03-05 09:33:28 UTC
Tags:
arch-exec evasion rat quasar remote remcos stealer delphi dbatloader loader omani amsi-bypass
Link:
https://app.any.run/tasks/835c71d8-b6b6-41d7-bbfe-38292262ce03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c81ec5c8d04e92a4bf0d17
Tags:
delphi remcos emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a file in the %temp% directory
DNS request
Connection attempt
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b393494-da14-469e-bb50-5827a7078289
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1629956
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1629956 Sample: ANYDESK.PIF.bin.exe Startdate: 05/03/2025 Architecture: WINDOWS Score: 100 47 unforseen.duckdns.org 2->47 49 conquer25.duckdns.org 2->49 51 3 other IPs or domains 2->51 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 73 11 other signatures 2->73 8 ANYDESK.PIF.bin.exe 1 6 2->8         started        12 Gorfgqly.PIF 2->12         started        14 Gorfgqly.PIF 2->14         started        signatures3 71 Uses dynamic DNS services 49->71 process4 file5 35 C:\Users\user\Linksbehaviorgraphorfgqly.PIF, PE32 8->35 dropped 37 C:\ProgramData\version.dll, PE32 8->37 dropped 39 C:\ProgramData\Helper.pif, PE32 8->39 dropped 75 Early bird code injection technique detected 8->75 77 Drops PE files with a suspicious file extension 8->77 79 Allocates memory in foreign processes 8->79 85 2 other signatures 8->85 16 colorcpl.exe 4 14 8->16         started        20 cmd.exe 1 8->20         started        22 SndVol.exe 12->22         started        81 Antivirus detection for dropped file 14->81 83 Multi AV Scanner detection for dropped file 14->83 24 colorcpl.exe 14->24         started        signatures6 process7 dnsIp8 41 baddieszn.duckdns.org 193.9.36.1, 2404, 2500, 49733 NETXNetXNetworksasCZ Czech Republic 16->41 43 unforseen.duckdns.org 194.59.31.40, 2404, 49825, 49828 COMBAHTONcombahtonGmbHDE Germany 16->43 45 geoplugin.net 178.237.33.50, 49835, 80 ATOM86-ASATOM86NL Netherlands 16->45 53 Contains functionality to bypass UAC (CMSTPLUA) 16->53 55 Detected Remcos RAT 16->55 57 Contains functionalty to change the wallpaper 16->57 63 5 other signatures 16->63 26 recover.exe 1 16->26         started        29 recover.exe 1 16->29         started        31 recover.exe 2 16->31         started        33 conhost.exe 20->33         started        59 Contains functionality to steal Chrome passwords or cookies 22->59 61 Contains functionality to steal Firefox passwords or cookies 22->61 signatures9 process10 signatures11 87 Tries to steal Instant Messenger accounts or passwords 26->87 89 Tries to harvest and steal browser information (history, passwords, etc) 26->89 91 Tries to steal Mail credentials (via file / registry access) 29->91
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-03-03 12:53:19 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydrqioytwinlgr6hztibn6jpoy5ddwuzpppwuyltadv3nqpte5eq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery persistence trojan
Link:
https://tria.ge/reports/250305-lqkxhawjw9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Modiloader-10042434-0
YARA:
n/a
Link:
https://app.threat.zone/submission/d9f9e3d5-f5ee-4541-971b-c0f89838c703
Unpacked files
SH256 hash:
c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749
MD5 hash:
283d895e944e2b1b80689b95cb99d683
SHA1 hash:
97f86d7ca65e1543db28946c38587dc7b09b0f80
Link:
https://www.unpac.me/results/d51ad852-f4d6-4fca-98cf-41a8956e3105/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/d51ad852-f4d6-4fca-98cf-41a8956e3105/
SH256 hash:
96011a7fd70f795750b647d17d9bcc0c997873eee28ad4ee749b12f25a5b214c
MD5 hash:
c4013a47783292ede97b4fd191634acb
SHA1 hash:
620d6c114e8b3655974d07765f458175d5ff3c1a
Link:
https://www.unpac.me/results/d51ad852-f4d6-4fca-98cf-41a8956e3105/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c0e3043b13b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0e3043b13b21ab347c7ccd016f92f763a31da997bdf6a617300ebb6c1f32749

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Generic_Threat_d7b57912
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryW
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments