MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664
SHA3-384 hash: bf7c280097b293344b8b1f5e0693a483248c6175bf36a97fa6e4ed50d0d115ddbf008bdca271f2cd29b863d45cf86983
SHA1 hash: 84e0e1e9371b52e6682303fc11b02b69a3df782d
MD5 hash: d2d166937422f379e6dd15041d83af21
humanhash: zulu-pizza-lamp-bakerloo
File name:d2d166937422f379e6dd15041d83af21.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'691'648 bytes
First seen:2024-09-22 14:51:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e64daf69e8e4577f3613fe9a6f2b519 (1 x RemcosRAT)
ssdeep 24576:mZGjH3HfO7fC0Nj3+8OioUMxW24Q7Q9p+Lz:mUrwP+8OiSWaOp+Lz
Threatray 30 similar samples on MalwareBazaar
TLSH T19375F4F1DDEB4063D13D153848579E94373F7A2229F4387722A7244EFEB6186A03AC5A
TrID 29.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
22.2% (.EXE) Win64 Executable (generic) (10523/12/4)
21.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
9.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 2c4d0e8e4deab4aa (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
418
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
d2d166937422f379e6dd15041d83af21.exe
Verdict:
Malicious activity
Analysis date:
2024-09-22 14:55:09 UTC
Tags:
rat remcos remote evasion
Link:
https://app.any.run/tasks/400aa6c6-113c-4724-80df-9b09eefa9aac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Starter.8287.19007.21211.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f02f135346c7b922ace68a
Tags:
Discovery Execution Generic Infostealer Network Static Stealth Monitor Emotet Sage
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint keylogger lolbin shell32
Link:
https://www.filescan.io/uploads/66f02f160883d6a903ed8763/reports/8cc65422-8fa7-4421-b668-4391da46fde1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42d7f0d4-fb15-446c-a77d-2f3e9679eb18
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1515390
Signature
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1515390 Sample: ZPujMIT7Vs.exe Startdate: 22/09/2024 Architecture: WINDOWS Score: 100 56 apostlejob2.duckdns.org 2->56 58 maan2u.com 2->58 60 geoplugin.net 2->60 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 11 other signatures 2->72 8 ZPujMIT7Vs.exe 1 6 2->8         started        13 Tbnansag.PIF 2->13         started        15 Tbnansag.PIF 2->15         started        signatures3 70 Uses dynamic DNS services 56->70 process4 dnsIp5 62 maan2u.com 112.137.173.77, 443, 49730, 49731 TMVADS-APTM-VADSDCHostingMY Malaysia 8->62 44 C:\Users\Public\Tbnansag.url, MS 8->44 dropped 46 C:\Users\Public\Libraries\Tbnansag, data 8->46 dropped 82 Early bird code injection technique detected 8->82 84 Allocates memory in foreign processes 8->84 86 Allocates many large memory junks 8->86 90 2 other signatures 8->90 17 SndVol.exe 3 16 8->17         started        22 cmd.exe 1 8->22         started        24 esentutl.exe 2 8->24         started        88 Multi AV Scanner detection for dropped file 13->88 26 SndVol.exe 13->26         started        28 colorcpl.exe 15->28         started        file6 signatures7 process8 dnsIp9 52 apostlejob2.duckdns.org 192.161.184.44, 2468, 49732 ASN-QUADRANET-GLOBALUS United States 17->52 54 geoplugin.net 178.237.33.50, 49733, 80 ATOM86-ASATOM86NL Netherlands 17->54 40 C:\ProgramData\remcos\logs.dat, data 17->40 dropped 74 Contains functionality to bypass UAC (CMSTPLUA) 17->74 76 Detected Remcos RAT 17->76 78 Contains functionalty to change the wallpaper 17->78 80 5 other signatures 17->80 30 esentutl.exe 2 22->30         started        34 esentutl.exe 2 22->34         started        36 conhost.exe 22->36         started        42 C:\Users\Public\Libraries\Tbnansag.PIF, PE32 24->42 dropped 38 conhost.exe 24->38         started        file10 signatures11 process12 file13 48 C:\Users\Public\alpha.pif, PE32 30->48 dropped 92 Drops PE files to the user root directory 30->92 94 Drops PE files with a suspicious file extension 30->94 96 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 30->96 50 C:\Users\Public\xpha.pif, PE32 34->50 dropped signatures14
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-09-12 19:43:18 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywo2le4pmz6ajsrlunrzw3ft2wat7qmj2szpietbhnf7unvoazsa._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
1ef76a2d8261360325fb2881c01e8cb3c1ac8cd4616cddf762e14e89e0a88d7f
RemcosRAT
3db983f5bbefb35bdcda7168bd4c17b5d2766a2997c1e67941a8244bc8399b94
RemcosRAT
4494b0f1eb0a6e2da871e8cb4d37818b0ca0c47a98960374783304d83a94445e
RemcosRAT
568f1a74aef894d9d4bd954f6003dc7331c5f48cb62cb060bbfebdac87993c62
RemcosRAT
8f66087a136da4cc49c15eec3b25f784077bb2fb1f8b583765a6f0236fbe71fc
RemcosRAT
964ed7e43cc6386b44ec0fc938fef97489780e9ca5262084d752a61fdafa5976
RemcosRAT
b7c1f8aa7692d8e2f7a2a186ff3b097a390bd9cc6d8c74abc764be9f5d89a4bf
RemcosRAT
c5e8a4921e0e29532eee2d68c56f6d85205786e10044a5fe3271e1a1c5ea9080
RemcosRAT
cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d
RemcosRAT
d9fa5a32ffadff0527ca655025366ff697118e20647bfd73fe3670934a02c985
RemcosRAT
+ 20 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/240922-r8p7tsvekr/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f06c2126-9ac7-492a-8a70-6f38041eb1f1
Unpacked files
SH256 hash:
f97921fe0b68f4ccc83705dc7f15beeb2eef4977da886caf96f4a1a7840c985c
MD5 hash:
677a9f03ffa0f69d16d9ffebecd4588a
SHA1 hash:
e4fef1443f685ac718670bcf66b1e52102d7c52e
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/06c01766-310c-485e-9397-a3f73a01d2f9/
Parent samples :
59640b32fd4e89cd138da35df35473a554da351660e7b654610642433135032c
c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664
04ea25c19c4f9bc7788cc78115386f2a8c0647bc23980cd57d8376fc0d1e7820
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/06c01766-310c-485e-9397-a3f73a01d2f9/
SH256 hash:
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
MD5 hash:
869640d0a3f838694ab4dfea9e2f544d
SHA1 hash:
bdc42b280446ba53624ff23f314aadb861566832
Link:
https://www.unpac.me/results/06c01766-310c-485e-9397-a3f73a01d2f9/
SH256 hash:
c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664
MD5 hash:
d2d166937422f379e6dd15041d83af21
SHA1 hash:
84e0e1e9371b52e6682303fc11b02b69a3df782d
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/06c01766-310c-485e-9397-a3f73a01d2f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe c59da5938f667c04ca2ba3639b6cb3d5813fc189d4b2f412613b4bfa36ae0664

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3184863/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetVolumeInformationA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments