MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 2 File information Comments

SHA256 hash:	c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
SHA3-384 hash:	f421dde5842dfe6b97caa2dc41278d8f1288851b0d11077235d7f74eb8e70586290597240b741c8e527d483fabb931cf
SHA1 hash:	e1411689c7eb12dc132db9496f25736fba5e9f0d
MD5 hash:	e9d007ac53470351186a5b53bc180ed3
humanhash:	social-south-sweet-july
File name:	DWG spare parts 455RTMGF Model.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	932'352 bytes
First seen:	2022-09-16 15:05:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	382d9c538727c04c8c0ffa65db10afc6 (3 x ModiLoader, 1 x DBatLoader, 1 x Formbook)
ssdeep	12288:WZ3m2ifTnKeXXOeh0jbXGrapowu0ZCWNDoCHjsG83q/rhf7fvQBc:A9irKeXXOehw2rapowuCCsoT3q/lvkc
Threatray	1'922 similar samples on MalwareBazaar
TLSH	T172159FF7F2F08B33D0131A7DCA7732999A7D7E602820744B67E53A48DFB8541242A967
TrID	28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4) 25.9% (.SCR) Windows screen saver (13101/52/3) 20.8% (.EXE) Win64 Executable (generic) (10523/12/4) 8.9% (.EXE) Win32 Executable (generic) (4505/5/1) 4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter	abuse_ch
Tags:	DBatLoader exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
79.134.225.115:2442

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.134.225.115:2442	https://threatfox.abuse.ch/ioc/850050/

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

DWG spare parts 455RTMGF Model.exe

Verdict:

Malicious activity

Analysis date:

2022-09-16 15:06:58 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/e8f19301-6cd1-4d79-8761-86fe8e263694

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/310585/

Detection(s):

SecuriteInfo.com.Variant.Jaik.95298.15189.21808.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

DNS request

Connecting to a non-recommended domain

Sending an HTTP GET request

Creating a file

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37900/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook greyware keylogger remcos

Link:

https://www.filescan.io/uploads/632491691594be804f896d90/reports/8eccc4b8-ca50-46b7-b134-359ad2a591a8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a69bda6e-c580-4ded-b6c8-4306c330ae0e

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1071707

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Delayed program exit found

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Yara detected Remcos RAT

Yara detected UAC Bypass using ComputerDefaults

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-09-16 01:02:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yyhiufflzanoh4x7xyclgisavevzaaih4swmt24i4q3dflxbezwa._file

Verdict:

malicious

Label(s):

remcos

DBatLoader

2a6cd5b04a1f823de82896e8d2758ce91498ee9231032ae946363477ccc7701a

DBatLoader

2c16d0478165d6d71ce57fedc1fa23bb93ac73df68b71e8875901d7f55d54f70

DBatLoader

4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f

DBatLoader

592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065

DBatLoader

808b1f23a0d9457d31d5abd083b2b81cc68b0a0d3a87e59e9e6d56d773dbde39

DBatLoader

c1a4991ae17887dc70504cf13daafef24a394e39dc5e19177ea8d8139432e8b6

DBatLoader

eaea558cf05de77f2b72fe6ccafbcd63198dd067627d801a40b1b7d95251666f

DBatLoader

+ 1'912 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:bestbaby persistence rat trojan

Link:

https://tria.ge/reports/220916-sgqjysgad7/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

ModiLoader Second Stage

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

bestsuccess.ddns.net:2442

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/404276ce-2695-41c5-84ca-8a8d87871589

Unpacked files

SH256 hash:

002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc

MD5 hash:

eb295d7d7804e778f9f5ae4783379ccc

SHA1 hash:

d1b9df6113a548dd362fc0cb611c78eef2124f73

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/038f4cae-a1f1-4ac6-9a56-dd9e8b40ec2a/

Parent samples :

e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62

SH256 hash:

c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c

MD5 hash:

e9d007ac53470351186a5b53bc180ed3

SHA1 hash:

e1411689c7eb12dc132db9496f25736fba5e9f0d

Link:

https://www.unpac.me/results/038f4cae-a1f1-4ac6-9a56-dd9e8b40ec2a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/310585/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample