MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6717430d3c39f952fe56f2c7cbfdcc4ad5d824eaef6341445459ca94a4a317f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6717430d3c39f952fe56f2c7cbfdcc4ad5d824eaef6341445459ca94a4a317f
SHA3-384 hash: 1c2f5dcaa4600bf032c1fa4408ebe911ebe7668e9a5cd2c05ed0fbe353766f84ffd863a0ab4f8c5ceb9f723483d7b645
SHA1 hash: 93b8bc79baaf9e89a3622c529d95d9f2da30a7ef
MD5 hash: 39500a91be5a8325dd782553db62d36a
humanhash: utah-gee-fillet-lithium
File name:ScannedDocument-RFQ#001930300193939-Doc.LNK
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:202'623 bytes
First seen:2025-04-15 10:34:54 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 6144:FJ3HxvskN193S/glKJC2AZpsnwbqdjZnM/zEJmFT5:Bsa15ivn/djy/z6mF1
Threatray 183 similar samples on MalwareBazaar
TLSH T12114F155DB7A2FCEFD3806B804AE5A494D9DAC333C21C4B5DAEF1147863CA911392D2B
Magika lnk
Reporter abuse_ch
Tags:DBatLoader lnk RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fe3de81dba888a93d460ee
Tags:
xtreme virus overt
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/c6717430d3c39f952fe56f2c7cbfdcc4ad5d824eaef6341445459ca94a4a317f/results/dashboard
Payload URLs
URL
File name
https://doc-sharepoint.nbcoiling.com/index.php/s/iRa8xZKGecLG8mZ/download/output.dat','C:\\ProgramData\\HEW.GIF');
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/c6717430d3c39f952fe56f2c7cbfdcc4ad5d824eaef6341445459ca94a4a317f
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1665271
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Remcos
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1665271 Sample: ScannedDocument-RFQ#0019303... Startdate: 15/04/2025 Architecture: WINDOWS Score: 100 68 relentlesswicked.duckdns.org 2->68 70 doc-sharepoint.nbcoiling.com 2->70 72 relentlesswicked.myvnc.com 2->72 82 Suricata IDS alerts for network traffic 2->82 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 90 19 other signatures 2->90 9 powershell.exe 14 22 2->9         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        18 3 other processes 2->18 signatures3 88 Uses dynamic DNS services 68->88 process4 dnsIp5 80 doc-sharepoint.nbcoiling.com 104.21.31.240, 443, 49685 CLOUDFLARENETUS United States 9->80 66 C:\ProgramData\CHROME.PIF, PE32 9->66 dropped 120 Drops PE files with a suspicious file extension 9->120 122 Found suspicious powershell code related to unpacking or dynamic code loading 9->122 124 Powershell drops PE file 9->124 20 CHROME.PIF 8 9->20         started        24 conhost.exe 1 9->24         started        26 Rwsdlxzs.PIF 14->26         started        28 Rwsdlxzs.PIF 16->28         started        30 Rwsdlxzs.PIF 18->30         started        32 Rwsdlxzs.PIF 18->32         started        34 Rwsdlxzs.PIF 18->34         started        file6 signatures7 process8 file9 64 C:\Users\user\Links\Rwsdlxzs.PIF, PE32 20->64 dropped 92 Windows shortcut file (LNK) starts blacklisted processes 20->92 94 Multi AV Scanner detection for dropped file 20->94 96 Drops PE files with a suspicious file extension 20->96 98 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 20->98 36 SndVol.exe 4 20->36         started        40 cmd.exe 1 20->40         started        42 cmd.exe 1 20->42         started        44 cmd.exe 1 20->44         started        100 Writes to foreign memory regions 26->100 102 Allocates memory in foreign processes 26->102 104 Allocates many large memory junks 26->104 46 colorcpl.exe 26->46         started        106 Creates a thread in another existing process (thread injection) 28->106 108 Injects a PE file into a foreign processes 28->108 48 colorcpl.exe 28->48         started        50 SndVol.exe 30->50         started        52 SndVol.exe 32->52         started        54 SndVol.exe 34->54         started        signatures10 process11 dnsIp12 74 relentlesswicked.duckdns.org 192.169.69.26, 49694, 49698, 49701 WOWUS United States 36->74 76 62.113.200.214, 49695, 49699, 49702 TTMDE Germany 36->76 78 relentlesswicked.myvnc.com 147.124.214.238, 1223 AC-AS-1US United States 36->78 110 Contains functionality to bypass UAC (CMSTPLUA) 36->110 112 Detected Remcos RAT 36->112 114 Contains functionalty to change the wallpaper 36->114 118 3 other signatures 36->118 116 Uses schtasks.exe or at.exe to add and modify task schedules 40->116 56 conhost.exe 40->56         started        58 conhost.exe 42->58         started        60 schtasks.exe 1 42->60         started        62 conhost.exe 44->62         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6717430d3c39f952fe56f2c7cbfdcc4ad5d824eaef6341445459ca94a4a317f/
Threat name:
Win32.Trojan.Powdowhlnk
Create hunting rule
Status:
Malicious
First seen:
2025-04-15 10:35:23 UTC
File Type:
Binary
Extracted files:
1
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzyximgtyopzkl7fn4whzp64yswv3asov33difcfiwokssskgf7q._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
04a99b035ce8db252d8a4cf8d8f74fb4be7a0f7392776b0c1b27ff2463935647
RemcosRAT
061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc
RemcosRAT
34c11f6af211f7bc8411e99e4ac10ff5232e9b30d72962852cd2fd20e43c3f01
RemcosRAT
4e83dca9f0fc2e50b3c4b2abd8161e2ee5857286ae7bf9ffa5c789cdf2542052
RemcosRAT
7cbc23bc350f050b9429f3c2b553dd00f04216a80a8103a0607277c106bd7f20
RemcosRAT
a3114edcd192349ce4a5638983bf46a73b279e4bb2962fe263b32e4ea8465b9a
RemcosRAT
b66c4188710385ce8216d9d60df0b0a33b2800379fdf1843f8ddc558eff1b38a
RemcosRAT
ee7490fcb05940962fdcb68469dcbd15e0d4739f0e74e55a161597314552de95
RemcosRAT
error
RemcosRAT
f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a
RemcosRAT
+ 173 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250415-mmv4qssjs7/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Malware Config
Dropper Extraction:
https://doc-sharepoint.nbcoiling.com/index.php/s/iRa8xZKGecLG8mZ/download/output.dat
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6717430d3c39f952fe56f2c7cbfdcc4ad5d824eaef6341445459ca94a4a317f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Archive_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies archive (compressed) files in shortcut (LNK) files.
Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments