MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce7d8dc35f50388ccfdbfed28b7547148e1fdd9e9fcae25782ff74df865e9ede. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: ce7d8dc35f50388ccfdbfed28b7547148e1fdd9e9fcae25782ff74df865e9ede
SHA3-384 hash: d6c82fa65828d07758061d8f6d001ce8432965b1dc559eb0833078beda66138b620a2a7391d9712447d42cdf60a9e802
SHA1 hash: c127eac31ea240f3c38370c8b5a3697c9d628b71
MD5 hash: f61894b8b34234ba7b12215bc3328ca0
humanhash: fish-muppet-delta-foxtrot
File name: YENI SIPARIŞ - CF0002.bat
Signature: RemcosRAT
File size: 1'366'016 bytes
First seen: 2023-08-22 07:33:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6d93e702d29a5a3decf1d11adcff6a32 (1 x DBatLoader, 1 x RemcosRAT)
ssdeep: 24576:s+RGJCckr7y+lf4MkEYHHMsxIdgi0CDxMKNK7:s+XHQLMUSgifVMKNK7
Threatray: 2'480 similar samples on MalwareBazaar
TLSH: T17E55E025A2A444B6D25A7D7D8C07F3F8951D7C223975ACC26ED53A8DCF363B2A8180D3
TrID:
75.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
12.4% (.EXE) InstallShield setup (43053/19/16)
4.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.7% (.SCR) Windows screen saver (13097/50/3)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 74f0d4d6c4c4d0c4 (4 x RemcosRAT, 1 x DBatLoader)
Reporter: abuse_ch
Tags: bat exe geo RAT RemcosRAT TUR

Intelligence


File Origin
# of uploads: 1
# of downloads: 306
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: YENI SIPARIŞ - CF0002.bat
Verdict: Malicious activity
Analysis date: 2023-08-22 07:44:08 UTC
Tags: installer dbatloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Gathering data

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sigma detected: Remcos
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1294913
Sample: YENI_SIPARI#U015e_-_CF0002....
Start date: 22/08/2023
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures

Process tree (node numbers as given in the graph):

YENI_SIPARI#U015e_-_CF0002.bat.exe (11), started by the sample
  Network: web.fe.1drv.com; onedrive.live.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Libraries\Clupmcmz.PIF (PE32)
  Signatures: Early bird code injection technique detected; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops PE files with a suspicious file extension; Queues an APC in another process (thread injection)
  cmd.exe (20)
    Signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
    easinvoker.exe (31)
      cmd.exe (41)
        Signatures: Adds a directory exclusion to Windows Defender
        cmd.exe (46)
          Signatures: Adds a directory exclusion to Windows Defender
          powershell.exe (51)
            Signatures: DLL side loading technique detected
            conhost.exe (54)
        conhost.exe (49)
      WmiPrvSE.exe (44)
    PING.EXE (33)
      Network: 127.0.0.1 (unknown, unknown)
    xcopy.exe (36)
      Dropped: C:\Windows \System32\easinvoker.exe (PE32+)
    8 other processes (39)
      Dropped: C:\Windows \System32\netutils.dll (PE32+)
  colorcpl.exe (23)
    Network: macudok.ydns.eu (85.209.134.253, 49721, 6991, CMCSUS, Germany); geoplugin.net (178.237.33.50, 49722, 80, ATOM86-ASATOM86NL, Netherlands)
    Dropped: C:\ProgramData\remcos\logs.dat (data)
    Signatures: Installs a global keyboard hook
Clupmcmz.PIF (16), started by the sample
  Network: web.fe.1drv.com; 3 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
  SndVol.exe (27)
Clupmcmz.PIF (18), started by the sample
  Network: web.fe.1drv.com; 3 other IPs or domains
  Signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
  colorcpl.exe (29)

Note that the drop path recorded for xcopy.exe and the other processes is "C:\Windows \System32" with a space after "Windows", exactly as shown in the graph, so it is a separately created directory and not the real C:\Windows\System32.
Threat name: Win32.Trojan.Synder
Status: Malicious
First seen: 2023-08-22 07:34:05 UTC
File Type: PE (Exe)
Extracted files: 104
AV detection: 20 of 23 (86.96%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a

Behaviour
Program crash

Unpacked files
SHA256 hash: 3dced344e1a58875923800c4aa56215301a512ea3169781b8de1e47f453b43bc
MD5 hash: 582a71eb9ac9a0774008211a9d913386
SHA1 hash: d462aa50b53da7828d6ea2b655ba5883e469e3d8
Detections: win_dbatloader_g1

SHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash: c116d3604ceafe7057d77ff27552c215
SHA1 hash: 452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256 hash: ce7d8dc35f50388ccfdbfed28b7547148e1fdd9e9fcae25782ff74df865e9ede
MD5 hash: f61894b8b34234ba7b12215bc3328ca0
SHA1 hash: c127eac31ea240f3c38370c8b5a3697c9d628b71
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: iexplorer_remcos
Author: iam-py-test
Description: Detect iexplorer being taken over by Remcos

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: Remcos
Author: kevoreilly
Description: Remcos Payload

Rule name: REMCOS_RAT_variants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Trojan_Remcos_b296e965
Author: Elastic Security

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.remcos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT
File: Executable exe ce7d8dc35f50388ccfdbfed28b7547148e1fdd9e9fcae25782ff74df865e9ede (this sample)
Delivery method: Distributed via e-mail attachment

Comments