MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5
SHA3-384 hash: 0b4bb9b046bca72366982dbcd1270864d0d4bd598920a78557619dd82ac576071c093803ac496a5a3790ba7682f2859e
SHA1 hash: 7f812da89f328e871290be32bdead1fc869377d6
MD5 hash: 8e31046891c36ca794fb01262cd890d9
humanhash: arizona-burger-east-papa
File name:Slf.msi
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:4'502'528 bytes
First seen:2025-01-30 20:03:01 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:uo6S33tZCcSqsOEUalW+TTsKBqVauPWJg9tyEsM2:uQ3DCcOzUaleKB4NcOoH
TLSH T1F7260215A3C3C922C15D027BF459FF5E4434BEA3073481E7BAF9795F49B08C1A2BAA52
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:HIjackLoader msi RemcosRAT


Avatar
iamaachum
https://github.com/Kroby5444/Jim/raw/refs/heads/main/Slf.msi

Remcos C2: 185.157.162.126:1995

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Penguish-10015880-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679bdc1602140668e2cd3801
Tags:
shellcode dropper virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context cmd evasive fingerprint lolbin remote wix
Link:
https://www.filescan.io/uploads/679bdafaa2886cdc5ac709ae/reports/b1308ba9-2ff4-41a1-8e9a-a92f4dccff85/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1603337
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1603337 Sample: Slf.msi Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 56 185.157.162.126 OBE-EUROPEObenetworkEuropeSE Sweden 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for dropped file 2->62 64 7 other signatures 2->64 9 msiexec.exe 23 47 2->9         started        12 EHttpSrv.exe 1 2->12         started        15 EHttpSrv.exe 1 2->15         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 46 C:\Windows\Installer\MSIEF55.tmp, PE32 9->46 dropped 48 C:\Windows\Installer\MSIEF34.tmp, PE32 9->48 dropped 50 C:\Windows\Installer\MSIEF04.tmp, PE32 9->50 dropped 52 5 other files (3 malicious) 9->52 dropped 19 EHttpSrv.exe 1 9->19         started        22 msiexec.exe 9->22         started        72 Maps a DLL or memory area into another process 12->72 24 cmd.exe 2 12->24         started        27 cmd.exe 1 15->27         started        signatures6 process7 file8 66 Maps a DLL or memory area into another process 19->66 29 cmd.exe 4 19->29         started        44 C:\Users\user\AppData\Local\Temp\owqq, PE32 24->44 dropped 68 Writes to foreign memory regions 24->68 33 EHttpSrv.exe 24->33         started        35 conhost.exe 24->35         started        37 conhost.exe 27->37         started        signatures9 process10 file11 54 C:\Users\user\AppData\Local\Temp\jnkk, PE32 29->54 dropped 74 Writes to foreign memory regions 29->74 76 Found hidden mapped module (file has been removed from disk) 29->76 78 Maps a DLL or memory area into another process 29->78 80 Switches to a custom stack to bypass stack traces 29->80 39 EHttpSrv.exe 29->39         started        42 conhost.exe 29->42         started        82 Found direct / indirect Syscall (likely to bypass EDR) 33->82 signatures12 process13 signatures14 70 Found direct / indirect Syscall (likely to bypass EDR) 39->70
Score:
11%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2a6x5jmvnjozzjwbwgxyaa2qw3xuacavwrjpnguin5avnoq2h3cq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
error
RemcosRAT
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:remcos botnet:v2 discovery loader persistence privilege_escalation rat
Link:
https://tria.ge/reports/250130-ysnsds1nd1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Remcos
Remcos family
Malware Config
C2 Extraction:
185.157.162.126:1995
Verdict:
Malicious
Tags:
Win.Trojan.Penguish-10015880-0
YARA:
n/a
Link:
https://app.threat.zone/submission/71692e96-e767-4635-8564-8e034e099797
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d03d7ea5956a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Microsoft Software Installer (MSI) msi 289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7

RemcosRAT

Microsoft Software Installer (MSI) msi d03d7ea5956a5d9ca6c1b1af800350b6ef400815b452f69a886f4156ba1a3ec5

(this sample)

  
Link
https://tria.ge/250130-yqk9gs1mht/
  
Dropped by
SHA256 289266f50512ab914e578d5ce34352d297983fe303edd7b211521e94e4db7ca7
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 41590f3a8ba3c910f11fd5fa095856d5bc556f20fa4fd6d269aa1be4e08b4c64
  
Dropped by
MD5 bcc1d6a3c9aeec994cd31f86ada37ae6
  
Dropped by
MD5 5bac811249b2f91a6d769cd4af4154e2

Comments