MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 14 File information Comments

SHA256 hash:	d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230
SHA3-384 hash:	7c6299bd18399198a04126d820fe1cf2806de8eae95fc80b060d72dcdb5b91c539def062d0c698b30188316e3d19ed2a
SHA1 hash:	0c80fb17f84d478941ab4d51fddcccaf274da31d
MD5 hash:	2a65843b474feff5256bd673b4ff88ae
humanhash:	cola-muppet-wyoming-carbon
File name:	DHL Shipment Document Waybill NO # 1363232194.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	2'408'960 bytes
First seen:	2024-07-22 13:08:29 UTC
Last seen:	2024-07-22 14:16:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bdd12e28ad568dc64eacd7cb42d8e2d5 (2 x RedLineStealer, 2 x Formbook, 1 x Smoke Loader)
ssdeep	49152:E2u/BMdg532rpsjCMqigjns2+a95PlpiH9MzMrcgt4hzNriBldyQJ/MqmG:DrpEZI0BnlJNh
Threatray	934 similar samples on MalwareBazaar
TLSH	T1F0B5CF05E3E801A8D577DA34CA659333D6707C560730E58F0698EA592EB3EA1AF7F312
TrID	72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 13.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.EXE) OS/2 Executable (generic) (2029/13) 2.5% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	00000daeb6900000 (3 x RemcosRAT)
Reporter	Anonymous
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

354

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

DHL Shipment Document Waybill NO.doc # 1363232194.rar

Verdict:

Malicious activity

Analysis date:

2024-07-22 12:11:08 UTC

Tags:

rat remcos keylogger stealer mpress evasion

Link:

https://app.any.run/tasks/4492caca-a4ce-426e-8ecc-bdfcabe4582e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Dacic-10033090-0

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=669e59ef2f6eaff4b90f2d85

Tags:

Execution Network Static Remcos

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a file

Creating a file in the %temp% directory

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint hacktool lolbin masquerade microsoft_visual_cc packed regedit remcos remote shell32

Link:

https://www.filescan.io/uploads/669e59f13d7227f937955a2d/reports/172f0e6a-cd38-4dc6-ad0c-5d8bf4dda515/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/361cbf3f-e761-4bb7-a2a9-27e4ff16d99c

Result

Threat name:

Remcos

Detection:

malicious

Classification:

rans.phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1478359

Signature

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Detected Remcos RAT

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Yara detected WebBrowserPassView password recovery tool

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230/

Threat name:

Win64.Backdoor.Remcos

Status:

Malicious

First seen:

2024-07-22 02:40:02 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2b6pv3hnj2f3uhe73saanxeacbopmvdvtrgxjvgs2kleud3osiya._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

5cb7a6a04b1f58c6134f2a3dc0e0dfd6fa2e2ae61b9564b9d821b4c86d21be97

RemcosRAT

5e4ac8eb80f59f5d1b0952665962a8d357ae28d1b62ae6825520864b90b53142

RemcosRAT

91e4bb8408db1e54d407d1859cbdde5c9df1a70c755474b5c7542ad661e30d00

RemcosRAT

a9b71bd91eac64c98a1519e907789fc4aec0bd6de47f643acf462cd4aff8aa8f

RemcosRAT

d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19

RemcosRAT

de8a9c273adc8bd2c615a7e09c87cb8b9cfc38ef6317bfa435b4a3474f1b670f

RemcosRAT

f90e79ce4d5d11db542e5b30fdc7fe992f9e38fe400a67dbd7845d493107e1d4

RemcosRAT

f97691d405f1255b2d966ef6f581f160c6a708e5581a7d79e97b9bd70260d0b6

RemcosRAT

+ 924 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos botnet:dollar man collection rat spyware stealer

Link:

https://tria.ge/reports/240722-qdr79szcmr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Reads user/profile data of web browsers

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Remcos

Malware Config

C2 Extraction:

178.23.190.118:52499

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fd95b616-3eaf-47b3-acf6-529390b7a904

Unpacked files

SH256 hash:

d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230

MD5 hash:

2a65843b474feff5256bd673b4ff88ae

SHA1 hash:

0c80fb17f84d478941ab4d51fddcccaf274da31d

Link:

https://www.unpac.me/results/5240a7c8-d9fc-4ff9-93ea-61772bcac0f0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/d07cfaeced4e8bba1c9fdc8006dc80105cf654759c4d74d4d2d2964a0f6e9230

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::CreateWellKnownSid ADVAPI32.dll::RevertToSelf ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken ADVAPI32.dll::SetThreadToken KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::DeleteVolumeMountPointW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::FreeConsole KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileExW KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API	Can Encrypt Files	bcrypt.dll::BCryptDecrypt bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptEncrypt bcrypt.dll::BCryptGenRandom bcrypt.dll::BCryptImportKey bcrypt.dll::BCryptOpenAlgorithmProvider
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyExW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExA ADVAPI32.dll::RegSetValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample