MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da38425cef4712b8fd31378e6576d94f01707bc7e52b6f70d782f7dc9c07e876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	da38425cef4712b8fd31378e6576d94f01707bc7e52b6f70d782f7dc9c07e876
SHA3-384 hash:	7e1458319b9f6d75c8c165219abcbae3497ed3b590e62c1cae014d3afc19c455ecfee7a88ecdea30cf65d63207e191f7
SHA1 hash:	4bb11dea1d0a37ed395a8422fd6551f7c930fb89
MD5 hash:	022922748c81a0d331f30c24187aa41a
humanhash:	zebra-virginia-burger-lithium
File name:	PaymentConfirmationCopy0010933736483339882836.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	860'672 bytes
First seen:	2023-05-16 08:10:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b994e2b35fac0eca9b95949a165480a1 (5 x ModiLoader, 2 x Formbook, 1 x RemcosRAT)
ssdeep	12288:IEaSIJxsS4ISFSs417nXbaGBazVb8N0K1Wqp:/F0mcSFS77LaG6VIEw
Threatray	2'187 similar samples on MalwareBazaar
TLSH	T1B2057D1AB1D2A933C1A37B385C679B04641CBF29182BF95337DABE4CDB36A423C15D16
TrID	75.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 12.3% (.EXE) InstallShield setup (43053/19/16) 4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.7% (.SCR) Windows screen saver (13097/50/3) 1.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d4d4d4c4c4c4e4c8 (5 x ModiLoader, 3 x AveMariaRAT, 2 x Formbook)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
193.23.3.128:28364

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PaymentConfirmationCopy0010933736483339882836.exe

Verdict:

No threats detected

Analysis date:

2023-05-16 08:12:45 UTC

Tags:

installer

Link:

https://app.any.run/tasks/56b182ee-9c14-4ac9-a4c2-098b34ebc368

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/390325/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.31518.29447.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Creating a process from a recently created file

Searching for the window

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fareit formbook greyware keylogger

Link:

https://www.filescan.io/uploads/64633a965d03a85ad80d1fbb/reports/617e7872-f4bf-4d0b-91b8-c2fd69d7899d/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/da38425cef4712b8fd31378e6576d94f01707bc7e52b6f70d782f7dc9c07e876

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4fff6155-48a5-4638-94f5-eeea647aa5a4

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1234275

Signature

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Uses Windows timers to delay execution

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da38425cef4712b8fd31378e6576d94f01707bc7e52b6f70d782f7dc9c07e876/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-16 08:12:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3i4eexhpi4jlr7jrg6hgk5wzj4axa66h4uvw64gxql35zhah5b3a._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

221784974f49f2b54c90c63ce6cf9550d94b15c3442c29c959300dbbf5b91f61

RemcosRAT

37503c7646071d22653b6be7fdb8ec8d9abbfe8cbfca39650255c131b01f4fd2

RemcosRAT

6ff3c874127b92713c89a07825d7794a47cdff0fbaa8500685ff116bd09ffd09

RemcosRAT

73e786d5242a65d25c8ec6f8b76bc4745b200df7cc5a393529219220df8eb126

RemcosRAT

8158105e4cb87778d3714e6ab22a16251ffa4475124a8269fa6e722e016e3e1a

RemcosRAT

9846c8ffd0aec6ff3c8b8db350032e4d9586ac6aa22b06944672c837d3bbcf28

RemcosRAT

+ 2'177 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:recovery persistence rat trojan

Link:

https://tria.ge/reports/230516-j29nwsad7t/

Behaviour

Enumerates system info in registry

Runs ping.exe

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

ModiLoader Second Stage

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

www.nwconstructions.us:28364

Unpacked files

SH256 hash:

da38425cef4712b8fd31378e6576d94f01707bc7e52b6f70d782f7dc9c07e876

MD5 hash:

022922748c81a0d331f30c24187aa41a

SHA1 hash:

4bb11dea1d0a37ed395a8422fd6551f7c930fb89

Detections:

DbatLoaderStage1

win_dbatloader_g1

Link:

https://www.unpac.me/results/d80bab92-209c-43e3-b8fa-9bdbeb6813b1/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/390325/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample