MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4
SHA3-384 hash: 1bce1f5c2e5b872894c416182f9980c733e23922772970b0d3d4655bebd8f58b104d26980a55b570eaabd2c17065ec59
SHA1 hash: 72d599441201fdce169e270062c59b64607237ff
MD5 hash: 7f2ba5fd227f1d2fd4c4f79e238d4880
humanhash: lamp-mirror-equal-nitrogen
File name:Faktúra BR248527TT.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'084'928 bytes
First seen:2023-03-27 10:16:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:4nmXI6RRwCGHEdCpGSqgWa+wLEc/VC6o1ujyDr3u3cSVLQBV10QAar7QBMB3Pf6Q:4yGHvGwLEcM6oAcmgBDr7QBMB/fi
Threatray 1'768 similar samples on MalwareBazaar
TLSH T1BC351801BBFACA63E29E1737D4F50D2807F1FC01E662E71F2586629919137A34E49B27
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9c3c74c464485445 (8 x RemcosRAT)
Reporter abuse_ch
Tags:exe geo RAT RemcosRAT SVK

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Faktúra BR248527TT.exe
Verdict:
Malicious activity
Analysis date:
2023-03-27 10:18:51 UTC
Tags:
remcos
Link:
https://app.any.run/tasks/e8e3e695-dc2f-4c0d-a573-8603ee88a6fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377817/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64216d2039ca37cf45d0376d/reports/c9e47e85-1a45-44da-b6ab-a30bd1116c5e/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3548241c-6924-49b4-8420-4021f2c52305
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202565
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 835470 Sample: Fakt#U00fara_BR248527TT.exe Startdate: 27/03/2023 Architecture: WINDOWS Score: 100 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for URL or domain 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 7 other signatures 2->82 7 Fakt#U00fara_BR248527TT.exe 16 7 2->7         started        12 Riivcavepny.exe 3 2->12         started        14 Riivcavepny.exe 2->14         started        process3 dnsIp4 50 web.fe.1drv.com 7->50 52 qmms7g.am.files.1drv.com 7->52 58 2 other IPs or domains 7->58 38 C:\Users\user\AppData\...\Riivcavepny.exe, PE32 7->38 dropped 40 C:\Users\...\Riivcavepny.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\...\Fakt#U00fara_BR248527TT.exe.log, ASCII 7->42 dropped 84 Encrypted powershell cmdline option found 7->84 86 Writes to foreign memory regions 7->86 88 Injects a PE file into a foreign processes 7->88 16 aspnet_compiler.exe 3 14 7->16         started        20 aspnet_compiler.exe 7->20         started        22 powershell.exe 16 7->22         started        24 aspnet_compiler.exe 7->24         started        54 web.fe.1drv.com 12->54 60 3 other IPs or domains 12->60 90 Machine Learning detection for dropped file 12->90 56 web.fe.1drv.com 14->56 62 3 other IPs or domains 14->62 file5 signatures6 process7 dnsIp8 44 obologs.work.gd 185.156.175.35, 34346, 49700, 49701 M247GB Romania 16->44 46 geoplugin.net 178.237.33.50, 49702, 80 ATOM86-ASATOM86NL Netherlands 16->46 64 Maps a DLL or memory area into another process 16->64 66 Sample uses process hollowing technique 16->66 26 aspnet_compiler.exe 1 16->26         started        29 aspnet_compiler.exe 16->29         started        31 aspnet_compiler.exe 16->31         started        35 22 other processes 16->35 68 Contains functionality to bypass UAC (CMSTPLUA) 20->68 70 Contains functionalty to change the wallpaper 20->70 72 Contains functionality to steal Chrome passwords or cookies 20->72 74 3 other signatures 20->74 33 conhost.exe 22->33         started        signatures9 process10 dnsIp11 92 Tries to steal Instant Messenger accounts or passwords 26->92 94 Tries to steal Mail credentials (via file / registry access) 26->94 48 192.168.2.1 unknown unknown 35->48 96 Tries to harvest and steal browser information (history, passwords, etc) 35->96 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4/
Threat name:
ByteCode-MSIL.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 10:17:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lf42ys4u53uijdvtujh2x6quavm7u44tyk4vk2lo3lezktdk6sa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f27e5f647e28a535aa0ab9dde5c707150431f10c62d12f1e192ea02d698b3e4
RemcosRAT
0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
RemcosRAT
2010a7e1a136a9881ba4db4beb99088ea77ea2997d36e6d1d16fc696b34fda8b
RemcosRAT
7e09b162052fa0f01f2d48609446e1cc66fea01afa412d5aee4cca9afa98fe52
RemcosRAT
844d71676420926ac69a998eecb47e4873ba8ed146ae2385770a530a2fffcf36
RemcosRAT
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
RemcosRAT
df98e5b50efcf7aedf479030e51ca5b9990fad9f0d20d729bb106198ddee923e
RemcosRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
RemcosRAT
+ 1'758 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection persistence rat
Link:
https://tria.ge/reports/230327-mbcs1sch52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks computer location settings
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
obologs.work.gd:34346
Unpacked files
SH256 hash:
dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4
MD5 hash:
7f2ba5fd227f1d2fd4c4f79e238d4880
SHA1 hash:
72d599441201fdce169e270062c59b64607237ff
Link:
https://www.unpac.me/results/67fffc19-5e10-4a66-b686-3436a353e6f1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dacbcd625ca7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe dacbcd625ca7774424759d127d5fd0a02acfd39c9e15caab4b76d64caa6357a4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/377817/

Comments