MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 12



SHA256 hash: db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0
SHA3-384 hash: 8f636298c4e3f7a55fbc61d57b9c22136f45980f945257dbbfb5745bb055cc91466be908e8abf7a6a4b17405be5d6cad
SHA1 hash: a8a85aa437edb8d818ecdf12ee6fd15a171d6cbb
MD5 hash: 6c15884d821a695faf825f2b53fbd159
humanhash: pasta-oregon-lima-alaska
File name: Запит документів.exe
Download: download sample
Signature: RemcosRAT
File size: 115'712 bytes
First seen: 2024-01-18 19:22:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 3072:57DhdC6kzWypvaQ0FxyNTBfkFPqakV66B8h:5BlkZvaF4NTBM8T4
TLSH: T17AB35A41B2E109F6D9E106310FE67E3E96356E2A47209CCBCF48394E57326D096F92ED
TrID: 36.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: f4c4aab5a4a6a6b4 (1 x RemcosRAT)
Reporter: angel11VR
Tags: dropper exe remcos RemcosRAT


angel11VR
#remcos #RAT #RAR #PWD #EXE #PowerShell
email attach .zip > (.rar1 + .rar2) PWD > .exe1 > get bitbucket_org > .exe2 > 185_70_104_90 & 77_105_132_70 > fingerprint & exfil
IOCs
https://pastebin.com/FL2fX362

Intelligence


File Origin
# of uploads: 1
# of downloads: 374
Origin country: CZ
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Запит документів.zip
Verdict: Malicious activity
Analysis date: 2024-01-18 13:15:34 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Enabling autorun with the shell\open\command registry branches
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda, Remcos
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Found malware configuration
Injects a PE file into a foreign process
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Yara detected Babadeda
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1376899
Sample: Запит документів.exe
Start date: 18/01/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures

Process tree (with per-process signatures, network contacts and dropped files):
Запит документів.exe
  cmd.exe
    Signatures: Suspicious powershell command line found; Very long command line found
    powershell.exe
      Network: bitbucket.org (18.205.93.0, 443, 49161, AMAZON-AES, US); s3-w.us-east-1.amazonaws.com (52.216.239.179, 443, 49162, AMAZON-02, US); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\Roaming\hostcr.exe (PE32)
      Signatures: Installs new ROOT certificates; Uses cmd line tools excessively to alter registry or file data; Powershell uses Background Intelligent Transfer Service (BITS); Powershell drops PE file
      Children: hostcr.exe; reg.exe; reg.exe; 2 other processes
      hostcr.exe
        Signatures: Contains functionality to bypass UAC (CMSTPLUA); Machine Learning detection for dropped file; Contains functionality to steal Chrome passwords or cookies; 4 other signatures
        hostcr.exe (second instance)
          Dropped: C:\ProgramData\updates\host.exe (PE32)
          Signatures: Creates autostart registry keys with suspicious names
          host.exe
            Signatures: Contains functionality to change the wallpaper; Machine Learning detection for dropped file; Injects a PE file into a foreign process; Delayed program exit found
            host.exe (second instance)
              Network: 185.70.104.90 (2404, 465, 80, NCONNECT-AS, RU)
              Dropped: C:\ProgramData\updates\logs.dat (data)
              Signatures: Installs a global keyboard hook
host.exe (three further instances started directly under the sample, each spawning a child host.exe)
  Signatures: Injects a PE file into a foreign process
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2024-01-18 14:55:41 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:host collection persistence rat spyware stealer
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
185.70.104.90:2404
185.70.104.90:8080
185.70.104.90:465
Unpacked files
SHA256 hash:
db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0
MD5 hash:
6c15884d821a695faf825f2b53fbd159
SHA1 hash:
a8a85aa437edb8d818ecdf12ee6fd15a171d6cbb
Detections:
SUSP_Imphash_Mar23_3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PureBasic4xNeilHodgson
Author: malware-lu
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0 (this sample)

Dropped by: remcos

Delivery method: Distributed via e-mail attachment

Comments