MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787
SHA3-384 hash: 91e58fd7bb40f0f045d6f815056b1a82a9cf27b29f8770cdc38efd3d86d7e176443726c079bff15f0505faca34dd6965
SHA1 hash: caf0989bf05e05c6a1a71e3b4c8ae10603ef5b76
MD5 hash: 09b9b6539a59827caae00b06080ad282
humanhash: illinois-burger-beryllium-burger
File name:Waybill.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:740'352 bytes
First seen:2021-09-23 01:27:39 UTC
Last seen:2021-09-23 02:56:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ceaa652f3ced51b4d37f51c5b68fecf1 (4 x RemcosRAT)
ssdeep 12288:2FOlCoLQAsZX1x4kIkA7aMks4rimoAmQ:2/AsZlx4m4xksK
Threatray 620 similar samples on MalwareBazaar
TLSH T186F44AF0A2C928F3E057367CED4BB8565979F8F65D420D89AEC92A0C3934421B875C6F
dhash icon acacacb6a2968eaa (13 x RemcosRAT, 4 x Formbook, 4 x AveMariaRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Waybill.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 01:29:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7068449f-045c-42f5-b986-a33d4dfed6c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190443/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.10979.6733.18347.UNOFFICIAL
Create hunting rule

Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fcb2465-c158-4492-b73a-10bb59e04d91
Result
Threat name:
Remcos DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856099
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488527 Sample: Waybill.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 6 other signatures 2->51 6 Waybill.exe 1 17 2->6         started        11 Furleet.exe 13 2->11         started        13 Furleet.exe 13 2->13         started        process3 dnsIp4 25 cdn.discordapp.com 162.159.129.233, 443, 49739, 49741 CLOUDFLARENETUS United States 6->25 23 C:\Users\Public\Libraries\...\Furleet.exe, PE32 6->23 dropped 53 Writes to foreign memory regions 6->53 55 Allocates memory in foreign processes 6->55 57 Creates a thread in another existing process (thread injection) 6->57 15 dialer.exe 2 3 6->15         started        27 162.159.133.233, 443, 49746 CLOUDFLARENETUS United States 11->27 29 192.168.2.1 unknown unknown 11->29 59 Injects a PE file into a foreign processes 11->59 19 mobsync.exe 11->19         started        31 162.159.130.233, 443, 49745 CLOUDFLARENETUS United States 13->31 61 Multi AV Scanner detection for dropped file 13->61 21 dialer.exe 13->21         started        file5 signatures6 process7 dnsIp8 33 rem1.camdvr.org 37.120.138.222, 2404, 49742 M247GB Romania 15->33 35 Contains functionalty to change the wallpaper 15->35 37 Contains functionality to steal Chrome passwords or cookies 15->37 39 Contains functionality to capture and log keystrokes 15->39 43 2 other signatures 15->43 41 Contains functionality to steal Firefox passwords or cookies 19->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 07:29:59 UTC
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pyp76dbtaaloxx3arvzakgrx7fj475aph3fus4d2gdxhxyv66dq._file
Verdict:
malicious
Similar samples:
07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255
RemcosRAT
174d091dcf5a5b2c4af35b5df2e4094ddf31bc589208f7b79ff5fc0db2dde514
RemcosRAT
1a7126ebae2322bac10b972bd00d62687e5f5e5b7f59c6ab63b9310180f3ce4e
RemcosRAT
1b1eb8f42b0b48cf428e19c9c8b21676c41faca886e392c6d6f05de3120297c9
RemcosRAT
6a3aa7d5ab777a2824d7d312dfd49e0b03e30959a9219e7f782860d2d8b9a12c
RemcosRAT
8aa2379084127a3eaa67bf4aadd0ee90c8189cc9696d516256211dbbcc7d39c5
RemcosRAT
8cb9b0ac073c398ffc0147a1a84ffa9c2db217df67c5a89f34f4a5fb12be7cc3
RemcosRAT
b0a0d1d399e98e48cae6a87c280339bc1b0d1c22f84ae589e0c3dca78e76d108
RemcosRAT
+ 610 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/210923-bvpq5sebd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
rem1.camdvr.org:2404
rem16.hopto.org:2404
rem1666.hopto.org:2404
rem16.camdvr.org:2404
remmusic.freeddns.org:2404
sunwap1.ddns.net:2404
rem166.hopto.org:2404
Unpacked files
SH256 hash:
cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df
MD5 hash:
b7816cb3535b2f2675804d3052295003
SHA1 hash:
db4588853aa1ec16b1f2d29b1e873a653a1ecb13
Link:
https://www.unpac.me/results/56799bc6-350d-41f7-9dea-db7aba6568c0/
SH256 hash:
dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787
MD5 hash:
09b9b6539a59827caae00b06080ad282
SHA1 hash:
caf0989bf05e05c6a1a71e3b4c8ae10603ef5b76
Link:
https://www.unpac.me/results/56799bc6-350d-41f7-9dea-db7aba6568c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe dbf0fff8619800b75efb046b9028d1bfca9e7fa079f65a4b83d18773df15f787

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/190443/

Comments