MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056
SHA3-384 hash: ff69dfe301e0706b133b1668945a219841da62a9fbcaf6bd014de725ac7632ff2bc410e319732e25df63beb8ef7cd2ac
SHA1 hash: b6cb9298287887ba02b99fe16da4f4956ce29658
MD5 hash: 362f334df96de91f3bc1804514111a11
humanhash: mango-south-connecticut-hot
File name:dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'029'641 bytes
First seen:2024-06-04 13:44:18 UTC
Last seen:2024-06-07 19:45:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:Tdnt4t3pfCejOh92+K0n3oFDQMibhNU08FDUvS:T0nj6l73olShSFDUa
Threatray 1'090 similar samples on MalwareBazaar
TLSH T12525F0CAB1CB0DE1C95675BD4CB1782121AF3E8A54E99E2D2F5AB534C4B3582503EE0F
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 70f10c0a0a988160 (17 x AgentTesla, 3 x RemcosRAT, 2 x Formbook)
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
373
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2856.22943.23944.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665f43ab9eda705504278994win7simulatehigh_evasion
Tags:
Banker Encryption Execution Generic Network Kryptik Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
DNS request
Launching the default Windows debugger (dwwin.exe)
Creating a file
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Creating a window
Reading critical registry keys
Creating a file in the %temp% directory
Blocking the User Account Control
Stealing user critical data
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/665f1c3e910ce98966f85cdf/reports/012214a3-8b02-48c8-9014-6cf6416c4fe9/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74103cc9-380c-41a0-8b35-d0658c03770f
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1451778
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Detected Remcos RAT
Disables UAC (registry)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1451778 Sample: Q2LMbecUTM.exe Startdate: 04/06/2024 Architecture: WINDOWS Score: 100 39 chimaasd.duckdns.org 2->39 41 geoplugin.net 2->41 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 55 9 other signatures 2->55 8 Q2LMbecUTM.exe 1 3 2->8         started        signatures3 53 Uses dynamic DNS services 39->53 process4 signatures5 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->65 67 Writes to foreign memory regions 8->67 69 3 other signatures 8->69 11 wab.exe 3 15 8->11         started        16 powershell.exe 23 8->16         started        18 WerFault.exe 19 16 8->18         started        20 wab.exe 8->20         started        process6 dnsIp7 43 chimaasd.duckdns.org 172.94.17.193, 1958, 49707, 49717 ASDETUKhttpwwwheficedcomGB United States 11->43 45 geoplugin.net 178.237.33.50, 49719, 80 ATOM86-ASATOM86NL Netherlands 11->45 35 C:\ProgramData\remcos\logs.dat, data 11->35 dropped 71 Detected Remcos RAT 11->71 73 Tries to harvest and steal browser information (history, passwords, etc) 11->73 75 Maps a DLL or memory area into another process 11->75 77 Installs a global keyboard hook 11->77 22 wab.exe 1 11->22         started        25 wab.exe 1 11->25         started        27 wab.exe 2 11->27         started        29 WerFault.exe 11->29         started        79 Loading BitLocker PowerShell Module 16->79 31 WmiPrvSE.exe 16->31         started        33 conhost.exe 16->33         started        37 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->37 dropped file8 signatures9 process10 signatures11 57 Tries to steal Instant Messenger accounts or passwords 22->57 59 Tries to steal Mail credentials (via file / registry access) 22->59 61 Tries to harvest and steal browser information (history, passwords, etc) 25->61
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-05-22 06:28:02 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36te3r52g4jo5rrhfrziive7h5px6kaowrpth4wzipqytz6n2bla._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
08f8f68b340189648071307dc98770ddf065c25cffb8be77ede5ef463519fdc8
RemcosRAT
402fb31162f2581de23d4f3cec47dcfd9f4cb56b116050158254ba3d65dca873
RemcosRAT
472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1
RemcosRAT
4c92e0337b78ef707dd9a448bdb2c52b803af673a5628154ea7bc6492e182342
RemcosRAT
5cb7a6a04b1f58c6134f2a3dc0e0dfd6fa2e2ae61b9564b9d821b4c86d21be97
RemcosRAT
5e4ac8eb80f59f5d1b0952665962a8d357ae28d1b62ae6825520864b90b53142
RemcosRAT
91e4bb8408db1e54d407d1859cbdde5c9df1a70c755474b5c7542ad661e30d00
RemcosRAT
f3050a3a335d79e31e55dcc7da2da1a672593433058cbb3e325dde599cc11b1c
RemcosRAT
+ 1'080 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ezemuo 2024 collection evasion execution rat trojan
Link:
https://tria.ge/reports/240604-q6xnfshf3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Uses the VBS compiler for execution
Windows security modification
Command and Scripting Interpreter: PowerShell
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
chimaasd.duckdns.org:1958
Unpacked files
SH256 hash:
6cce2fcedc80c2d4bfbab1d51c0d5e474b807636c02ffc70ecec8881497aeb46
MD5 hash:
6fd96df7bee5e26d2dc4817401c45004
SHA1 hash:
9a71784907f2dbb5422307ec4f175ba6c0595f51
Link:
https://www.unpac.me/results/2c771ed7-e663-405c-a4a9-800600da07dc/
SH256 hash:
dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056
MD5 hash:
362f334df96de91f3bc1804514111a11
SHA1 hash:
b6cb9298287887ba02b99fe16da4f4956ce29658
Link:
https://www.unpac.me/results/2c771ed7-e663-405c-a4a9-800600da07dc/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dfa64dc7ba37/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfa64dc7ba3712eec6272c7284549f3f5f7f280eb45f33f2d943e189e7cdd056

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments