MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e570134f747cfd85ee052084f5a0dbc26b8a6ea12a262c8e67382235da072a63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 18

SHA256 hash: e570134f747cfd85ee052084f5a0dbc26b8a6ea12a262c8e67382235da072a63
SHA3-384 hash: 8464bfab151573e753a08423b245e80f1d5f182ad9f5d9083bb6f3871406d177feb0406c78b76a58f59a8f468ba9d00f
SHA1 hash: 25c07148dbaf18956e48f1ed24d8c48da2e41a95
MD5 hash: 24218abb129edecc8014e03acfd6c154
humanhash: river-alaska-magnesium-tennis
File name: rBslc_Pymt-Hs.exe
Signature: RemcosRAT
File size: 1'172'992 bytes
First seen: 2024-08-29 19:34:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ed7f1711edbd8ca21408281fa7ee3152 (1 x Formbook, 1 x RemcosRAT, 1 x DBatLoader)
ssdeep: 12288:0jE7sMsnDeNqqfqS9AYXJZ4WmjSxcarQ6ntn1X6JTiZvZozJc27jDORmYD:0OXeeNqpS9p747cW6nt9Zmi2jDOR
Threatray: 4'280 similar samples on MalwareBazaar
TLSH: T14D453991E620C033D63A1DF89B857BC4E23C7FAD9A5EA541B2BE39594A31FC52405CCB
TrID:
  65.0% (.EXE) InstallShield setup (43053/19/16)
  15.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
  3.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  3.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: d89838989adce474 (4 x DBatLoader, 2 x Formbook, 1 x RemcosRAT)
Reporter: FXOLabs
Tags: exe RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 445
Origin country: BR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: rBslc_Pymt-Hs.exe
Verdict: Malicious activity
Analysis date: 2024-08-29 19:44:49 UTC
Tags: rat remcos remote evasion stealer keylogger mpress

Note: the verdict above comes from ANY.RUN, an interactive sandbox whose analysis covers everything done in the session, including the analyst's own actions, not only the unattended behaviour of the uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: Discovery Execution Generic Network Static Stealth Nekark
Result
Verdict: Malware
Behaviour:
Creating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: borland_delphi fingerprint keylogger
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: rans.phis.troj.spyw.evad (ransomware, phishing, trojan, spyware, evasive)
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1501407), reconstructed from the graphical view. Sample: rBslc_Pymt-Hs.exe, start date 29/08/2024, architecture WINDOWS, score 100.

Root DNS/IP: exire.com.sv; 86.23.85.13.in-addr.arpa; 2 other IPs or domains
Root signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

rBslc_Pymt-Hs.exe
  network: exire.com.sv (51.79.72.49), ports 443, 49704, 49705, OVHFR, Canada
  dropped: C:\Users\Public\Libraries\lqjishlE.cmd (DOS); C:\Users\Public\Libraries\Elhsijql (data); C:\Users\Public\Elhsijql.url (MS)
  signatures: Early bird code injection technique detected; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  started:
    colorcpl.exe
      network: 154.216.18.45, ports 49706, 49707, 7095, SKHT-AS Shenzhen Katherine Heng Technology Information Co, Seychelles; geoplugin.net (178.237.33.50), ports 49708, 80, ATOM86-AS ATOM86 NL, Netherlands
      dropped: C:\ProgramData\remcos\logs.dat (data)
      signatures: Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Contains functionality to change the wallpaper; 7 other signatures
      started:
        colorcpl.exe: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
        colorcpl.exe: Tries to steal Mail credentials (via file / registry access)
        colorcpl.exe
    cmd.exe
      started:
        esentutl.exe: dropped C:\Users\Public\alpha.pif (PE32); Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
        alpha.pif
          started: xpha.pif (network: 127.0.0.1)
        esentutl.exe: dropped C:\Users\Public\xpha.pif (PE32)
        6 other processes
    esentutl.exe
      dropped: C:\Users\Public\Libraries\Elhsijql.PIF (PE32)
      started: conhost.exe
Elhsijql.PIF
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  started: colorcpl.exe
Elhsijql.PIF
  started: SndVol.exe
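The process tree and signature list above map directly onto endpoint detection rules. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page: it encodes constructed Sysmon-style events mirroring what the behaviour graph reports (a .PIF run from C:\Users\Public\Libraries, colorcpl.exe hosting the injected Remcos stage and connecting to 154.216.18.45 on port 7095 and to geoplugin.net on port 80, esentutl.exe copying cmd.exe to alpha.pif, and a Run key for persistence) and checks them with hand-written logic modelled on the Sigma rule names the sandbox listed. The event field names, the esentutl command line, the Run-key value and the reading of 7095 as the remote port are assumptions made for the example; the page itself gives only file names, addresses and rule titles.

```python
"""Added example, not code from MalwareBazaar or the sandbox vendors quoted
above.  Constructed Sysmon-style events replay the behaviour reported for this
sample and are checked with logic modelled on the Sigma rule names listed."""
import re
from typing import Dict, List, Set

Event = Dict[str, str]
Finding = Dict[str, str]

# Folders watched by "execution from suspicious folder" style rules (lower-case).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\$recycle.bin\\", "\\perflogs\\")
# Signed system binaries that hosted the injected Remcos stage in this run.
INJECTION_HOSTS = ("colorcpl.exe", "sndvol.exe")

# Constructed telemetry in the shape of Sysmon EID 1 (process), 13 (registry)
# and 3 (network).  Command line and Run-key value are assumptions; the page
# only gives file names and addresses.  The last event is a benign control.
EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Users\Public\Libraries\Elhsijql.PIF",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Elhsijql.PIF"},
    {"type": "process", "image": r"C:\Windows\System32\esentutl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"},
    {"type": "process", "image": r"C:\Windows\System32\colorcpl.exe",
     "parent": r"C:\Users\Public\Libraries\Elhsijql.PIF", "cmdline": "colorcpl.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Elhsijql",
     "value": r"C:\Users\Public\Elhsijql.url"},
    {"type": "network", "image": r"C:\Windows\System32\colorcpl.exe",
     "dst_ip": "154.216.18.45", "dst_port": "7095"},
    {"type": "network", "image": r"C:\Windows\System32\colorcpl.exe",
     "dst_ip": "178.237.33.50", "dst_port": "80"},
    {"type": "process", "image": r"C:\Program Files\Vendor\app.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "app.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def has_padded_dir(path: str) -> bool:
    """True if a directory component ends in a space, e.g. 'C:\\Windows \\System32\\'.
    This is the pattern behind the 'DLL Search Order Hijacking Via Additional
    Space in Path' Sigma rule; a normal 'Program Files' path does not match."""
    return re.search(r"\\[^\\]*? \\", path) is not None


def check_process(ev: Event) -> List[Finding]:
    hits: List[Finding] = []
    image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
    if in_suspicious_dir(image):
        hits.append({"rule": "execution_from_suspicious_folder", "evidence": image})
    for p in (image, parent):
        if has_padded_dir(p):
            hits.append({"rule": "dll_search_order_hijack_padded_path", "evidence": p})
            break
    # esentutl /y <src> /d <dst> /o copies a file with a signed system tool; flag
    # it when the source is cmd.exe and the copy gets a non-.exe name (alpha.pif).
    if basename(image) == "esentutl.exe":
        m = re.search(r"/y\s+(\S+)\s+/d\s+(\S+)", cmd, re.IGNORECASE)
        if m and basename(m.group(1)) == "cmd.exe" and not m.group(2).lower().endswith(".exe"):
            hits.append({"rule": "cmd_copied_under_new_name_via_esentutl", "evidence": cmd})
    if basename(image) in INJECTION_HOSTS and in_suspicious_dir(parent):
        hits.append({"rule": "system_binary_spawned_from_suspicious_folder",
                     "evidence": f"{parent} -> {image}"})
    return hits


def check_registry(ev: Event) -> List[Finding]:
    key, value = ev["key"], ev["value"]
    if re.search(r"\\currentversion\\run(once)?\\", key.lower()) and in_suspicious_dir(value):
        return [{"rule": "run_key_pointing_to_suspicious_folder", "evidence": f"{key} = {value}"}]
    return []


def check_network(ev: Event) -> List[Finding]:
    # colorcpl.exe has no reason to connect out; a non-web port (7095 here) is the
    # stronger signal, the geoplugin.net lookup on 80 is kept as a weaker hit.
    if basename(ev["image"]) in INJECTION_HOSTS:
        severity = "medium" if ev["dst_port"] in ("80", "443") else "high"
        return [{"rule": "network_from_injection_host", "severity": severity,
                 "evidence": f'{basename(ev["image"])} -> {ev["dst_ip"]}:{ev["dst_port"]}'}]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def run_checks(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings


def rules_hit(events: List[Event]) -> Set[str]:
    return {f["rule"] for f in run_checks(events)}


if __name__ == "__main__":
    for f in run_checks(EVENTS):
        print(f'{f["rule"]:45} {f.get("severity", "high"):7} {f["evidence"]}')
```

Run it as a plain script to print one line per finding; the benign control event at the end produces nothing. To use it against real data, replace EVENTS with records parsed from your Sysmon or EDR export and keep the same three field shapes.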
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-08-29 13:34:01 UTC
File Type: PE (Exe)
Extracted files: 124
AV detection: 12 of 38 (31.58%)
Threat level: 2/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader discovery persistence trojan
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: fc629f653a3eecbb6abb3ce11bee3f985eaf0872f6755b75892dbc3d8034cac8
MD5 hash: 5acb915cf3e19fb9ffd49627271e57c6
SHA1 hash: 6fa6978a4ea616bae7f87d17240978990b6950bd
Detections: Typical_Malware_String_Transforms

SHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash: c116d3604ceafe7057d77ff27552c215
SHA1 hash: 452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256 hash: e570134f747cfd85ee052084f5a0dbc26b8a6ea12a262c8e67382235da072a63 (the submitted sample)
MD5 hash: 24218abb129edecc8014e03acfd6c154
SHA1 hash: 25c07148dbaf18956e48f1ed24d8c48da2e41a95
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: RemcosRAT, Executable exe e570134f747cfd85ee052084f5a0dbc26b8a6ea12a262c8e67382235da072a63 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings

ID                 | Title                                                    | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                     | high
CHECK_NX           | Missing Non-Executable Memory Protection                 | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID                | Capabilities                      | Evidence
COM_BASE_API      | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_API | Can Create Process and Threads    | kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                 | kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetStartupInfoA, kernel32.dll::GetDiskFreeSpaceA, kernel32.dll::GetCommandLineA
WIN_BASE_IO_API   | Can Create Files                  | kernel32.dll::CreateFileA, kernel32.dll::FindFirstFileA, version.dll::GetFileVersionInfoSizeA, version.dll::GetFileVersionInfoA
WIN_BASE_USER_API | Retrieves Account Information     | kernel32.dll::GetComputerNameA
WIN_REG_API       | Can Manipulate Windows Registry   | advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA
WIN_USER_API      | Performs GUI Actions              | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::PeekMessageW, user32.dll::CreateWindowExA
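BLint's three findings, and the pe_detect_tls_callbacks rule listed under YARA Signatures, all come from fields in the PE optional header. The Python below is an added example, not BLint's code nor the YARA rule: it reads the DllCharacteristics flags (NX_COMPAT and DYNAMIC_BASE, which BLint reports as CHECK_NX and CHECK_PIE), the Certificate Table data directory that an Authenticode signature occupies (CHECK_AUTHENTICODE), and the TLS data directory, from raw bytes using only the standard library, and builds minimal constructed PE images to exercise the checks offline. The constructed images are not this sample; the bit values and header offsets are those of the PE/COFF specification.

```python
"""Added example, not BLint's code or the YARA rule's: reads the PE optional
header fields behind the CHECK_NX, CHECK_PIE and CHECK_AUTHENTICODE findings
and the TLS directory, and builds minimal constructed PE images to test them."""
import struct
from typing import Dict, List, Tuple

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040        # ASLR ("PIE" in BLint's terms)
NX_COMPAT = 0x0100           # DEP / non-executable memory
HIGH_ENTROPY_VA = 0x0020     # 64-bit ASLR
GUARD_CF = 0x4000            # Control Flow Guard
DIR_SECURITY, DIR_TLS = 4, 9  # data directory indices


def audit_pe(data: bytes) -> Dict[str, object]:
    """Parse headers from raw bytes and report BLint-style findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 24                       # COFF header is 20 bytes after "PE\0\0"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        plus, ndirs_off, dirs_off = False, 92, 96
    elif magic == 0x20B:
        plus, ndirs_off, dirs_off = True, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def directory(index: int) -> Tuple[int, int]:
        if index >= ndirs:
            return (0, 0)
        return struct.unpack_from("<II", data, opt + dirs_off + 8 * index)

    # For the Certificate Table the first field is a file offset, not an RVA.
    _, cert_size = directory(DIR_SECURITY)
    _, tls_size = directory(DIR_TLS)
    findings: List[str] = []
    if not dllchar & NX_COMPAT:
        findings.append("CHECK_NX")
    if not dllchar & DYNAMIC_BASE:
        findings.append("CHECK_PIE")
    if cert_size == 0:
        findings.append("CHECK_AUTHENTICODE")
    return {"arch": "PE32+" if plus else "PE32", "dll_characteristics": dllchar,
            "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
            "guard_cf": bool(dllchar & GUARD_CF),
            "has_tls_directory": tls_size > 0, "findings": findings}


def build_pe(dll_characteristics: int, cert_size: int = 0, tls_size: int = 0,
             pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE image (no sections), just enough for audit_pe.
    It is NOT this sample; it exists so the checks can run offline."""
    ndirs = 16
    base = 112 if pe32plus else 96
    opt = bytearray(base + 8 * ndirs)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, ndirs)
    if cert_size:
        struct.pack_into("<II", opt, base + 8 * DIR_SECURITY, 0x1000, cert_size)
    if tls_size:
        struct.pack_into("<II", opt, base + 8 * DIR_TLS, 0x2000, tls_size)
    machine = 0x8664 if pe32plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    weak = build_pe(0)                    # the profile BLint reported for this sample
    hardened = build_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF,
                        cert_size=0x800, pe32plus=True)
    for name, blob in (("weak", weak), ("hardened", hardened)):
        print(name, audit_pe(blob))
```

Pointing audit_pe at a real file is a matter of passing open(path, "rb").read(). Note that a non-zero Certificate Table only tells you a signature blob is present; verifying the chain and the hash it covers is a separate step that this example does not perform.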

Comments