MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
SHA3-384 hash: ef1caf8362eb3efaac83e921857405a3208211eaa82f849b8c92cfd84575cc18bfdf3772ab47c011db966b1a3d92c091
SHA1 hash: bd691d529fc6e480d02a23b0d645f4bde954e5fd
MD5 hash: b674578af16ba49bdd3166bed4abb6fd
humanhash: aspen-ink-hamper-cola
File name:SecuriteInfo.com.Variant.Zusy.436143.23003.20775
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:943'616 bytes
First seen:2022-08-25 03:28:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f81b5c9269910375af465608d2f2ff2 (3 x RemcosRAT, 3 x Formbook, 2 x DBatLoader)
ssdeep 12288:AJUHQf66vLY0QWoYa5RsDDVQdDPf+rKU5IT7greRccA/s/rsGvRcZoYto:AsoUQin8uerHqRcv/sHsoIo
TLSH T19B158D16F362CC3FD6771634CC0796AC981D7A106A34A81E36D51D087B7A3A2762F6CB
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Zusy.436143.23003.20775
Verdict:
Malicious activity
Analysis date:
2022-08-25 03:31:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb0f1860-335b-4d2a-bf88-9c3081dd0863

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300994/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436143.23003.20775.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30006/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger shell32.dll
Link:
https://www.filescan.io/uploads/6306ec5a3cbb13868a7d73ce/reports/5a7193ee-a9e6-4bb1-a62d-f8d94a37fe73/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/689bd3f1-e139-4ec0-adad-a2577ca3cc3e
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057407
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 689924 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 25/08/2022 Architecture: WINDOWS Score: 100 64 lionsguard.ddns.net 2->64 82 Multi AV Scanner detection for domain / URL 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 9 other signatures 2->88 11 SecuriteInfo.com.Variant.Zusy.436143.23003.exe 1 23 2->11         started        16 Aiimpkrwc.exe 15 2->16         started        18 Aiimpkrwc.exe 15 2->18         started        signatures3 process4 dnsIp5 68 onedrive.live.com 11->68 76 2 other IPs or domains 11->76 54 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->54 dropped 56 C:\Users\Public\Libraries\Aiimpkrwc.exe, PE32 11->56 dropped 58 C:\Users\...\Aiimpkrwc.exe:Zone.Identifier, ASCII 11->58 dropped 60 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->60 dropped 102 Writes to foreign memory regions 11->102 104 Allocates memory in foreign processes 11->104 106 Creates a thread in another existing process (thread injection) 11->106 108 Injects a PE file into a foreign processes 11->108 20 cmd.exe 3 11->20         started        23 iexpress.exe 11->23         started        70 onedrive.live.com 16->70 78 2 other IPs or domains 16->78 110 Multi AV Scanner detection for dropped file 16->110 112 Machine Learning detection for dropped file 16->112 26 iexpress.exe 16->26         started        72 192.168.2.1 unknown unknown 18->72 74 onedrive.live.com 18->74 80 2 other IPs or domains 18->80 28 iexpress.exe 18->28         started        file6 signatures7 process8 dnsIp9 90 Uses ping.exe to sleep 20->90 92 Drops executables to the windows directory (C:\Windows) and starts them 20->92 94 Uses ping.exe to check the status of other devices and networks 20->94 30 easinvoker.exe 20->30         started        32 PING.EXE 1 20->32         started        35 xcopy.exe 2 20->35         started        38 6 other processes 20->38 66 lionsguard.ddns.net 194.147.140.27, 49729, 49734, 49737 PTPEU unknown 23->66 signatures10 process11 dnsIp12 40 cmd.exe 1 30->40         started        62 127.0.0.1 unknown unknown 32->62 50 C:\Windows \System32\easinvoker.exe, PE32+ 35->50 dropped 52 C:\Windows \System32\netutils.dll, PE32+ 38->52 dropped file13 process14 signatures15 96 Suspicious powershell command line found 40->96 98 Adds a directory exclusion to Windows Defender 40->98 43 powershell.exe 27 40->43         started        46 conhost.exe 40->46         started        process16 signatures17 100 DLL side loading technique detected 43->100 48 conhost.exe 43->48         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d/
Threat name:
Win32.Trojan.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 03:29:11 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5h2kp5pttlaouh6cq7c5suqwm7j6zkbujmxgb7rg7h3zlv7vhkgq._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:ghosthot persistence rat trojan
Link:
https://tria.ge/reports/220825-d1w4hseham/
Behaviour
Enumerates system info in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
lionsguard.ddns.net:5074
Unpacked files
SH256 hash:
53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1
MD5 hash:
38a86eff48873c72ca4d72f191a56f63
SHA1 hash:
25e96f601aa827d3b1ab70b0fdc67d0c15023b73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/45bbbdc5-ebde-4cbb-b8b2-22ea912b12b7/
Parent samples :
e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
SH256 hash:
e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
MD5 hash:
b674578af16ba49bdd3166bed4abb6fd
SHA1 hash:
bd691d529fc6e480d02a23b0d645f4bde954e5fd
Link:
https://www.unpac.me/results/45bbbdc5-ebde-4cbb-b8b2-22ea912b12b7/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9f4a7f5f39a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_Remcos_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300994/

Comments