MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f04d498d0721ea279c798503005f24f8d76d3780914a9fa1dc2874893c313250. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f04d498d0721ea279c798503005f24f8d76d3780914a9fa1dc2874893c313250
SHA3-384 hash: 7ef4b6c4210ca04f8e76fd008f4d2798046ef2797aaf2bed43bc22e6ba9611699bb713a2be6e3700f7c9173aa5387efa
SHA1 hash: 9254f37aab81e99ba88bf5b3aa471b55744946a6
MD5 hash: eedfd5bc311216caabfde7f96d743707
humanhash: montana-timing-uranus-iowa
File name:Standard Charterd Bank Validation Form.lnk
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:2'539 bytes
First seen:2024-05-07 06:14:29 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 48:8aIfLqCDSC30j/KwP6hPHMefMI6S6NfabNT:8Fj3ifPiPHMek06Nfi
TLSH T16D51581517F6532CE7F38A3AACF2E3159272F81ADD128BDE025051988C64624E974F2F
Reporter lowmal3
Tags:lnk RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/f04d498d0721ea279c798503005f24f8d76d3780914a9fa1dc2874893c313250/results/dashboard
Payload URLs
URL
File name
D:\DocGuard-Api\AppData\7cce5151-48ab-4005-a829-a393fc548e51\Standard
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
BAT.Downloader.N.58F4B0F1;BZC.PZQ.Pantera.115.Generic
Link:
https://www.hybrid-analysis.com/sample/f04d498d0721ea279c798503005f24f8d76d3780914a9fa1dc2874893c313250
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1437225
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Found URL in windows shortcut file (LNK)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1437225 Sample: Standard Charterd Bank Vali... Startdate: 07/05/2024 Architecture: WINDOWS Score: 100 54 wagonofficeteam.duckdns.org 2->54 56 paste.ee 2->56 58 2 other IPs or domains 2->58 74 Multi AV Scanner detection for domain / URL 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 84 23 other signatures 2->84 11 powershell.exe 3 15 2->11         started        signatures3 80 Uses dynamic DNS services 54->80 82 Connects to a pastebin service (likely for C&C) 56->82 process4 signatures5 96 Windows shortcut file (LNK) starts blacklisted processes 11->96 98 Suspicious powershell command line found 11->98 100 Found suspicious powershell code related to unpacking or dynamic code loading 11->100 14 wscript.exe 14 11->14         started        18 powershell.exe 14 16 11->18         started        21 conhost.exe 1 11->21         started        process6 dnsIp7 62 paste.ee 172.67.187.200, 443, 49731, 49734 CLOUDFLARENETUS United States 14->62 106 Windows shortcut file (LNK) starts blacklisted processes 14->106 108 System process connects to network (likely due to code injection or exploit) 14->108 110 Suspicious powershell command line found 14->110 112 5 other signatures 14->112 23 powershell.exe 7 14->23         started        64 38.255.42.91, 49730, 80 COGENT-174US United States 18->64 48 C:\Windows\Temp\Debug.vbs, Unicode 18->48 dropped file8 signatures9 process10 signatures11 92 Windows shortcut file (LNK) starts blacklisted processes 23->92 94 Suspicious powershell command line found 23->94 26 powershell.exe 15 23->26         started        30 conhost.exe 23->30         started        process12 dnsIp13 60 uploaddeimagens.com.br 104.21.45.138, 443, 49732, 49733 CLOUDFLARENETUS United States 26->60 102 Writes to foreign memory regions 26->102 104 Injects a PE file into a foreign processes 26->104 32 AddInProcess32.exe 3 15 26->32         started        signatures14 process15 dnsIp16 50 wagonofficeteam.duckdns.org 192.3.64.154, 1965, 49740, 49741 AS-COLOCROSSINGUS United States 32->50 52 geoplugin.net 178.237.33.50, 49742, 80 ATOM86-ASATOM86NL Netherlands 32->52 46 C:\ProgramData\remcos\logs.dat, data 32->46 dropped 66 Contains functionality to bypass UAC (CMSTPLUA) 32->66 68 Detected Remcos RAT 32->68 70 Tries to steal Mail credentials (via file registry) 32->70 72 8 other signatures 32->72 37 AddInProcess32.exe 1 32->37         started        40 AddInProcess32.exe 1 32->40         started        42 AddInProcess32.exe 14 32->42         started        44 AddInProcess32.exe 32->44         started        file17 signatures18 process19 signatures20 86 Tries to steal Instant Messenger accounts or passwords 37->86 88 Tries to harvest and steal browser information (history, passwords, etc) 37->88 90 Tries to steal Mail credentials (via file / registry access) 40->90
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f04d498d0721ea279c798503005f24f8d76d3780914a9fa1dc2874893c313250/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-05-07 02:21:03 UTC
File Type:
Binary
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bgutdihehvcphdzqubqaxze7dlw2n4asffj7io4fb2ispbrgjia._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:wagon1 collection execution rat
Link:
https://tria.ge/reports/240507-gzxkfafe65/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Enumerates connected drives
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
wagonofficeteam.duckdns.org:1965
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f04d498d0721/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Shortcut (lnk) lnk f04d498d0721ea279c798503005f24f8d76d3780914a9fa1dc2874893c313250

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments