MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f09b8755616e69d30596c61482609b77b102394c7da3cd4b50fa9b8a1c2f117c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 13



SHA256 hash: f09b8755616e69d30596c61482609b77b102394c7da3cd4b50fa9b8a1c2f117c
SHA3-384 hash: 806b72262ae59b358ea3cc749313bcd3aa34d77aee0ace570acd20452c1d0c770525304aedfa9b18467d29095f59d38d
SHA1 hash: ec9faca46c457ef9d944f352e87f007bbde66f50
MD5 hash: 39038eabfd5bc05a68a382022afd78ce
humanhash: aspen-freddie-north-uncle
File name: Products_Specification.XLs.PIF
Signature: RemcosRAT
File size: 1'685'504 bytes
First seen: 2024-07-16 19:19:15 UTC
Last seen: 2024-07-24 22:54:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c89d3202415aaf9c8f0452bb97146f27 (5 x RemcosRAT, 1 x AveMariaRAT)
ssdeep: 24576:tHb5Bli50xv2T4EM9X0cjRjFmhco/ZyFvaZjeCi8DI/fdKFZA56GSbxpSA07YN3t:Fb5W+uWRhKV4FceCxyKFZ
TLSH: T1F7757A20F1F01436D27229FD8F12EAEDD71E7A3A1918D6817AECEA495A3B1803457DC7
TrID: 36.1% (.SCR) Windows screen saver (13097/50/3)
      29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      5.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: d8dcded6c6a2a2c8 (5 x RemcosRAT, 1 x AveMariaRAT)
Reporter: abuse_ch
Tags: exe pif RemcosRAT
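The hashes above are what a responder matches on, and the name and type fields are the first masquerade signal: the file carries a .PIF extension behind a decoy .XLs one, yet the content is "Executable exe" (application/x-dosexec). The Python below is an added example written for this page, not MalwareBazaar's own code: it computes the same four digests, compares them against the values listed on this entry, and flags the double-extension and content/extension mismatches. The stand-in bytes used in the usage block are constructed and are not the sample.

```python
import hashlib

# Hashes listed on this MalwareBazaar entry (copied from the page above).
IOC_HASHES = {
    "sha256": "f09b8755616e69d30596c61482609b77b102394c7da3cd4b50fa9b8a1c2f117c",
    "sha3_384": "806b72262ae59b358ea3cc749313bcd3aa34d77aee0ace570acd20452c1d0c770525304aedfa9b18467d29095f59d38d",
    "sha1": "ec9faca46c457ef9d944f352e87f007bbde66f50",
    "md5": "39038eabfd5bc05a68a382022afd78ce",
}

# Extensions Windows hands straight to the loader or a script host (PIF and SCR included).
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document extensions an attacker places just before the real one as bait.
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt"}


def digests(data: bytes) -> dict:
    """The four digests MalwareBazaar lists, computed over the file bytes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def ioc_matches(d: dict) -> list:
    """Algorithms whose digest equals the value published on this entry."""
    return [alg for alg, h in d.items() if IOC_HASHES.get(alg) == h.lower()]


def masquerade_flags(filename: str, data: bytes) -> list:
    """Name/content checks behind the 'double extension' and 'Executable exe' fields."""
    parts = filename.lower().split(".")
    outer = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    is_pe = data[:2] == b"MZ"                     # DOS/PE magic, as in application/x-dosexec
    flags = []
    if outer in EXEC_EXTS and inner in DOC_EXTS:
        flags.append("double_extension")          # e.g. ".XLs.PIF": the .XLs part is bait
    if is_pe and outer not in EXEC_EXTS:
        flags.append("pe_disguised")              # MZ bytes behind a document extension
    if is_pe and outer == ".pif":
        flags.append("pif_executable")            # Windows runs a .pif holding a PE like an .exe
    return flags


def triage(filename: str, data: bytes) -> dict:
    """Combine the three checks into one record for a submitted file."""
    d = digests(data)
    return {"digests": d, "ioc_matches": ioc_matches(d), "flags": masquerade_flags(filename, data)}


if __name__ == "__main__":
    # Constructed stand-in: an MZ magic plus padding, NOT the sample from this entry.
    fake = b"MZ" + bytes(62)
    print(triage("Products_Specification.XLs.PIF", fake))
```

For a real triage run, read the file in binary mode and pass its bytes to triage(); a match on any one algorithm is enough to pin the file to this entry, while the flags alone only say the name is lying about the content, not that it is this family.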

Intelligence

File Origin
# of uploads: 3
# of downloads: 378
Origin country: NL

Vendor Threat Intelligence

Malware family: (not given)
ID: 1
File name: Products_Specification.XLs.PIF.exe
Verdict: Malicious activity
Analysis date: 2024-07-16 19:38:00 UTC
Tags: rat remcos remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
- Creating synchronization primitives
- Creating a window
- DNS request
- Connection attempt
- Sending a custom TCP request
- Sending an HTTP GET request
- Creating a file
- Creating a process from a recently created file
- Creating a file in the %temp% subdirectories
- Running batch commands
- Creating a process with a hidden window
- Launching a process
- Searching for the window
- Setting a keyboard event handler
- Changing a file
- Searching for synchronization primitives
- Creating a file in the %AppData% subdirectories
- Enabling the 'hidden' option for recently created files
- Launching a service
- Launching the default Windows debugger (dwwin.exe)
- Using Windows Management Instrumentation requests
- Forced system process termination
- Unauthorized injection into a recently created process
- Unauthorized injection into a recently created process by context flags manipulation
- Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
- Enabling autorun with the shell\open\command registry branches
- Launching a tool to kill processes

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: borland_delphi explorer fingerprint keylogger lolbin masquerade
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signatures
- Adds a directory exclusion to Windows Defender
- AI detected suspicious sample
- Allocates memory in foreign processes
- Antivirus / Scanner detection for submitted sample
- Antivirus detection for dropped file
- Antivirus detection for URL or domain
- C2 URLs / IPs found in malware configuration
- Contains functionality to bypass UAC (CMSTPLUA)
- Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
- Contains functionality to detect sleep reduction / modifications
- Contains functionality to register a low level keyboard hook
- Contains functionality to steal Chrome passwords or cookies
- Contains functionality to steal Firefox passwords or cookies
- Contains functionality to change the wallpaper
- Delayed program exit found
- Detected Remcos RAT
- Detected unpacking (changes PE section rights)
- Drops executables to the windows directory (C:\Windows) and starts them
- Drops or copies cmd.exe with a different name (likely to bypass HIPS)
- Drops PE files to the user root directory
- Drops PE files with a suspicious file extension
- Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
- Found malware configuration
- Installs a global keyboard hook
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Opens network shares
- Powershell is started from unusual location (likely to bypass HIPS)
- Reads the Security eventlog
- Reads the System eventlog
- Sample uses process hollowing technique
- Sigma detected: Execution from Suspicious Folder
- Sigma detected: New RUN Key Pointing to Suspicious Folder
- Sigma detected: Parent in Public Folder Suspicious Process
- Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
- Sigma detected: Remcos
- Sigma detected: TrustedPath UAC Bypass Pattern
- UAC bypass detected (Fodhelper)
- Uses an obfuscated file name to hide its real file extension (double extension)
- Uses dynamic DNS services
- Uses ping.exe to check the status of other devices and networks
- Uses ping.exe to sleep
- Writes to foreign memory regions
- Yara detected DBatLoader
- Yara detected Remcos RAT
- Yara detected UAC Bypass using CMSTP
Behaviour

Behavior Graph ID: 1474438
Sample: Products_Specification.XLs.... Start date: 16/07/2024. Architecture: WINDOWS. Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures.

Network contacts (from Products_Specification.XLs.PIF.exe unless noted):
- wealthconsultantmanager.com: 108.170.55.202, port 443 (source ports 49706, 49707), SSASN2US, United States
- bin-cgi.ddns.net: 103.186.116.73, port 3442 (source port 49708), AARNET-AS-AP (Australian Academic and Research Network), country unknown. Flagged: Uses dynamic DNS services.
- geoplugin.net: 178.237.33.50, port 80 (source port 49709), ATOM86-AS ATOM86 NL, Netherlands
- 127.0.0.1: contacted by PING.EXE (see the process tree)

Process tree (graph node ids in parentheses):

Products_Specification.XLs.PIF.exe (12)
  dropped: C:\Users\Public\Libraries\meatwmqG.pif (PE32); C:\Users\user\AppData\Roaming\...\logs.dat (data); C:\Users\Public\Libraries\Gqmwtaem (data); C:\Users\Public\Gqmwtaem.url (MS)
  signatures: Detected Remcos RAT; Contains functionality to change the wallpaper; Drops PE files with a suspicious file extension; 7 other signatures
  +- meatwmqG.pif (23)
  |    dropped: C:\Users\user\AppData\Local\Temp\...\59AB.bat (ASCII)
  |    signatures: Detected unpacking (changes PE section rights)
  |    +- cmd.exe (29)
  |         signatures: Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender
  |         +- alpha.exe (32): Adds a directory exclusion to Windows Defender
  |         |    +- xkn.exe (42): Powershell is started from unusual location (likely to bypass HIPS); Adds a directory exclusion to Windows Defender; Reads the Security eventlog; Reads the System eventlog
  |         |         +- alpha.exe (55): Adds a directory exclusion to Windows Defender
  |         |              +- ger.exe (58): UAC bypass detected (Fodhelper)
  |         +- alpha.exe (35): Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  |         +- extrac32.exe (37): dropped C:\Users\Public\alpha.exe (PE32+); Drops PE files to the user root directory; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
  |         +- 15 other processes (40): Opens network shares
  |              +- PING.EXE (45): 127.0.0.1
  |              +- extrac32.exe (48): dropped C:\Users\Public\ger.exe (PE32+)
  |              +- extrac32.exe (51): dropped C:\Users\Public\xkn.exe (PE32+)
  |              +- 2 other processes (53): dropped C:\Windows \System32\per.exe (PE32+)
  +- extrac32.exe (27)
       dropped: C:\Users\Public\Libraries\Gqmwtaem.PIF (PE32)
       signatures: Drops PE files with a suspicious file extension

Gqmwtaem.PIF (17): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 4 other signatures
Gqmwtaem.PIF (19)
SystemSettingsAdminFlows.exe (21)

Points worth noting in the tree: the first-stage loader meatwmqG.pif is the persisted name Gqmwtaem.PIF spelled backwards; the sandbox pairs the drop of C:\Users\Public\alpha.exe by extrac32.exe with its "Drops or copies cmd.exe with a different name" signature, so the alpha.exe nodes are a renamed cmd.exe; and the path C:\Windows \System32\per.exe has a space after "Windows", i.e. a mock trusted directory rather than the real one, which is what the "Sigma detected: TrustedPath UAC Bypass Pattern" signature above refers to.
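Several of the signatures above (New RUN Key Pointing to Suspicious Folder, Powershell Base64 Encoded MpPreference Cmdlet, TrustedPath UAC Bypass Pattern, UAC bypass detected (Fodhelper)) reduce to simple checks on host telemetry. The Python below is an added example written for this page, not code from MalwareBazaar or from any of the vendors whose results are shown; the event records are constructed to resemble the process tree above, and the command lines, registry values and parent/child pairs in them are hypothetical rather than taken from the sample.

```python
import base64
import re

# Folders a standard user can write to: a Run key target or a parent process here is suspicious.
USER_WRITABLE = re.compile(r"(?i)\\(?:users\\public|appdata|temp|programdata)\\")
# "C:\Windows \System32\..." (space after Windows) is a mock trusted directory, not the real one.
MOCK_TRUSTED_DIR = re.compile(r"(?i)^[a-z]:\\windows \\")
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_ARG = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# The per-user key fodhelper.exe consults before it auto-elevates.
FODHELPER_KEY = "\\software\\classes\\ms-settings\\shell\\open\\command"


def ps_encode(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Run the checks over a list of event dicts and return (rule, evidence) hits."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set":
            key = ev["key"].lower()
            if "\\currentversion\\run\\" in key and USER_WRITABLE.search(ev["value"]):
                hits.append(("run_key_user_writable", ev["value"]))
            if key.endswith(FODHELPER_KEY):
                hits.append(("fodhelper_hijack_key", ev["key"]))
        elif ev["type"] == "process_create":
            image = ev["image"]
            parent = ev.get("parent", "")
            if MOCK_TRUSTED_DIR.match(image):
                hits.append(("trusted_path_spoof", image))
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded and re.search(r"(?i)add-mppreference\s+-exclusion", decoded):
                hits.append(("defender_exclusion_encoded", decoded))
            if image.lower().endswith("\\fodhelper.exe") and USER_WRITABLE.search(parent):
                hits.append(("fodhelper_launch_from_user_dir", parent))
    return hits


# Constructed events modelled on the process tree above; not real telemetry from the sample.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gqmwtaem",
     "value": r"C:\Users\Public\Gqmwtaem.url"},
    {"type": "process_create", "image": r"C:\Users\Public\xkn.exe",
     "parent": r"C:\Users\Public\alpha.exe",
     "cmdline": "xkn.exe -nop -w hidden -enc "
                + ps_encode(r"Add-MpPreference -ExclusionPath 'C:\Users\Public'")},
    {"type": "process_create", "image": r"C:\Windows \System32\per.exe",
     "parent": r"C:\Users\Public\alpha.exe", "cmdline": "per.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "value": r"C:\Users\Public\ger.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": r"C:\Users\Public\ger.exe", "cmdline": "fodhelper.exe"},
    # A ping from a system-directory cmd.exe: on its own this should not fire anything.
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ping 127.0.0.1 -n 5"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
```

The decode step matters because the Defender exclusion never appears in clear text on the command line: -EncodedCommand carries base64 of UTF-16LE, so a detector that only greps for "Add-MpPreference" misses it. The trailing-space check keys off the path string itself, so it catches the mock directory regardless of which executable was planted there.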
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-07-16 11:11:18 UTC
File Type: PE (Exe)
Extracted files: 44
AV detection: 16 of 24 (66.67%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f09b8755616e69d30596c61482609b77b102394c7da3cd4b50fa9b8a1c2f117c
MD5 hash: 39038eabfd5bc05a68a382022afd78ce
SHA1 hash: ec9faca46c457ef9d944f352e87f007bbde66f50

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Borland
Author: malware-lu

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                 | Title                                                    | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                     | high
CHECK_NX           | Missing Non-Executable Memory Protection                 | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID                | Capabilities                      | Evidence
COM_BASE_API      | Can Download & Execute components | ole32.dll::CoCreateInstance
WIN32_PROCESS_API | Can Create Process and Threads    | kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                 | kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetStartupInfoA, kernel32.dll::GetDiskFreeSpaceA, kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs        | kernel32.dll::WinExec
WIN_BASE_IO_API   | Can Create Files                  | kernel32.dll::CreateFileA, kernel32.dll::FindFirstFileA, version.dll::GetFileVersionInfoSizeA, version.dll::GetFileVersionInfoA
WIN_REG_API       | Can Manipulate Windows Registry   | advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA
WIN_USER_API      | Performs GUI Actions              | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::PeekMessageW, user32.dll::CreateWindowExA
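The three BLint findings above come from fields in the PE optional header: CHECK_NX and CHECK_PIE from the DllCharacteristics bits (NX_COMPAT and DYNAMIC_BASE), CHECK_AUTHENTICODE from an empty security data directory. The Python below is an added example written for this page, not BLint's own code: it reads those fields with the standard library only, reports findings with the same IDs and severities as the table, and builds a constructed header-only PE stub to exercise both the weak and the hardened case. The stub is not loadable and is not the sample; a non-zero security directory only means a certificate table is present, and verifying the signature itself is a separate step.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
DYNAMIC_BASE = 0x0040   # relocatable image, i.e. ASLR-capable ("PIE" in BLint's terms)
NX_COMPAT = 0x0100      # DEP / non-executable memory compatible
SECURITY_DIR = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def pe_hardening(data: bytes) -> dict:
    """Read the header fields that CHECK_NX, CHECK_PIE and CHECK_AUTHENTICODE key off."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                       # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32: data directories start at +96
        dd_off = 96
    elif magic == 0x20B:                          # PE32+: 64-bit fields push them to +112
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]          # same offset in both
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]     # NumberOfRvaAndSizes
    sec_size = 0
    if n_dirs > SECURITY_DIR:
        _, sec_size = struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIR)
    return {
        "pe32plus": magic == 0x20B,
        "nx": bool(dll_chars & NX_COMPAT),
        "pie": bool(dll_chars & DYNAMIC_BASE),
        "authenticode_present": sec_size != 0,
    }


def findings(data: bytes):
    """Emit findings with the IDs and severities used in the BLint table above."""
    h = pe_hardening(data)
    out = []
    if not h["authenticode_present"]:
        out.append(("CHECK_AUTHENTICODE", "high"))
    if not h["nx"]:
        out.append(("CHECK_NX", "critical"))
    if not h["pie"]:
        out.append(("CHECK_PIE", "high"))
    return out


def build_stub_pe(dll_characteristics=0, pe32plus=False, signature_size=0) -> bytes:
    """Constructed header-only PE for testing: DOS stub, PE signature, COFF and optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header follows
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8 * SECURITY_DIR,
                     0x1000 if signature_size else 0, signature_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("weak   :", findings(build_stub_pe()))
    print("hardened:", findings(build_stub_pe(NX_COMPAT | DYNAMIC_BASE, pe32plus=True, signature_size=0x800)))
```

To check a real file, read it in binary mode and pass the bytes to findings(); the sample on this page should reproduce all three findings from the table.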
