MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2983bae21d56a3081e78ebdfe8c91b007a0e7e3b363850fb48ee90eeea953df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

SHA256 hash: f2983bae21d56a3081e78ebdfe8c91b007a0e7e3b363850fb48ee90eeea953df
SHA3-384 hash: 1550910511a972b3a85017236827cedf03879c18e841e6d2f8c4437a309790e865b34997c03de656f3cf2b37cb521647
SHA1 hash: 4ca1e8f488e2357148a990f375b0f8b4c21e63fb
MD5 hash: d7fa42ada80342b77afe8fc6d8a3b454
humanhash: fruit-apart-wolfram-black
File name: Document 20240327_1188908_1188909.bat
Signature: RemcosRAT
File size: 3'500'311 bytes
First seen: 2024-03-28 13:56:16 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 49152:rEC7f2ylcohhw5oJVu4nXyxfW+T1nCzm3svMqa7c+7ZpupGKrx5rNfHz73Mm03uH:F
TLSH: T1E4F5829B2DAD4B89971E73EB1B0BECCD932BCE111F826DEC81C2098C404676F1555B9E
Reporter: cocaman
Tags: bat payment RemcosRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: CH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f2983bae21d56a3081e78ebdfe8c91b007a0e7e3b363850fb48ee90eeea953df.unknown
Verdict: No threats detected
Analysis date: 2024-03-28 13:58:23 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: masquerade
Result
Verdict: MALICIOUS
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found large BAT file
Found malware configuration
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell is started from unusual location (likely to bypass HIPS)
Queues an APC in another process (thread injection)
Reads the Security eventlog
Reads the System eventlog
Registers a new ROOT certificate
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Fodhelper UAC Bypass
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: TrustedPath UAC Bypass Pattern
Snort IDS alert for network traffic
UAC bypass detected (Fodhelper)
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1417234
Sample: Document 20240327_1188908_1...
Start date: 28/03/2024
Architecture: WINDOWS
Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures.

Network contacts recorded in the graph:
  jaztc.duckdns.org, 192.3.216.131, ports 1808, 49721, AS-COLOCROSSINGUS, United States (contacted by SndVol.exe; flagged "Uses dynamic DNS services")
  geoplugin.net, 178.237.33.50, ports 49722, 80, ATOM86-ASATOM86NL, Netherlands (contacted by SndVol.exe)
  dual-spov-0006.spov-msedge.net, 13.107.139.11, ports 443, 49711, 49712, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States (contacted by Lewxa.com)
  6 other IPs or domains

Files dropped (the space after "Windows" in the first two paths is part of the path as recorded, matching the "Additional Space in Path" and "TrustedPath UAC Bypass" Sigma hits above):
  C:\Windows \System32\netutils.dll, PE32+ (by Lewxa.com)
  C:\Windows \System32\551738.exe, PE32+ (by Lewxa.com)
  C:\Users\Public\Dnirlnhx.url, MS (by Lewxa.com)
  C:\ProgramData\sfsfdrgrre\logs.dat, data (by SndVol.exe)
  C:\Users\Public\Libraries\Dnirlnhx.PIF, PE32 (by extrac32.exe)
  C:\Users\Public\alpha.exe, PE32+ (by extrac32.exe)
  C:\Users\Public\Libraries\Lewxa.com, PE32 (by kn.exe)
  C:\Users\Public\xkn.exe, PE32+ and C:\Users\Public\kn.exe, PE32+ (by 4 other child processes)

Process tree (per-process signatures in brackets):
sample
  cmd.exe [Adds a directory exclusion to Windows Defender]
    Lewxa.com [Early bird code injection technique detected; Allocates memory in foreign processes; Queues an APC in another process (thread injection)]
      SndVol.exe [Detected Remcos RAT; Installs a global keyboard hook]
      cmd.exe [Drops executables to the windows directory (C:\Windows) and starts them]
        551738.exe
          cmd.exe [Adds a directory exclusion to Windows Defender]
            cmd.exe [Adds a directory exclusion to Windows Defender]
              powershell.exe
                WmiPrvSE.exe
              conhost.exe
            conhost.exe
        conhost.exe
      extrac32.exe
      2 other processes
        conhost.exe
        conhost.exe
    alpha.exe [Adds a directory exclusion to Windows Defender]
      xkn.exe [Powershell is started from unusual location (likely to bypass HIPS); Adds a directory exclusion to Windows Defender; Reads the Security eventlog; Reads the System eventlog]
        alpha.exe [Adds a directory exclusion to Windows Defender]
          reg.exe [UAC bypass detected (Fodhelper)]
        fodhelper.exe
    cmd.exe
      extrac32.exe [Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)]
    11 other processes
      kn.exe [Registers a new ROOT certificate; Drops PE files with a suspicious file extension]
      kn.exe
      4 other processes
  Dnirlnhx.PIF [Early bird code injection technique detected; Allocates memory in foreign processes]
    SndVol.exe [Detected Remcos RAT]
  Dnirlnhx.PIF
    SndVol.exe
  SystemSettingsAdminFlows.exe
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2024-03-28 10:05:22 UTC
File Type: Text
Extracted files: 2
AV detection: 6 of 24 (25.00%)
Threat level: 5/5

Verdict: malicious
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader persistence trojan
Behaviour
Kills process with taskkill
Modifies registry class
Modifies registry key
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  RemcosRAT
    Batch (bat) f2983bae21d56a3081e78ebdfe8c91b007a0e7e3b363850fb48ee90eeea953df (this sample)

Delivery method: Other

Comments