MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f65252925f0545a157e29ecc1115fb8ba1b55c5e777fcf8ef6a52cfdd5b0fb25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: f65252925f0545a157e29ecc1115fb8ba1b55c5e777fcf8ef6a52cfdd5b0fb25
SHA3-384 hash: 975bdc5d1dfa3e67c35c26eecad978deea732fe8dff295830d7e8bee2b797b8e5534d1955fbfee5b4ad8e97c20201bde
SHA1 hash: 705e634e3c6e92957276444c453f6aa573bb78d0
MD5 hash: 9fba17c37d37585a3e5f87924371fc1e
humanhash: ten-moon-hotel-echo
File name: AWB774933084407_994348862659707_PDF.exe
Signature: RemcosRAT
File size: 2'332'672 bytes
First seen: 2023-11-27 09:19:54 UTC
Last seen: 2023-12-05 07:16:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f97d61d6ce4c5700eac63f0c72bb3211 (1 x RemcosRAT, 1 x DBatLoader, 1 x Formbook)
ssdeep: 49152:JWPpH8yc0/wU2lpe63ZrxKrVEbRIqiPt41FFehg1mQmPoE:JCpcyV/wjpdZrxEVEtI141qnLPoE
TLSH: T153B50113D9A0C833D0B72F7A8C47765859373D91AD68A485B6D93C847A7C28A38361FF
TrID: 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
      4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.3% (.SCR) Windows screen saver (13097/50/3)
      1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: e4e4884953c88c9c (1 x RemcosRAT, 1 x DBatLoader, 1 x Formbook)
Reporter: adrian__luca
Tags: exe RemcosRAT

Intelligence

File Origin
# of uploads: 3
# of downloads: 302
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Annex 1 Requirement Specification_ sample products_eng.docx
Verdict: Malicious activity
Analysis date: 2023-11-27 10:05:42 UTC
Tags: opendir exploit cve-2017-11882 loader dbatloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Gathering data

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control hook keylogger lolbin masquerade packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader, Remcos
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID: 1348358, Startdate: 27/11/2023, Architecture: WINDOWS, Score: 100; the graph image is rendered here as a process tree)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
Contacted hosts: geoplugin.net; ateraliza.sa.com

AWB774933084407_994348862659707_PDF.exe (started)
  network: ateraliza.sa.com 172.232.132.75 port 443 (AKAMAI-ASN1EU, United States)
  dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Libraries\Jptrnwyw.PIF (PE32)
  signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into foreign processes
  SndVol.exe (started)
    network: 172.174.245.21 port 5400 (ATT-INTERNET4US, United States); geoplugin.net 178.237.33.50 port 80 (ATOM86-ASATOM86NL, Netherlands)
    dropped: C:\Users\user\noer.dat (data)
    signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 5 other signatures
  cmd.exe (started)
    signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
    easinvoker.exe (started)
      cmd.exe (started)
        signatures: Adds a directory exclusion to Windows Defender
        cmd.exe (started)
          signatures: Adds a directory exclusion to Windows Defender
          powershell.exe (started)
            signatures: DLL side loading technique detected
            conhost.exe (started)
        conhost.exe (started)
    PING.EXE (started)
      network: 127.0.0.1
    xcopy.exe (started)
      dropped: C:\Windows \System32\easinvoker.exe (PE32+)
    8 other processes
      dropped: C:\Windows \System32\netutils.dll (PE32+)
Jptrnwyw.PIF (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  SndVol.exe (started)
Threat name: Win32.Trojan.ModiLoader
Status: Malicious
First seen: 2023-11-27 06:55:44 UTC
File Type: PE (Exe)
Extracted files: 50
AV detection: 21 of 23 (91.30%)
Threat level: 5/5
Verdict: unknown

Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:crypted persistence rat trojan
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction: 172.174.245.21:5400
Unpacked files
SHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash: c116d3604ceafe7057d77ff27552c215
SHA1 hash: 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 hash: 1199d98b4f4b90cc13447514de9a62ab14351ef77b7b8202ce37349695ac1d50
MD5 hash: 5777ebb5adb78a9ef85984c29f8f530e
SHA1 hash: 0501d17c424e581dfdc1ca490f815fdd3fc6d23a
Detections: win_dbatloader_g1 MALWARE_Win_ModiLoader
SHA256 hash: f65252925f0545a157e29ecc1115fb8ba1b55c5e777fcf8ef6a52cfdd5b0fb25
MD5 hash: 9fba17c37d37585a3e5f87924371fc1e
SHA1 hash: 705e634e3c6e92957276444c453f6aa573bb78d0
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RemcosRAT
Executable exe f65252925f0545a157e29ecc1115fb8ba1b55c5e777fcf8ef6a52cfdd5b0fb25 (this sample)
Delivery method: Distributed via e-mail attachment