MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9
SHA3-384 hash: 26b8069f467d9013f5e5ea09b9bbdbcd91abb8f7a0257bfb5d87dacf47332150a362bb555db1c698d102a30a0d3bab8e
SHA1 hash: a8ea6a7a0969b63f0ab5f60149ba47972ab022c8
MD5 hash: 56de39b0801ef1a299408f2a90378f61
humanhash: emma-delaware-kansas-failed
File name:SecuriteInfo.com.W32.ModiLoader.WG.tr.28485.12502
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'355'264 bytes
First seen:2023-10-18 05:38:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 943a00a286edd3507b735f866788c4b5 (2 x RemcosRAT, 2 x DBatLoader, 2 x Formbook)
ssdeep 12288:iKl1+wjWARTvUKbV2p11lx8Nimm5cfGNJ3+AJf3tDWwEPbWKiwfat4YJy4IcB2dl:zlxtU9jxR7W+6AJKPdfaLScBWUGoD
Threatray 2'685 similar samples on MalwareBazaar
TLSH T14955D015F693463BC032163ADE77937488297E643A296C56A7F41C788F3768A38376C3
TrID 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.3% (.SCR) Windows screen saver (13097/50/3)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon c4c4d4dcacccfc34 (2 x RemcosRAT, 2 x DBatLoader, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.W32.ModiLoader.WG.tr.28485.12502
Verdict:
Malicious activity
Analysis date:
2023-10-18 06:15:36 UTC
Tags:
dbatloader rat remcos remote
Link:
https://app.any.run/tasks/2c242bd1-ea17-4718-9d8d-e5dc67960f93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455577/
Detection(s):
SecuriteInfo.com.W32.ModiLoader.WG.tr.28485.12502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin packed remcos replace
Link:
https://www.filescan.io/uploads/652f6f7810dbe5fb92cd55e9/reports/11261c89-f754-4e92-a007-b83a0432206b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8de09be5-f498-4376-a7b8-d79ad1bf01d4
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327799
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1327799 Sample: SecuriteInfo.com.W32.ModiLo... Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 68 web.fe.1drv.com 2->68 70 onedrive.live.com 2->70 72 3 other IPs or domains 2->72 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 9 other signatures 2->88 12 SecuriteInfo.com.W32.ModiLoader.WG.tr.28485.12502.exe 1 7 2->12         started        16 Isoqkoyx.PIF 2->16         started        signatures3 process4 file5 62 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->62 dropped 64 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->64 dropped 66 C:\Users\Public\Libraries\Isoqkoyx.PIF, PE32 12->66 dropped 114 Drops PE files with a suspicious file extension 12->114 116 Writes to foreign memory regions 12->116 118 Allocates memory in foreign processes 12->118 120 Injects a PE file into a foreign processes 12->120 18 SndVol.exe 3 13 12->18         started        22 cmd.exe 1 12->22         started        122 Multi AV Scanner detection for dropped file 16->122 124 Machine Learning detection for dropped file 16->124 126 Allocates many large memory junks 16->126 24 colorcpl.exe 16->24         started        signatures6 process7 dnsIp8 74 163.123.143.32, 42199, 49720, 49721 ILIGHT-NETUS Reserved 18->74 76 geoplugin.net 178.237.33.50, 49722, 80 ATOM86-ASATOM86NL Netherlands 18->76 90 Contains functionality to bypass UAC (CMSTPLUA) 18->90 92 Tries to steal Mail credentials (via file registry) 18->92 94 Contains functionalty to change the wallpaper 18->94 104 7 other signatures 18->104 26 SndVol.exe 18->26         started        29 SndVol.exe 18->29         started        31 SndVol.exe 18->31         started        33 SndVol.exe 18->33         started        96 Uses ping.exe to sleep 22->96 98 Drops executables to the windows directory (C:\Windows) and starts them 22->98 100 Uses ping.exe to check the status of other devices and networks 22->100 35 easinvoker.exe 22->35         started        37 PING.EXE 1 22->37         started        40 xcopy.exe 2 22->40         started        43 8 other processes 22->43 102 DLL side loading technique detected 24->102 signatures9 process10 dnsIp11 108 Tries to steal Instant Messenger accounts or passwords 26->108 110 Tries to steal Mail credentials (via file / registry access) 26->110 112 Tries to harvest and steal browser information (history, passwords, etc) 29->112 45 cmd.exe 1 35->45         started        78 127.0.0.1 unknown unknown 37->78 58 C:\Windows \System32\easinvoker.exe, PE32+ 40->58 dropped 60 C:\Windows \System32\netutils.dll, PE32+ 43->60 dropped file12 signatures13 process14 signatures15 128 Adds a directory exclusion to Windows Defender 45->128 48 cmd.exe 1 45->48         started        51 conhost.exe 45->51         started        process16 signatures17 80 Adds a directory exclusion to Windows Defender 48->80 53 powershell.exe 25 48->53         started        process18 signatures19 106 DLL side loading technique detected 53->106 56 conhost.exe 53->56         started        process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 03:26:35 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uzg2qus3emi2fpoc2y43ej4buwu5woy67ezdivbb6wv7w6dzteq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1ce13b1a107d66487c04da7180452270eebd76b7f0bcd1df37512fd1306d6656
RemcosRAT
2d12bedd8d6cee6c6fbee5ccb9d7dd25fc6693d9d6a7a0207104f94b681b55aa
RemcosRAT
2f6f8d08fcf273fa79b7a13d3b24d4f71bbc9f2fdf6965afd737ccc0d5316429
RemcosRAT
456f09b71ed09cbc590f6a3b8d5aacc7f0fb94521d8b19b80d2a201e5f73b5a0
RemcosRAT
483d7f7379d43c9fb3effb226cb58a443f48105bda3a9a6310a76729d7c1b3bd
RemcosRAT
4f4a8ff83672c8134227742b12e228e512d32e3c3dabb8e96bdc6b28628d3d26
RemcosRAT
887171e762ec83f7c3f9d12c11742c7e05e9382db50a9fe3268d266215708bf4
RemcosRAT
b96df82e2a9e14b2854a68e6645598e494aa818801a18384f2d81a2ff514824e
RemcosRAT
ea9723cd4dfeb319cedc75c0dd4cb5fa326b995580aee939085780092aafcda9
RemcosRAT
+ 2'675 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost collection persistence rat trojan
Link:
https://tria.ge/reports/231018-gcar6ada36/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
127.0.0.1:43991
127.0.0.1:42199
163.123.143.32:42199
163.123.143.32:43991
Unpacked files
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/081bbf89-4872-4521-95a9-afc8e8cb5ae1/
SH256 hash:
369c873ffebdd1fb20049f53233c566d509718efaa7c973fe66b7c236ccae559
MD5 hash:
4a30c85741fff5fcb8dd0eb8fead46bf
SHA1 hash:
06072ffbc7e6af8c70e403782f4c630719d86e15
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/081bbf89-4872-4521-95a9-afc8e8cb5ae1/
SH256 hash:
fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9
MD5 hash:
56de39b0801ef1a299408f2a90378f61
SHA1 hash:
a8ea6a7a0969b63f0ab5f60149ba47972ab022c8
Link:
https://www.unpac.me/results/081bbf89-4872-4521-95a9-afc8e8cb5ae1/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd326d4292d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd326d4292d9188d15ee16b1cd913c0d2d4ed9d8f7c991a2a10fad5fdbc3ccc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/455577/

Comments