MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 28b6bbc6b1d6ee21ccdc25c5eefccad5e21556954542cd19a0a87f7dde91df78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 4
| SHA256 hash: | 28b6bbc6b1d6ee21ccdc25c5eefccad5e21556954542cd19a0a87f7dde91df78 |
|---|---|
| SHA3-384 hash: | 83b0db34b96efe43c07e0601230abc8e3c7c13f34df6de73c007ce1590dc26dc61733fc69389330f46ea74e364ce68e4 |
| SHA1 hash: | 18a703514e47e1c3b59cf12de95f1ea5c7475083 |
| MD5 hash: | 260bf0106c006d4e988a2685df71a758 |
| humanhash: | football-yellow-uniform-twelve |
| File name: | 2ba6a5c3758409c9f9f78e31046d07b0.exe |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 126'976 bytes |
| First seen: | 2020-03-26 14:48:26 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5f0c90c109d16124e83cb7a25caef54f (28 x RemcosRAT, 1 x FormBook, 1 x NetWire) |
| ssdeep | 3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUYa:yh1qn3IF9Obbj/a1cpcQjeHOzqhUY |
| Threatray | 753 similar samples on MalwareBazaar |
| TLSH | A0C3E867F20B80A3D863027156507B72EEBCBC321A5D5157E7E8D8811DF588E9026AFF |
| Reporter |  abuse_ch |
| Tags: | exe GuLoader RemcosRAT |
abuse_ch
Payload dropped by GuLoader from the following URL:https://onedrive.live.com/download?cid=A32AEA2B4355716B&resid=A32AEA2B4355716B%214983&authkey=ADSe6p65gYFe4Q4
Intelligence
File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Gathering data
Threat name:
Win32.Trojan.Rescoms
Status:
Malicious
First seen:
2020-03-26 15:36:11 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 743 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
ad0f3bae4f5c4772ee9feee61ad45b5558bf0f58dc3a7fb4c65c8d847d5311ef
Dropped by
MD5 2ba6a5c3758409c9f9f78e31046d07b0
Dropped by
MD5 aff560244df2b268a1561c4cdbdef3c4
Dropped by
GuLoader
Dropped by
SHA256 ad0f3bae4f5c4772ee9feee61ad45b5558bf0f58dc3a7fb4c65c8d847d5311ef
Dropped by
SHA256 446d7a3b74f689c6e515934b73f8ab0f6caf6a0730f96ddc8c71efa23b913b6e
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipAlloc |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringA WINMM.dll::mciSendStringW WINMM.dll::PlaySoundW WINMM.dll::waveInAddBuffer WINMM.dll::waveInClose WINMM.dll::waveInOpen |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExA SHELL32.dll::ShellExecuteW |
| URL_MONIKERS_API | Can Download & Execute components | urlmon.dll::URLDownloadToFileW urlmon.dll::URLOpenBlockingStreamW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetStartupInfoA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileA KERNEL32.dll::DeleteFileW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueA |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegCreateKeyW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW |
| WIN_SVC_API | Can Manipulate Windows Services | ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::ControlService ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenSCManagerA ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.