MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
SHA3-384 hash: 1acb814b4c4c6d0c27aa712d829a3507fd4e0c6a434d5997da87f19e9de11d91d8fa73bc4c22efddef4e14edf4ac4559
SHA1 hash: 7d29308633b6e486dc4f6c64df702886a0bfda5d
MD5 hash: 0cb653b63f1f96cc5b362096cede91e4
humanhash: cup-august-low-jupiter
File name:0cb653b63f1f96cc5b362096cede91e4.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:95'352 bytes
First seen:2021-08-29 15:11:53 UTC
Last seen:2021-08-29 16:00:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 90627e2da294b22ae2833d09baebd2c5 (2 x RemcosRAT)
ssdeep 1536:QY2QC8OoJlCnnynKkM3tsevTzPk2EMpr4aHUl:T2QqoXCyxqsebzIMNv0l
Threatray 6'160 similar samples on MalwareBazaar
TLSH T1DB936948AA5C6BF1DC60853F192F841B6620BA6C33758637F45E6B9BD9F8600F83423D
dhash icon 4418717179f90020 (2 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0cb653b63f1f96cc5b362096cede91e4.exe
Verdict:
No threats detected
Analysis date:
2021-08-29 15:13:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fe56176-9fac-48de-bd0b-c8576584aad8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183272/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.11758.30357.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cc40a3a-f423-43f1-b510-10764e2ffab2
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841076
Signature
Antivirus detection for URL or domain
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473507 Sample: fmPwEX2Lc1.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 5 other signatures 2->53 10 fmPwEX2Lc1.exe 1 2->10         started        13 vlc.exe 1 2->13         started        15 vlc.exe 1 2->15         started        process3 signatures4 63 Tries to detect Any.run 10->63 65 Hides threads from debuggers 10->65 17 fmPwEX2Lc1.exe 4 10 10->17         started        22 vlc.exe 6 13->22         started        24 vlc.exe 6 15->24         started        process5 dnsIp6 43 103.133.111.149, 49724, 49726, 49727 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 17->43 39 C:\Users\user\AppData\Roaming\vlc.exe, PE32 17->39 dropped 41 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 17->41 dropped 55 Tries to detect Any.run 17->55 57 Hides threads from debuggers 17->57 26 wscript.exe 1 17->26         started        file7 signatures8 process9 process10 28 cmd.exe 1 26->28         started        process11 30 vlc.exe 1 28->30         started        33 conhost.exe 28->33         started        signatures12 67 Tries to detect Any.run 30->67 69 Hides threads from debuggers 30->69 35 vlc.exe 2 7 30->35         started        process13 dnsIp14 45 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 78.129.249.105, 2017, 49728 IOMART-ASGB United Kingdom 35->45 59 Tries to detect Any.run 35->59 61 Hides threads from debuggers 35->61 signatures15
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 15:12:06 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6t6rnk2vz7fsnqcu7oa4z636dplwpgnjrgxnhl7vmhdjjtvwttq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0e79effa0348929c10e8aa39b07b38ba50872d4fe132fd7c131e4ac9892ed046
RemcosRAT
32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
RemcosRAT
444dbf26e5c9f7309acd880592c76eb0cb588a33f8ed51ee735ab6d623d64256
RemcosRAT
446fdd51f5eb4359191e189e54a209bd96295c5495cabc1b0b07c8f11d1eb748
RemcosRAT
79e6799e2eb9dbe27b29e3707175322014ffdfbb943c791977d592017a46ad9c
RemcosRAT
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
RemcosRAT
8ef0ab64ef4a050f29808379fa8e9448bca73be60e4944f9d13a9a6880ba33f2
RemcosRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
RemcosRAT
bd6cf98ff23cdad2f5bb43bb60e61275d8ad1ad7baeb609aa0a812fc048fede0
RemcosRAT
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
RemcosRAT
+ 6'150 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:gee_2020 downloader persistence rat suricata
Link:
https://tria.ge/reports/210829-tqj1wwc1ne/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
suricata: ET MALWARE Generic .bin download from Dotted Quad
Malware Config
C2 Extraction:
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/632ee23f-d44f-4b32-951f-50771ced00ea/
SH256 hash:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
MD5 hash:
0cb653b63f1f96cc5b362096cede91e4
SHA1 hash:
7d29308633b6e486dc4f6c64df702886a0bfda5d
Link:
https://www.unpac.me/results/632ee23f-d44f-4b32-951f-50771ced00ea/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/07a7e8b55aae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1574035/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183272/

Comments