MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862
SHA3-384 hash: a63c07fc290d477490891ae9fd99de5c5c20b17bbe18934a84719bec6a9d81e30682d4f4abdc4b800049171b13042eab
SHA1 hash: 6c2535d6e8c41aefc0843a1d415fef95f44a5d02
MD5 hash: e7439df74daf9b6f206782e355c3cbc6
humanhash: music-social-north-hamper
File name:PO 10252023-pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'705'640 bytes
First seen:2023-10-25 08:50:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (388 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep 24576:Kx9vWBlNZ6C02IpMAlzW+0ccJJJ1Bnr1+kZvFF+QsGHRckMMcFabSO56pXG1S:QxkSt+Alq+0caJRPFJmzaOO5yGo
Threatray 3'084 similar samples on MalwareBazaar
TLSH T1E48533B2B880DC62D0E61A701E1B89F59D143E8CF011564FD3BA726DD43A78DCDAFA52
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8d8a2aaa6a6d4cc (1 x RemcosRAT)
Reporter TeamDreier
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
PO 10252023-pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 08:51:13 UTC
Tags:
guloader loader trojan opendir
Link:
https://app.any.run/tasks/9d88a6b9-eddd-4b41-819f-d4b9ce35ba17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456202/
Detection(s):
SecuriteInfo.com.HEUR.Trojan.Win32.Makoob.gen.11231.23649.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6538d6fae3768e7905cae7e0/reports/4addfb08-6ba8-405e-abe4-44aec7d05980/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cece645-25f0-4e7b-b3bd-f2b29d0f5551
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331771
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 00:05:27 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
17 of 36 (47.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwepfmvwtg7mf3fqqcw6fnfmi4dphh7zbrkh2khqtsr6hdqatbra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
045b514767dbbe5c411284ea83b2d47b62b1f7a258f866871bfebc14667ef5e6
RemcosRAT
079e819a42c6ded2c872ce15d09763f567230fbe5562f20ea27ec61082f85a4f
RemcosRAT
0c3bffacf3e541cfdd0b5552e048c57d313252709926031f1d4672717f9beae3
RemcosRAT
144750d91bdca21697d15f3dd12845497d62715c6c7251b033d039802795cbda
RemcosRAT
43ad88d4b9b62ac29d1872243f482198d5771dadf38903b63ba51bc344a871a5
RemcosRAT
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
RemcosRAT
7132f9426f3bbadaedd15c39968640ffc5ad207b3c8f450d642174e2942f09d7
RemcosRAT
a9acac2bc60cd65b24257dcd59cba1f79a5d8ebe6b68cffef12968038acd2675
RemcosRAT
d4c96c493952ab9601201dc7875a664148107c06a5481ae53414037fc1edccda
RemcosRAT
e4cc72594a2b6c9d6de1c6b7e67353c98f208a0fe495b5922105728b04ecdbe9
RemcosRAT
+ 3'074 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost persistence rat
Link:
https://tria.ge/reports/231025-kr6pxsfd85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
45.95.169.117:2404
Unpacked files
SH256 hash:
0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862
MD5 hash:
e7439df74daf9b6f206782e355c3cbc6
SHA1 hash:
6c2535d6e8c41aefc0843a1d415fef95f44a5d02
Link:
https://www.unpac.me/results/1b38583e-29ef-4305-a506-5fe6df413669/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d88f2b2b699/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 0d88f2b2b699bec2ecb080ade2b4ac4706f39ff90c547d28f09ca3e38e009862

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/456202/

Comments