MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c
SHA3-384 hash: 962504e95bd93baad0db77a4d30b77823fbc0f9e73193e2a5c7a352fed82c701d5c7559c8c34b13b67a39928be2d22e4
SHA1 hash: 6122f5fffddc117ac0752c8a17bd0b9ea719896f
MD5 hash: a505050bc75cf9d86c154176a6b16df4
humanhash: massachusetts-snake-bakerloo-queen
File name:docx.com
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:77'824 bytes
First seen:2021-09-02 02:16:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 321182e3fe2937818b2cc8676e868078 (1 x RemcosRAT)
ssdeep 1536:tBy7DdGX6wQOdThiZbQ57eo6miyAYHeWgjig:tkxI7Jae7riCG
Threatray 4'887 similar samples on MalwareBazaar
TLSH T144738D3664DC867DE7CCE6390C5EB968C25A7D5D04010E13A09FAD6FB9F12C92CA27E4
dhash icon a60cac8c9c8ceca0 (1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
docx.com
Verdict:
No threats detected
Analysis date:
2021-09-02 02:20:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24e1f7cd-dbca-42e6-9601-7bee91d1aced

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184631/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Setting a single autorun event
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/19cfc223-5a63-4fa4-a462-1c8af8122ff1
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843745
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476176 Sample: docx.com Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 6 other signatures 2->63 10 docx.exe 1 2 2->10         started        13 Dguiter.exe 2 2->13         started        15 Dguiter.exe 2 2->15         started        process3 signatures4 77 Creates autostart registry keys with suspicious values (likely registry only malware) 10->77 79 Creates multiple autostart registry keys 10->79 81 Tries to detect Any.run 10->81 83 Tries to detect virtualization through RDTSC time measurements 10->83 17 docx.exe 4 14 10->17         started        85 Hides threads from debuggers 13->85 22 Dguiter.exe 7 13->22         started        24 Dguiter.exe 7 15->24         started        process5 dnsIp6 49 samyangfoodx.com 89.45.67.50, 49707, 49723, 49724 BELCLOUDBG Netherlands 17->49 39 C:\Users\user\AppData\Roaming\...\Dguiter.exe, PE32 17->39 dropped 41 C:\Users\user\...\Dguiter.exe:Zone.Identifier, ASCII 17->41 dropped 43 C:\Users\user\AppData\Local\...\install.vbs, data 17->43 dropped 65 Creates multiple autostart registry keys 17->65 67 Tries to detect Any.run 17->67 69 Hides threads from debuggers 17->69 26 wscript.exe 1 17->26         started        45 C:\Users\user\AppData\Local\...\Mirjanas3.vbs, ASCII 22->45 dropped 47 C:\Users\user\AppData\Local\...\Mirjanas3.exe, PE32 22->47 dropped file7 signatures8 process9 process10 28 cmd.exe 1 26->28         started        process11 30 Dguiter.exe 2 28->30         started        33 conhost.exe 28->33         started        signatures12 87 Tries to detect Any.run 30->87 89 Tries to detect virtualization through RDTSC time measurements 30->89 91 Hides threads from debuggers 30->91 35 Dguiter.exe 2 10 30->35         started        process13 dnsIp14 51 samyangfoodx.com 35->51 53 185.215.113.102, 2404, 49725, 49729 WHOLESALECONNECTIONSNL Portugal 35->53 55 192.168.2.1 unknown unknown 35->55 71 Tries to detect Any.run 35->71 73 Hides threads from debuggers 35->73 75 Installs a global keyboard hook 35->75 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 02:17:07 UTC
AV detection:
4 of 44 (9.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxbbwywkrmyuafu62vhnax3teryj7ergnkb2mbkwuzpjqm52gu6a._file
Verdict:
suspicious
Similar samples:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
RemcosRAT
250d4d5045162c39e3c1b9d637e0188089299a04106202afdf1f4826d24e27f4
RemcosRAT
37fba5e93049ee78ac1fdf1fafe945636680193ddcb1dc9533f2c9ac80d3744c
RemcosRAT
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
RemcosRAT
49de4524bd749523e1a8239eb6edecc62605ef2ed40852306795b839dec39270
RemcosRAT
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
RemcosRAT
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
RemcosRAT
a9c312936a88ac3629aa8fb5c4d6b5fe5fcad17319b825bf4b383fd807cb3f51
RemcosRAT
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
RemcosRAT
+ 4'877 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210902-59bscnqctx/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/b23a38d0-749e-4eee-b96e-543fbf1cbac0/
SH256 hash:
0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c
MD5 hash:
a505050bc75cf9d86c154176a6b16df4
SHA1 hash:
6122f5fffddc117ac0752c8a17bd0b9ea719896f
Link:
https://www.unpac.me/results/b23a38d0-749e-4eee-b96e-543fbf1cbac0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 0dc21b62ca8b3140169ed54ed05f7324709f92266a83a60556a65e9833ba353c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184631/

Comments