MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6
SHA3-384 hash: 99e4a0e40a5115caee1e203dc4bf53b0a8d98883ec538a8b2c25e4c2d80165ff8520f4284159acfeb020689731216447
SHA1 hash: 4d828d9c4769120ac27c731c45108d08a0d16ac0
MD5 hash: 50f531fe31615d5d747c21aa22f4d210
humanhash: lactose-vegan-enemy-august
File name:Контракт № OX-SOC_150923_FOB.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:894'930 bytes
First seen:2023-09-21 09:46:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 24576:eq7JcjVu4BjZQOwqR259WgEKqZpdmlKq99NDpKGN/VcUNG:V7ubWG+9VLqZvqWGNNNG
Threatray 2'954 similar samples on MalwareBazaar
TLSH T1AA15238862E1D516D8503333D6D68BF986199DC3FA2B6B4B3391BE2A3CF34525E1C325
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Контракт № OX-SOC_150923_FOB.exe
Verdict:
Malicious activity
Analysis date:
2023-09-21 09:47:14 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/3dd912b4-0b5e-4537-8978-42d69c7cb138

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450313/
Detection(s):
SecuriteInfo.com.Trojan.Multi.Generic.4c.11520.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Delayed reading of the file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/650c111833582f234efe43c7/reports/651a2dd9-2d1d-453a-8d87-e842c02eacf8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3431f43a-0df6-4756-8015-6b0af95ea386
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312158
Signature
Contains functionality to modify clipboard data
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1312158 Sample: #U041a#U043e#U043d#U0442#U0... Startdate: 21/09/2023 Architecture: WINDOWS Score: 100 36 whirlwindprojects.com 2->36 38 ourt2949aslumes9.duckdns.org 2->38 40 geoplugin.net 2->40 54 Snort IDS alert for network traffic 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 6 other signatures 2->60 8 #U041a#U043e#U043d#U0442#U0440#U0430#U043a#U0442_#U2116_OX-SOC_150923_FOB.exe 2 36 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\System.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\BgImage.dll, PE32 8->30 dropped 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->62 64 Writes to foreign memory regions 8->64 66 Tries to detect Any.run 8->66 68 Maps a DLL or memory area into another process 8->68 12 wab.exe 4 17 8->12         started        signatures6 process7 dnsIp8 42 whirlwindprojects.com 146.88.26.238, 50021, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 12->42 44 94.156.6.253, 2402, 50022, 50023 NET1-ASBG Bulgaria 12->44 46 geoplugin.net 178.237.33.50, 50024, 80 ATOM86-ASATOM86NL Netherlands 12->46 32 C:\Users\user\AppData\Roaming\paqlgkfs.dat, data 12->32 dropped 34 C:\Users\user\AppData\Local\...\Sigmation.exe, PE32 12->34 dropped 70 Tries to detect Any.run 12->70 72 Maps a DLL or memory area into another process 12->72 74 Installs a global keyboard hook 12->74 17 wab.exe 1 12->17         started        20 wab.exe 1 12->20         started        22 wab.exe 2 12->22         started        24 3 other processes 12->24 file9 signatures10 process11 signatures12 48 Tries to steal Instant Messenger accounts or passwords 17->48 50 Tries to harvest and steal browser information (history, passwords, etc) 17->50 52 Tries to steal Mail credentials (via file / registry access) 20->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 08:28:45 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 35 (60.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxpepueql22ev4x6pm3ajsem5mlqxf3tcjzq3k6rpkln4yikgo3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
456f09b71ed09cbc590f6a3b8d5aacc7f0fb94521d8b19b80d2a201e5f73b5a0
RemcosRAT
4a30f84c5fc555603a11244bf58e1a01bacfc09047068f942d48d674a1375c6d
RemcosRAT
67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66
RemcosRAT
75b6aa1e75a213e7d4184249f86f3b8c4770ea2443ae77e7e6c4f499636b6f71
RemcosRAT
a7fb5c3347daf214fbdbec78aeb30ca90c09726b6aa7cfb929a563ada0d49d7f
RemcosRAT
b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f
RemcosRAT
b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f
RemcosRAT
bad6dc695ec91155fbf548d43e3039c1b694db28c1a713b81ecc2d59674635cb
RemcosRAT
f34af4e240968da5243075917a094299d81806908f1eccec9ef7aeb6ebbbb21a
RemcosRAT
fc38656ef9f0487f431fc7e32fd39213ebeefc9ca0728fe04d160cce657d5af4
RemcosRAT
+ 2'944 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:crypted downloader persistence rat
Link:
https://tria.ge/reports/230921-lr7gwsfb9t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
ourt2949aslumes9.duckdns.org:2401
Unpacked files
SH256 hash:
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
MD5 hash:
0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 hash:
48df0911f0484cbe2a8cdd5362140b63c41ee457
Link:
https://www.unpac.me/results/2a6d1402-59c5-4324-baef-1670f95a9c20/
SH256 hash:
e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04
MD5 hash:
487368e6fce9ab9c5ea053af0990c5ef
SHA1 hash:
b538e37c87d4b9a7645dcbbd9e93025a31849702
Link:
https://www.unpac.me/results/2a6d1402-59c5-4324-baef-1670f95a9c20/
SH256 hash:
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
MD5 hash:
466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 hash:
eb607467009074278e4bd50c7eab400e95ae48f7
Link:
https://www.unpac.me/results/2a6d1402-59c5-4324-baef-1670f95a9c20/
SH256 hash:
0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6
MD5 hash:
50f531fe31615d5d747c21aa22f4d210
SHA1 hash:
4d828d9c4769120ac27c731c45108d08a0d16ac0
Link:
https://www.unpac.me/results/2a6d1402-59c5-4324-baef-1670f95a9c20/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0dde47d0905e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 0dde47d0905eb44af2fe7b3604c88ceb170b977312730dabd17a96de610a33b6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450313/

Comments