MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fc33c19e24de2eeba58617b70f2a383907fe334ecfbf21f3c5b423a31d66170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 11



SHA256 hash: 1fc33c19e24de2eeba58617b70f2a383907fe334ecfbf21f3c5b423a31d66170
SHA3-384 hash: 904a53d3374a3bc2ce4676f29ef402102242417c75cf7a29a7640ecadf63315f36a6084958b35a5d0a48e2f492f5c6f1
SHA1 hash: b32933c8c66b44e30994e89671b38f8943b85755
MD5 hash: b84ffd21f06c979629dc0fc025187b3e
humanhash: harry-harry-seven-utah
File name: Shipment Document (BL,INV and PL)...exe
Signature: RemcosRAT
File size: 241'328 bytes
First seen: 2022-03-17 08:16:17 UTC
Last seen: 2022-03-17 09:51:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 3072:bbG7N2kDTHUpouY1rtp6MXXvTxIYOe1qRdPKa9cW1JvBq/NaQb1PqDhRBGh4WhWF:bbE/HUA1rt3dOcaa+U1ylG6WhW+BbfOD
Threatray: 10'049 similar samples on MalwareBazaar
TLSH: T10D3401613720C86BD9B24735CCBC89F79AEAAE21D8E62E0743517F0C7C357A15C0DA26
dhash icon: 0088a2f4f0a60d30 (2 x RemcosRAT)
Reporter: abuse_ch
Tags: exe RAT RemcosRAT


abuse_ch
RemcosRAT C2:
194.5.98.213:3737

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
194.5.98.213:3737    https://threatfox.abuse.ch/ioc/396077/

Intelligence


File Origin
# of uploads: 2
# of downloads: 294
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Shipment Document (BL,INV and PL)...exe
Verdict: Malicious activity
Analysis date: 2022-03-17 08:19:29 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader Remcos
Detection: malicious
Classification: troj.evad.phis.spyw
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph ID: 591012
Sample: Shipment Document (BL,INV a...
Startdate: 17/03/2022
Architecture: WINDOWS
Score: 100
Network contacts recovered from the graph:
umuoji.hopto.org (194.5.98.213, ports 2405, 3737, 49752; DANILENKODE, Netherlands) - contacted by the second-stage Shipment Document (BL,INV and PL)...exe process
cdn.discordapp.com (162.159.133.233, ports 443, 49751; CLOUDFLARENETUS, United States) - contacted by the second-stage Shipment Document (BL,INV and PL)...exe process
rbfoods.us (164.92.77.235, ports 49750, 80; ASN-DPSDUS, United States) - contacted by the second-stage Shipment Document (BL,INV and PL)...exe process
162.159.130.233 (ports 443, 49757, 49770; CLOUDFLARENETUS, United States) - contacted by the second-stage tony.exe process
2 other IPs or domains
Process chain recovered from the graph:
Shipment Document (BL,INV and PL)...exe -> Shipment Document (BL,INV and PL)...exe -> tony.exe -> tony.exe -> tony.exe (three child instances)
wscript.exe -> scrunchy.exe -> scrunchy.exe
wscript.exe -> Irrorate5.exe -> Irrorate5.exe
Dropped files recovered from the graph:
C:\Users\user\AppData\Local\...\System.dll, PE32
C:\Users\user\...\gtk-query-immodules-2.0.exe, PE32
C:\Users\user\AppData\Local\...\7-zip32.dll, PE32
C:\Users\user\AppData\Local\Temp\tony.exe, PE32
C:\Users\user\AppData\Local\...\scrunchy.exe, PE32
C:\Users\user\AppData\Local\...\scrunchy.vbs, ASCII
C:\Users\user\AppData\Local\...\Irrorate5.exe, PE32
C:\Users\user\AppData\Local\...\Irrorate5.vbs, ASCII
Per-process signatures in the graph (autostart registry keys, Any.run detection, hiding threads from debuggers, unpacking, mail/browser/IM credential theft, global keyboard hook, PE injection into a foreign process) correspond to the Signature list above; the credential-theft and keyboard-hook signatures attach to the tony.exe processes, the Any.run detection and debugger-hiding signatures to every stage.
Threat name: Win32.Trojan.RemcosRAT
Status: Malicious
First seen: 2022-03-17 09:13:42 UTC
AV detection: 16 of 27 (59.26%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:guloader family:remcos botnet:itenze downloader persistence rat
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Guloader, Cloudeye
Remcos
Malware Config
C2 Extraction: umuoji.hopto.org:2405
Unpacked files
SHA256 hash: 1fc33c19e24de2eeba58617b70f2a383907fe334ecfbf21f3c5b423a31d66170
MD5 hash: b84ffd21f06c979629dc0fc025187b3e
SHA1 hash: b32933c8c66b44e30994e89671b38f8943b85755
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments