MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c
SHA3-384 hash: 9c05c4e703ca15a3bfd8bcc20b155331fd511e948ef543660d66b65ffb7ecab9777d32cc630205784b6619505088b34c
SHA1 hash: aa76103a1a0be6fb25d2bb603a526d4c1dcf18a3
MD5 hash: eeacb077ecd83d37391efc0658601321
humanhash: eighteen-white-wyoming-yankee
File name:RFQ 10634.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'280'328 bytes
First seen:2023-07-27 12:44:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (388 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep 24576:GWsotvzK1X/+QIu02tfbxa1x6Ug49uq/FlhcwoitCx:GWsGK1v+Qw6TxaZ9uq/FlKwRtCx
Threatray 819 similar samples on MalwareBazaar
TLSH T10D4502043D8C188ACE2B9C33305AF2B915975FAE783D5A456E24F38F26F734664A714E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70ccbeba969acc71 (3 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-19T00:21:22Z
Valid to:2026-01-18T00:21:22Z
Serial number: 3f44ece3f32e5f15ff7633be12acea69cb9d843e
Thumbprint Algorithm:SHA256
Thumbprint: bab5ac4516614246db2714bab60a20f048b183c486efa6a63f8cd074618ac28e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 10634.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-27 12:46:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03de4c9a-860f-4aad-996b-bda379c3e9c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434784/
Detection(s):
SecuriteInfo.com.Trojan.NSIS.Guloader.15233.21332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c266cf5154a489a4588d2b/reports/45ab6de3-c508-4b70-9771-927742f8c1b8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/60524fa8-78e3-4446-a098-73cc5de65217
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281150
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Found malware configuration
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1281150 Sample: RFQ_10634.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 30 geoplugin.net 2->30 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Antivirus detection for URL or domain 2->48 50 7 other signatures 2->50 8 RFQ_10634.exe 4 34 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\System.dll, PE32 8->26 dropped 52 Detected unpacking (changes PE section rights) 8->52 54 Contains functionality to modify clipboard data 8->54 56 Tries to detect Any.run 8->56 12 RFQ_10634.exe 3 15 8->12         started        signatures6 process7 dnsIp8 32 194.59.218.151, 49989, 80 FASTWEBIT Netherlands 12->32 34 155.94.185.15, 2404, 49990, 49991 ASN-QUADRANET-GLOBALUS United States 12->34 36 geoplugin.net 178.237.33.50, 49992, 80 ATOM86-ASATOM86NL Netherlands 12->36 28 C:\ProgramData\remcos\logs.dat, data 12->28 dropped 58 Tries to detect Any.run 12->58 60 Maps a DLL or memory area into another process 12->60 62 Installs a global keyboard hook 12->62 17 RFQ_10634.exe 1 12->17         started        20 RFQ_10634.exe 1 12->20         started        22 RFQ_10634.exe 1 12->22         started        24 28 other processes 12->24 file9 signatures10 process11 signatures12 38 Tries to steal Instant Messenger accounts or passwords 17->38 40 Tries to steal Mail credentials (via file / registry access) 17->40 42 Tries to harvest and steal browser information (history, passwords, etc) 24->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-07-27 09:49:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eaajhhpiicbtsfbfa5c2hxo5es5tjdlpfyp6kq7fuolbie3fcjoa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1426c1d64ca7c22ccca58c2ccd872e2ed13049c2fe25111192d6de048d9cba80
RemcosRAT
28100101069ebe8b83ff5a91f8ef75b72cb22ac66ac93b00c2f6831359f2763f
RemcosRAT
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
5a70453a6b4f6a5dfd956507dcb364fa07bd6517f87ee23ed6d703f7ec1f6599
RemcosRAT
65b9d65a82e6197a80a9214334c81d373440e12f53feb6896399647666c22792
RemcosRAT
723ff97e6559f6558c288ca693898592a21aab28c003883ca13b81667d7e3aef
RemcosRAT
ae7a2eab74a6dbeaa780094a1885f588405f0f8eda83910f14e22759d1f1b7aa
RemcosRAT
b09ed41c3a0e1a98d0035de279a32fa7e08e3eba69190b2cbf5f977301e58100
RemcosRAT
b5490460c53d27ef419898a98959bec49deb3ac3c3a8a23d63ce7dabe00af32e
RemcosRAT
f1efdace5d1171a1599ec3cdae2f3a508360d6e1c21cfb151749135ceeedc779
RemcosRAT
+ 809 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/230727-py2rrsee97/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
155.94.185.15:2404
Unpacked files
SH256 hash:
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
MD5 hash:
0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 hash:
10c51496d37cecd0e8a503a5a9bb2329d9b38116
Link:
https://www.unpac.me/results/a853c635-814d-4230-ada4-4cb262e7133c/
SH256 hash:
2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c
MD5 hash:
eeacb077ecd83d37391efc0658601321
SHA1 hash:
aa76103a1a0be6fb25d2bb603a526d4c1dcf18a3
Link:
https://www.unpac.me/results/a853c635-814d-4230-ada4-4cb262e7133c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2000939de840/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 2000939de840833914250745a3dddd24bb348d6f2e1fe543e5a396141365125c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/434784/

Comments