MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
SHA3-384 hash: 39396d2447e7db87472e36e1fadee4b195b90ccde286b0a18b638e0b35b370974c644ce744e806a12f5a6af4ffaec440
SHA1 hash: d60f44452664f2f82cdd5c023795589611977446
MD5 hash: 051bd135f8be9f0dd2ef45a9918441f8
humanhash: uncle-vegan-hawaii-nitrogen
File name:z43ISFFORMHBLDRAFTTHBL53164US7272Coscoline.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:647'283 bytes
First seen:2024-05-09 15:14:51 UTC
Last seen:2024-05-10 07:55:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:L2KmM4kx4NDiGYaasscxBh9GvLj8y3u8DehE3S/0kBrs4CGLx4:L2KU5tauxSLj8y3RKhGbkBN9Lm
Threatray 1'495 similar samples on MalwareBazaar
TLSH T1D5D4F1113BEBD87BCAE84FF02E22C16D46955C093844DA5677B02F2F36EF153A999D02
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon bcf4fcbeccd4e47c (1 x RemcosRAT, 1 x GuLoader)
Reporter FXOLabs
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
I-046-24 Service Plaza Sencor.exe
Verdict:
Malicious activity
Analysis date:
2024-05-09 10:35:12 UTC
Tags:
rat remcos evasion keylogger stealer
Link:
https://app.any.run/tasks/a849f73c-309d-4317-bcb9-8a20599e3fbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PowerShell.Siggen.2046.9437.32.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the Windows subdirectories
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/663ce877a2d36d9500f3aeb9/reports/2119ff8b-ac54-4af7-9c32-40b1e5c412dd/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dd466cb-c8dc-40fd-96a6-812ba13ff476
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439015
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439015 Sample: z43ISFFORMHBLDRAFTTHBL53164... Startdate: 09/05/2024 Architecture: WINDOWS Score: 100 48 trgrgfo45fgsozj01.duckdns.org 2->48 50 leirfo45ozj02.duckdns.org 2->50 52 3 other IPs or domains 2->52 60 Snort IDS alert for network traffic 2->60 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 68 11 other signatures 2->68 10 z43ISFFORMHBLDRAFTTHBL53164US7272Coscoline.exe 6 81 2->10         started        signatures3 66 Uses dynamic DNS services 50->66 process4 file5 42 C:\Users\user\AppData\Local\...\Bifilar.For, ASCII 10->42 dropped 44 C:\Users\user\AppData\Local\...\Mullahism.cir, COM 10->44 dropped 74 Suspicious powershell command line found 10->74 14 powershell.exe 20 10->14         started        signatures6 process7 file8 46 z43ISFFORMHBLDRAFT...US7272Coscoline.exe, PE32 14->46 dropped 82 Obfuscated command line found 14->82 84 Writes to foreign memory regions 14->84 86 Found suspicious powershell code related to unpacking or dynamic code loading 14->86 88 Powershell drops PE file 14->88 18 wab.exe 5 15 14->18         started        23 conhost.exe 14->23         started        25 cmd.exe 1 14->25         started        signatures9 process10 dnsIp11 54 leirfo45ozj01.duckdns.org 193.222.96.21, 29871, 49738, 49739 SWISSCOMSwisscomSwitzerlandLtdCH Germany 18->54 56 enelltd.top 172.67.215.46, 443, 49736 CLOUDFLARENETUS United States 18->56 58 geoplugin.net 178.237.33.50, 49740, 80 ATOM86-ASATOM86NL Netherlands 18->58 40 C:\Users\user\AppData\Roaming\klpierms.dat, data 18->40 dropped 70 Maps a DLL or memory area into another process 18->70 72 Installs a global keyboard hook 18->72 27 wab.exe 1 18->27         started        30 wab.exe 1 18->30         started        32 wab.exe 14 18->32         started        34 2 other processes 18->34 file12 signatures13 process14 signatures15 76 Tries to steal Instant Messenger accounts or passwords 27->76 78 Tries to harvest and steal browser information (history, passwords, etc) 27->78 80 Tries to steal Mail credentials (via file / registry access) 30->80 36 conhost.exe 34->36         started        38 reg.exe 1 1 34->38         started        process16
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-05-09 09:23:38 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ef3tz2scuv676enal4a6vfhur7cfpby3cefecdsmznawutrumiuq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2c6881e7cdd40a5dd6013fd96a8c75c67b912c43ea37140bd5cc06ee1cfb67d9
RemcosRAT
39904c5d67aebdeb68b5bc799559dda7fe7bd9db166fd8dc72e7e4c0ce5d6491
RemcosRAT
45ac73d11f8cb8a73d16050ce7e8c0f6f3a531c03b7e3c148be2926175cfc9e9
RemcosRAT
66c25b056feae73374a9cb4db0469c94d0a1d2d91cfe09cad1e890e72d5bfb70
RemcosRAT
71a0db97867945fa69250aa55e3d997aaf11f5e401db8e59c87e7937e36343f0
RemcosRAT
8081e0bda5a4d7cf536969b1a62ec3d550d1f806e189ee4a6eb14524b4eb9c64
RemcosRAT
a731a3484aa2cde6c16d273b0838b664de71e45c498d6412dca328b457873248
RemcosRAT
bd20db8cb3f5922cc0d0463f4183731c765db8ce00c3b5390529ea6a806dd946
RemcosRAT
d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418
RemcosRAT
e3c50af5dfca67fd9af9530c801ef172bde856241cf6b2c8596421b9a7ae8882
RemcosRAT
+ 1'485 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader execution persistence
Link:
https://tria.ge/reports/240509-smwcdsbc92/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Guloader,Cloudeye
Unpacked files
SH256 hash:
21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229
MD5 hash:
051bd135f8be9f0dd2ef45a9918441f8
SHA1 hash:
d60f44452664f2f82cdd5c023795589611977446
Link:
https://www.unpac.me/results/2fdce4b8-7b16-459f-a710-7bdf619b5161/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/21773cea42a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 21773cea42a57dff11a05f01ea94f48fc457871b110a410e4ccb416a4e346229

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments