MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bf8fe42f591b6bd6090306f9ca6e3d6b02a2cc86255d526619ca53a533006be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bf8fe42f591b6bd6090306f9ca6e3d6b02a2cc86255d526619ca53a533006be
SHA3-384 hash: b591e478e45ec3be841df41a7477df9cd00376c1c4a029b185946de7bb061d23cd0e55d8c3079a2e6797bca3ae6a3b62
SHA1 hash: 05a5752179ba168918bbb5064a7b8ac4be896bf5
MD5 hash: 5e0d9e53c18650de88b46620369aa7de
humanhash: ack-nuts-robert-river
File name:bcv334d.ru_2___outputC1AB25Fpp.exe.malw
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:579'784 bytes
First seen:2020-03-20 22:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 33bd19c9f0277975aadb35ea4599b374 (1 x GuLoader, 1 x GandCrab, 1 x AZORult)
ssdeep 12288:d4p+j5eVmyAw6Ey03PVmhK92j2uiU95+B2lNcAhY8TDYl3C9bJddVlIQYIl+5rkk:NmCsyxXYiAft0L4E8sg2g
Threatray 1'173 similar samples on MalwareBazaar
TLSH 2CC42B9D4EB7CC86C8002AF51F5B50B00EAA4715A8C9D6B32DDB925C5FD4D260F8F26B
Reporter ov3rflow1
Tags:malw RemcosRAT

Code Signing Certificate

Organisation:Karamata cloud safe software
Issuer:Karamata cloud safe software
Algorithm:sha256WithRSAEncryption
Valid from:Mar 2 20:09:33 2019 GMT
Valid to:Mar 1 20:09:33 2022 GMT
Serial number: 01
Intelligence: 367 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7665D8CE4CC4832FA368F78A2617CA6DC163307822C5A05E3FE7FB8561B3A08F
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Trojan.VBGeneric-6876508-0
Create hunting rule

Win.Malware.Razy-6877732-0
Create hunting rule

Win.Malware.Barys-6954348-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2019-03-03 11:24:56 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
38 of 45 (84.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
19456465374c8499aa429b73283338bd7e5c8e162041e8dd7b43ce826d9265e4
RemcosRAT
2b554ef8cede0aaf90b2eba967599dede6795344ae5c7e876e5c3a5776894a16
RemcosRAT
2bce8926e878a8464f8c19ffe1ac202e02331ed4f9983aa0b6e55a24e87da7b6
RemcosRAT
2cabc6f640a674f2b2d3d2aec9a6c159dfde1b6d9c4111532e78b06d89fd8fc6
RemcosRAT
359ac8bb415a9af23c0ff8b6e39a868d32db5ad817cd7e577c85ab665709e634
RemcosRAT
4b5a4437b8b7bab10cfb32c06b5241f92b3a2e2861f56190b8b17a7028ec64c8
RemcosRAT
68d55bb83fc84194699a46de541bb94ff55b7c01aa9816c50bbca8f37930afb8
RemcosRAT
9d389c6cec94ab389a487a450ce3c2773978eda015fcfc09c9bf1d0370b84ff9
RemcosRAT
a93a71cdc90f1ab2f2c80db6f0c55b95f43bad13faff06c89f2c728cab630773
RemcosRAT
cbeec64cdd31f94e46005a27c264248f12a22102d6e8b9f4187e92fedb2db373
RemcosRAT
+ 1'163 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bf8fe42f591b6bd6090306f9ca6e3d6b02a2cc86255d526619ca53a533006be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/150198/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef

Comments