MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b
SHA3-384 hash: d5a9ae9f53e7dd378e5d82cb9ea6ddf9559de65d4c30d90078d6fea0967b31cb5b8b0c79bb31f0b7c37d42b92fd19d46
SHA1 hash: c1a1601ce429cf7cb2d4c255325bf408fe69b1d5
MD5 hash: 6aa873ee68b60704e3d00f5c885a90f7
humanhash: wolfram-zebra-vegan-carpet
File name:SecuriteInfo.com.__vbaHresultCheckObj.9138.5973
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:110'592 bytes
First seen:2021-06-07 18:38:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20511f60b3c62ae145d60c4c066b22a5 (3 x GuLoader, 1 x RemcosRAT)
ssdeep 3072:68n1eqngtFaxWqEfGBpQ2JyB92mTZP9dsWtnHlvXzyoyZlGLwh/9Gco:6XFaxWqEfGBpQ2JyB92mTZP9dsSno/9J
Threatray 1'771 similar samples on MalwareBazaar
TLSH 1DB3F793EE261D38CC892DF07467F9612326FC11051B1A2F3148DBFD6BA2A63B55970B
Reporter SecuriteInfoCom
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HNM.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 12:27:59 UTC
Tags:
trojan opendir
Link:
https://app.any.run/tasks/4cace54c-8a8a-4125-b1fa-188d88ac8a5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165086/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.9138.5973.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798306
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430702 Sample: SecuriteInfo.com.__vbaHresu... Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 10 SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 2 2->10         started        13 win.exe 1 2->13         started        15 win.exe 1 2->15         started        process3 signatures4 67 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->67 69 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->69 71 Tries to detect Any.run 10->71 73 Tries to detect virtualization through RDTSC time measurements 10->73 17 SecuriteInfo.com.__vbaHresultCheckObj.9138.exe 4 10 10->17         started        75 Hides threads from debuggers 13->75 22 win.exe 6 13->22         started        24 win.exe 6 15->24         started        process5 dnsIp6 45 ztechinternational.com 192.185.113.219, 49715, 49718, 49720 UNIFIEDLAYER-AS-1US United States 17->45 39 C:\Users\user\AppData\Roaming\win.exe, PE32 17->39 dropped 41 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 17->41 dropped 43 C:\Users\user\AppData\Local\...\install.vbs, data 17->43 dropped 59 Tries to detect Any.run 17->59 61 Hides threads from debuggers 17->61 26 wscript.exe 1 17->26         started        file7 signatures8 process9 process10 28 cmd.exe 1 26->28         started        process11 30 win.exe 1 28->30         started        33 conhost.exe 28->33         started        signatures12 77 Multi AV Scanner detection for dropped file 30->77 79 Contains functionality to detect hardware virtualization (CPUID execution measurement) 30->79 81 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 30->81 83 3 other signatures 30->83 35 win.exe 2 7 30->35         started        process13 dnsIp14 47 gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu 188.72.110.19, 2177 TRABIAMD Netherlands 35->47 49 ztechinternational.com 35->49 63 Tries to detect Any.run 35->63 65 Hides threads from debuggers 35->65 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 13:29:33 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=glonxlect4nwmb6blakirjwpsvkb7otin5pydqr3typhs5q2s4nq._file
Verdict:
suspicious
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
RemcosRAT
2131f107d3c701344f650d0413fa83ee2112247d3f2bcff2c5ab6c2de5932f88
RemcosRAT
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
RemcosRAT
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
RemcosRAT
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
RemcosRAT
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
RemcosRAT
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
RemcosRAT
6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725
RemcosRAT
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RemcosRAT
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
RemcosRAT
+ 1'761 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:ose_2021 persistence rat
Link:
https://tria.ge/reports/210607-2b6e2a1fwn/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
gsyagvxnzmkoplbhduisbagtevcnxmzlopljdgye.ydns.eu:2177
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/a913bc47-70cd-44a3-873e-492578e330ef/
SH256 hash:
32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b
MD5 hash:
6aa873ee68b60704e3d00f5c885a90f7
SHA1 hash:
c1a1601ce429cf7cb2d4c255325bf408fe69b1d5
Link:
https://www.unpac.me/results/a913bc47-70cd-44a3-873e-492578e330ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 32dcdbac829f1b6607c1581488a6cf95541fba686f5f81c23b9e1e79761a971b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1336708/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165086/

Comments