MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277
SHA3-384 hash: 910e3a0a8f6744a42c896f539cbcc21bb251aa54ed880a736ff43670826c2edf0101f6fe917f9d1bcca63951af234191
SHA1 hash: b0e6667f0c9bd2c504cf8f932386b7f6c86371ce
MD5 hash: cfb7bb1e45e00bf507136153347bd085
humanhash: don-vegan-blue-rugby
File name:Purchasing Order - IO-2100177.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:94'208 bytes
First seen:2021-08-30 13:56:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f7c083b6cb03cef464dc06bc16741f3a (1 x RemcosRAT, 1 x NanoCore, 1 x GuLoader)
ssdeep 768:WNYYta/UWibTXX7GnSxXgW4u3g87bcccp/5YsRDObj/1uSTU9Al9qhy0ZIShOQU2:WtaRivynSmNu3LK6DRuSTasOy0ZykHV
Threatray 5'104 similar samples on MalwareBazaar
TLSH T163939D42A5415956E42982F23A7183D0B3F9FF23981ACFCD79993F0C2BB754358A439E
Reporter James_inthe_box
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchasing Order - IO-2100177.exe
Verdict:
No threats detected
Analysis date:
2021-08-30 14:02:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c33d0f9-8e03-4a70-aae2-f229ed6663f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183794/
Detection(s):
SecuriteInfo.com.Trojan.Heur.VP2.fm0@aKsZS@ni.2809.1059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Setting a single autorun event
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5cd74b4-0b21-40d8-b3c6-b5b6ed566962
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841615
Signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474050 Sample: Purchasing Order - IO-2100177.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 36 oba.hopto.org 2->36 60 Potential malicious icon found 2->60 62 Found malware configuration 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 8 other signatures 2->66 8 Purchasing Order - IO-2100177.exe 1 1 2->8         started        11 remcos.exe 1 2->11         started        13 remcos.exe 1 2->13         started        signatures3 process4 signatures5 68 Creates autostart registry keys with suspicious values (likely registry only malware) 8->68 70 Creates multiple autostart registry keys 8->70 72 Tries to detect Any.run 8->72 15 Purchasing Order - IO-2100177.exe 4 14 8->15         started        74 Multi AV Scanner detection for dropped file 11->74 76 Hides threads from debuggers 11->76 20 remcos.exe 2 10 11->20         started        22 remcos.exe 7 13->22         started        process6 dnsIp7 38 onedrive.live.com 15->38 46 2 other IPs or domains 15->46 26 C:\Users\user\AppData\Roaming\...\remcos.exe, PE32 15->26 dropped 28 C:\Users\user\...\remcos.exe:Zone.Identifier, ASCII 15->28 dropped 30 C:\Users\user\AppData\Local\...\install.vbs, data 15->30 dropped 52 Creates multiple autostart registry keys 15->52 54 Tries to detect Any.run 15->54 56 Hides threads from debuggers 15->56 24 wscript.exe 15->24         started        40 oba.hopto.org 185.244.30.240, 2405, 49726, 49727 DAVID_CRAIGGG Netherlands 20->40 42 onedrive.live.com 20->42 48 2 other IPs or domains 20->48 58 Installs a global keyboard hook 20->58 44 onedrive.live.com 22->44 50 2 other IPs or domains 22->50 32 C:\Users\user\AppData\Local\...\filename1.exe, PE32 22->32 dropped 34 C:\Users\user\AppData\Local\...\filename1.vbs, ASCII 22->34 dropped file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 08:23:52 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2
RemcosRAT
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
RemcosRAT
80815a7e6ad20eed27bf6b3112f7b735d102cfc375e40444cef9abca506ed80a
RemcosRAT
d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc
RemcosRAT
d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701
RemcosRAT
de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e
RemcosRAT
fc4e44c0b91ce5f076bab43f739c4100de70423b9e867d2f34ff265e37596bd9
RemcosRAT
+ 5'094 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:sunday downloader persistence rat
Link:
https://tria.ge/reports/210830-zzzx781q4e/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
oba.hopto.org:2405
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/328b4ae8-0aeb-4a5a-b5b7-3f03babd86bf/
SH256 hash:
354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277
MD5 hash:
cfb7bb1e45e00bf507136153347bd085
SHA1 hash:
b0e6667f0c9bd2c504cf8f932386b7f6c86371ce
Link:
https://www.unpac.me/results/328b4ae8-0aeb-4a5a-b5b7-3f03babd86bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/183794/

Comments