MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8
SHA3-384 hash: b77bbfc7cc577095f6ad0d2d513ce3daf9a48bbce915be9bc94472d76b19ee790b7c468fd1aafe1fff04231ee4db6743
SHA1 hash: 9014ca3ec897b1d4c55b3cb1554906abbce05d09
MD5 hash: 4a9d70d327e6849dcbc9f62bad537a71
humanhash: lima-massachusetts-fifteen-thirteen
File name:PO 21571345240826.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:200'440 bytes
First seen:2023-04-04 07:21:53 UTC
Last seen:2023-04-05 09:22:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:CRlWoK3iFGHuWDePaTBEF1weioG6rnXxmHm:6+yDmBEF2exjnXxmG
Threatray 529 similar samples on MalwareBazaar
TLSH T1D814021151F0D077ECA64EB11FB5AEB6EDBAB6042865660F1724A78C7D33382631C3AD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-25T00:32:58Z
Valid to:2026-02-24T00:32:58Z
Serial number: 7915492ce1a07b20b076f9214290d268f6b2389c
Thumbprint Algorithm:SHA256
Thumbprint: 88c8a42a32b19cfb762b0f80d443c73194e676b2b0fa3e555568484b04ebb140
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
PO 21571345240826.exe
Verdict:
Malicious activity
Analysis date:
2023-04-04 07:24:24 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/b10fab3d-a3ce-4778-9bf1-accb4c6cad98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379904/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1361137.5416.17570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a file in the %temp% subdirectories
Delayed reading of the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76458/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642bd01c35c10d8aaf289468/reports/234a27f1-090b-4adf-84cf-584a1c555889/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1361137
Link:
https://www.hybrid-analysis.com/sample/3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7cfcf57b-93d1-4205-83cf-34d1fb253cf5
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1207816
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 840729 Sample: PO_21571345240826.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 100 31 googlehosted.l.googleusercontent.com 2->31 33 geoplugin.net 2->33 35 2 other IPs or domains 2->35 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected GuLoader 2->53 55 Yara detected Remcos RAT 2->55 57 4 other signatures 2->57 8 PO_21571345240826.exe 2 24 2->8         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\System.dll, PE32 8->27 dropped 59 Detected unpacking (changes PE section rights) 8->59 61 Tries to detect Any.run 8->61 12 PO_21571345240826.exe 3 16 8->12         started        signatures6 process7 dnsIp8 39 104.223.19.115, 2404, 49830, 49831 ASN-QUADRANET-GLOBALUS United States 12->39 41 drive.google.com 142.250.185.206, 443, 49828 GOOGLEUS United States 12->41 43 2 other IPs or domains 12->43 29 C:\ProgramData\remcos\logs.dat, data 12->29 dropped 63 Tries to detect Any.run 12->63 65 Maps a DLL or memory area into another process 12->65 67 Installs a global keyboard hook 12->67 17 PO_21571345240826.exe 1 12->17         started        20 PO_21571345240826.exe 1 12->20         started        22 PO_21571345240826.exe 1 12->22         started        24 27 other processes 12->24 file9 signatures10 process11 dnsIp12 45 Tries to steal Instant Messenger accounts or passwords 17->45 47 Tries to steal Mail credentials (via file / registry access) 17->47 37 192.168.11.1 unknown unknown 24->37 49 Tries to harvest and steal browser information (history, passwords, etc) 24->49 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-04-04 01:01:21 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2k2hvx2m3o6mexgyq7bllgw464clxnvedvfmkwy6jlbsdzneg4a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
1a0b3222046f0838c8a536e376b898b6c97cdb821aaebae4f9ed0dc9eeb23b7c
RemcosRAT
229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15
RemcosRAT
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
RemcosRAT
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
RemcosRAT
9f754a38e5364593dfbf8b8c6214d139ec94be6b85be9b2b13404429eba69212
RemcosRAT
c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
RemcosRAT
d878b96dad5b242df04a937598ce6a20027ff414f2498e7c606116843d1c74f0
RemcosRAT
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
RemcosRAT
f4716cf29a2fa3ff5650ff6a4d35a26a5a534658fe7518fdf2c08554158db841
RemcosRAT
+ 519 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost downloader rat
Link:
https://tria.ge/reports/230404-h683gsde63/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
104.223.19.115:2404
Unpacked files
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/57d60ec6-1752-4951-a4ee-8a76f1400472/
SH256 hash:
3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8
MD5 hash:
4a9d70d327e6849dcbc9f62bad537a71
SHA1 hash:
9014ca3ec897b1d4c55b3cb1554906abbce05d09
Link:
https://www.unpac.me/results/57d60ec6-1752-4951-a4ee-8a76f1400472/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e95a3d6fa66/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 3e95a3d6fa66dde612e6c43e15acd6e7b825ddb520ea562ad8f256190f2d21b8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379904/

Comments