MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
SHA3-384 hash:	ac3b246602e08c6d75389cc693a69db22033889092a8e94f4f2654e675e824a9839be620b8072b13108936a06cd42055
SHA1 hash:	86d0019ff312c12ceb84587ed9bfa46db495e67a
MD5 hash:	787cbb388c2388d8911e406f8b5060b6
humanhash:	oven-colorado-nitrogen-hot
File name:	787cbb388c2388d8911e406f8b5060b6.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	184'320 bytes
First seen:	2021-03-07 07:14:19 UTC
Last seen:	2021-03-07 08:48:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	172cbafb22ccddc8b184c7734ac21918 (2 x RemcosRAT)
ssdeep	1536:+Hb3bLzlwucsB2UT2MT8GMGj0MYwGheh:Ejz2kT2GPh
Threatray	307 similar samples on MalwareBazaar
TLSH	DB041954F958749FFDC281711CB2CAA5288C3D3255448DCFB284BB5F2C72AC365BAA27
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

EN201201775.xlsx

Verdict:

Malicious activity

Analysis date:

2021-03-04 04:38:01 UTC

Tags:

exploit CVE-2017-11882 trojan guloader loader rat remcos keylogger

Link:

https://app.any.run/tasks/59def439-f271-4fc2-be97-a7957c10c8e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/122668/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45832969.10284.27900.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

DNS request

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/630655

Signature

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65/

Threat name:

Win32.Trojan.Vebzenpak

Status:

Malicious

First seen:

2021-03-05 01:08:50 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iffbikkkhsegcpyuqctj7igxz467xob65xk66cwmhljz63qb5zsq._file

Verdict:

malicious

Label(s):

guloader

RemcosRAT

11f06223417d6045acaa15cf7f5515d9afdfc23590c9cd021c2ae90a736bb6cd

RemcosRAT

21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978

RemcosRAT

411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3

RemcosRAT

43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb

RemcosRAT

6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6

RemcosRAT

7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd

RemcosRAT

92f656d44d38fbc5e7964e36634bf95d18e157228624d1b38ea933633579ddc4

RemcosRAT

a6f46c55982462a48a9fa43feb02b514df87a97b06a1ee073c57ae132cc1bec7

RemcosRAT

b7d74de8e9514ca3fbfa4676be4433069bc913f86953a79d40c6272d5077242c

RemcosRAT

+ 297 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210307-vg2c53kyve/

Behaviour

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Remcos

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/30924ad9-2c1b-43a7-bb10-9f4d1d37eb1e/

SH256 hash:

414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65

MD5 hash:

787cbb388c2388d8911e406f8b5060b6

SHA1 hash:

86d0019ff312c12ceb84587ed9bfa46db495e67a

Link:

https://www.unpac.me/results/30924ad9-2c1b-43a7-bb10-9f4d1d37eb1e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

GuLoader

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	unixredflags2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

URLhaus

https://urlhaus.abuse.ch/url/1029475/

Cape

https://www.capesandbox.com/analysis/122668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample