MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2
SHA3-384 hash:	e8efc1de759d2d559e3030dca751c234325dd2698951315f78dae23af680caa289641009db32f969d1a80a6ea83b6dcc
SHA1 hash:	98d5a3cc84b2342ad2cdc1edefb7b8ea353580c6
MD5 hash:	b3cbfb4b45563e3dc2cbfa9e9a5676da
humanhash:	cardinal-emma-red-oven
File name:	b3cbfb4b45563e3dc2cbfa9e9a5676da
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	126'976 bytes
First seen:	2021-08-24 06:35:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c65aff2bab39ef464a2bad0c06b18bd1 (7 x RemcosRAT)
ssdeep	3072:arwB82p7vxmvmYXXnsJnpDP7hrUQV3oD:arwBLp7vxmuYXXnsJnp+QVY
Threatray	4'764 similar samples on MalwareBazaar
TLSH	T1ADC3C8E2A7611824D3B52C70A8B7ADD15715AF114DC3173F21DFDAAF29E0B86A0C335A
dhash icon	4df8862a6a950052 (2 x RemcosRAT)
Reporter	zbetcheckin
Tags:	32 exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b3cbfb4b45563e3dc2cbfa9e9a5676da

Verdict:

No threats detected

Analysis date:

2021-08-24 06:38:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2e17040c-65e1-4104-88d7-d50353d306c0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/181753/

Detection(s):

SecuriteInfo.com.Variant.Razy.913027.25206.29074.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b32b2e7f-c286-4b65-b46a-ba2a9dcdaaeb

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/838023

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

GuLoader behavior detected

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-08-24 04:43:18 UTC

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=igvxf6oodzspk2ictwft7dbp35ua7n2rco4nori3zdmyrtk7npja._file

Verdict:

malicious

Label(s):

remcos

cloudeye

RemcosRAT

7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9

RemcosRAT

b9b1a3245f7aa2f9fadc4cff8343866030a63f297167df00ca0aa4284f453be1

RemcosRAT

d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

RemcosRAT

d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc

RemcosRAT

d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701

RemcosRAT

de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e

RemcosRAT

dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

RemcosRAT

+ 4'754 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos downloader rat

Link:

https://tria.ge/reports/210824-pg2wdknzbe/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Remcos

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/9aef9452-b526-4465-95ff-3e2265218fc4/

SH256 hash:

41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2

MD5 hash:

b3cbfb4b45563e3dc2cbfa9e9a5676da

SHA1 hash:

98d5a3cc84b2342ad2cdc1edefb7b8ea353580c6

Link:

https://www.unpac.me/results/9aef9452-b526-4465-95ff-3e2265218fc4/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/41ab72f9ce1e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

exe 41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/181753/

URLhaus

https://urlhaus.abuse.ch/url/1559397/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample