MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 477b9f95d01a38672655cf452657193fbd4e82a06ca769e041ad31da49a882fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 4



SHA256 hash: 477b9f95d01a38672655cf452657193fbd4e82a06ca769e041ad31da49a882fa
SHA3-384 hash: 0dde82fd4711f0cc80aa63530a926590d291677bf6bbccf28359c75165df5fea7b36b3e4233a5156012462948f3a9d3b
SHA1 hash: 5a88bebe1110c7ecfd00f03bac3261b50d641115
MD5 hash: 9b57244d14c82ad2f8f8a7e0349574c6
humanhash: oklahoma-pennsylvania-moon-north
File name: d27f99fd71b6dc0dc7fbf0e8619d9c4f.exe
Signature: RemcosRAT
File size: 126,976 bytes
First seen: 2020-03-30 01:55:11 UTC
Last seen: 2020-04-01 07:06:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5f0c90c109d16124e83cb7a25caef54f (28 x RemcosRAT, 1 x FormBook, 1 x NetWire)
ssdeep: 3072:mlh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUWa:Ch1qn3IF9Obbj/a1cpcQjeHOzqhUW
Threatray: 773 similar samples on MalwareBazaar
TLSH: 3CC3F867F20B80A3D863027156507B72EEBCBC311A5D5157E7E8D8811DF588E902AAFF
Reporter: abuse_ch
Tags: exe GuLoader nVpn RemcosRAT


abuse_ch
Payload dropped by GuLoader from the following URL:
https://onedrive.live.com/download?cid=CFD8E120D47DF1A4&resid=CFD8E120D47DF1A4%211130&authkey=AGogqJZgOxHGAfU

Intelligence


File Origin
# of uploads: 6
# of downloads: 93
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Rescoms
Status: Malicious
First seen: 2020-03-30 02:35:27 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 29 of 31 (93.55%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

879636a1ac6ab1632360efcc8a0bf9a3eb06e79ede755d9b16202c684c3f8075 (RemcosRAT)
    Executable exe 477b9f95d01a38672655cf452657193fbd4e82a06ca769e041ad31da49a882fa (this sample)

Dropped by (MD5): d27f99fd71b6dc0dc7fbf0e8619d9c4f
Dropped by (MD5): 19d3e863d5297e39678b946a2e3f0b5e
Dropped by: GuLoader
Dropped by (SHA256): 879636a1ac6ab1632360efcc8a0bf9a3eb06e79ede755d9b16202c684c3f8075
Dropped by (SHA256): 625d4c3e6fd48112880eeed6c0628aa5daed0371c9d3dfc1ce5bb8430b78c78f

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings

ID                   Title                                                     Severity
CHECK_AUTHENTICODE   Missing Authenticode                                      high
CHECK_NX             Missing Non-Executable Memory Protection                  critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection  high

Reviews

GDI_PLUS_API (Interfaces with Graphics):
  gdiplus.dll::GdiplusStartup
  gdiplus.dll::GdipGetImageEncoders
  gdiplus.dll::GdipGetImageEncodersSize
  gdiplus.dll::GdipAlloc
MULTIMEDIA_API (Can Play Multimedia):
  WINMM.dll::mciSendStringA
  WINMM.dll::mciSendStringW
  WINMM.dll::PlaySoundW
  WINMM.dll::waveInAddBuffer
  WINMM.dll::waveInClose
  WINMM.dll::waveInOpen
SECURITY_BASE_API (Uses Security Base API):
  ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API (Manipulates System Shell):
  SHELL32.dll::ShellExecuteExA
  SHELL32.dll::ShellExecuteW
URL_MONIKERS_API (Can Download & Execute components):
  urlmon.dll::URLDownloadToFileW
  urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_API (Can Create Process and Threads):
  KERNEL32.dll::CreateProcessW
  KERNEL32.dll::CreateProcessA
  KERNEL32.dll::OpenProcess
  ADVAPI32.dll::OpenProcessToken
  KERNEL32.dll::VirtualAllocEx
  KERNEL32.dll::WriteProcessMemory
WIN_BASE_API (Uses Win Base API):
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryA
  KERNEL32.dll::GetDriveTypeA
  KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API (Can Execute other programs):
  KERNEL32.dll::AllocConsole
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.dll::CopyFileW
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateFileMappingA
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileA
  KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API (Retrieves Account Information):
  ADVAPI32.dll::GetUserNameW
  ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API (Can Manipulate Windows Registry):
  ADVAPI32.dll::RegCreateKeyA
  ADVAPI32.dll::RegCreateKeyW
  ADVAPI32.dll::RegCreateKeyExW
  ADVAPI32.dll::RegDeleteKeyA
  ADVAPI32.dll::RegOpenKeyExA
  ADVAPI32.dll::RegOpenKeyExW
WIN_SVC_API (Can Manipulate Windows Services):
  ADVAPI32.dll::ChangeServiceConfigW
  ADVAPI32.dll::ControlService
  ADVAPI32.dll::OpenSCManagerW
  ADVAPI32.dll::OpenSCManagerA
  ADVAPI32.dll::OpenServiceW
  ADVAPI32.dll::QueryServiceConfigW
WIN_USER_API (Performs GUI Actions):
  USER32.dll::AppendMenuA
  USER32.dll::EmptyClipboard
  USER32.dll::OpenClipboard
  USER32.dll::CreateWindowExA
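The three BLint findings above (CHECK_AUTHENTICODE, CHECK_NX, CHECK_PIE) all come from two fields of the PE optional header: the DllCharacteristics flags and the certificate-table data directory. The following is an added example that re-implements those checks by parsing the header directly; it is not BLint's own code, the check IDs only mirror the names on this page, and the two images it inspects are constructed header-only PE32 files, not the sample from this entry. It also adds two checks the page does not report (high-entropy ASLR and Control Flow Guard), which are further DllCharacteristics bits. The flag values and layout offsets are those of the PE/COFF specification. Note that a non-empty certificate table only proves a signature blob is present, not that it verifies; a real Authenticode check needs the signature validated against a trusted chain.

```python
"""Re-implement the BLint hardening findings on this page (Authenticode, NX,
PIE) by reading the PE optional header.  Added example, not BLint's own
code; the images it checks are constructed headers, not the sample above."""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040      # image can be relocated at load: ASLR / PIE
NX_COMPAT = 0x0100         # image is DEP-compatible (non-executable data)
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR
GUARD_CF = 0x4000          # Control Flow Guard instrumentation present
CERT_TABLE_INDEX = 4       # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)


def _optional_header_offset(data):
    """Locate the optional header, validating the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the 4-byte signature; SizeOfOptionalHeader is at +16
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    return opt


def check_pe(data):
    """Return {check_id: passed} for BLint-style hardening checks on a PE image."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    cert_size = 0
    if ndirs > CERT_TABLE_INDEX:
        # Certificate table entry is (file offset, size); size 0 means unsigned
        _, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * CERT_TABLE_INDEX)
    return {
        "CHECK_AUTHENTICODE": cert_size > 0,   # presence only, not validity
        "CHECK_NX": bool(dllchars & NX_COMPAT),
        "CHECK_PIE": bool(dllchars & DYNAMIC_BASE),
        # two further DllCharacteristics checks beyond the page's three findings
        "CHECK_HIGH_ENTROPY_VA": bool(dllchars & HIGH_ENTROPY_VA),
        "CHECK_CFG": bool(dllchars & GUARD_CF),
    }


def failed_checks(data):
    """Sorted IDs of the checks the image fails."""
    return sorted(cid for cid, ok in check_pe(data).items() if not ok)


def build_pe32(dll_characteristics, cert_size=0):
    """Construct a minimal header-only PE32 image (no sections) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                       # 96 + 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CERT_TABLE_INDEX, 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins: no hardening flags and no certificate (fails the three
# findings on this page plus the two extra checks), and a fully hardened image.
UNHARDENED = build_pe32(0)
HARDENED = build_pe32(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF, cert_size=0x1000)

if __name__ == "__main__":
    print("unhardened fails:", failed_checks(UNHARDENED))
    print("hardened fails:  ", failed_checks(HARDENED))
```

Run against a real file with `check_pe(open(path, "rb").read())`. The checks are header-only and therefore cheap enough to run over a whole sample set; the imports listed under Reviews above come from a different structure (the import directory) and are not parsed here.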

Comments



commented on 2020-03-30 18:44:11 UTC

COVID-19 malspam distributing GuLoader->RemcosRAT:

HELO: mta0.veresegyhaz.tk
Sending IP: 161.35.58.139
From: WHO<info@veresegyhaz.tk>
Subject: Re: COVID-19 Relief: How to Access Complimentary Products
Attachment: Covid-19.001 (contains "CHATTING.EXE")

GuLoader payload URL (RemcosRAT):
https://onedrive.live.com/download?cid=CFD8E120D47DF1A4&resid=CFD8E120D47DF1A4%211132&authkey=AFrU_0NCOPZWS7A

RemcosRAT C2:
91.193.75.126:2019

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
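The comment above and the reporter's note earlier on this page give a full set of network and mail IOCs for this campaign: the RemcosRAT C2 socket, the sending IP and domain, the attachment name, and two OneDrive payload URLs. The following is an added example, not MalwareBazaar or abuse.ch tooling, that scans log lines for those IOCs; the log lines and their formats (a mail gateway key=value line, a proxy line, a firewall line) are constructed for the example. One generalization beyond the text: both OneDrive URLs quoted on this page share cid=CFD8E120D47DF1A4 and differ only in resid and authkey, so the matcher keys on the cid (the hosting account) rather than on either full URL.

```python
"""Scan log lines for the network and mail IOCs listed in this MalwareBazaar
entry and its comment.  Added example, not abuse.ch tooling; the log lines
and their formats below are constructed for the example."""
import re
from urllib.parse import parse_qs, urlparse

# IOCs copied from this page
IOC_C2 = {("91.193.75.126", 2019)}          # RemcosRAT C2, matched as ip:port
IOC_SENDER_IPS = {"161.35.58.139"}
IOC_SENDER_DOMAINS = {"veresegyhaz.tk"}      # matches the domain and its subdomains
IOC_ATTACHMENTS = {"covid-19.001"}
# Both payload URLs on this page share this cid; key on it, not on the full URL
IOC_ONEDRIVE_CIDS = {"cfd8e120d47df1a4"}

IPPORT_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
URL_RE = re.compile(r"""https?://[^\s"']+""")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"


def onedrive_cid(url):
    """Return the lower-cased OneDrive cid= parameter, or None for other hosts."""
    parts = urlparse(url)
    if parts.hostname != "onedrive.live.com":
        return None
    cids = parse_qs(parts.query).get("cid")
    return cids[0].lower() if cids else None


def scan_line(line):
    """Return a sorted list of (ioc_type, value) hits found in one log line."""
    hits = set()
    for ip, port in IPPORT_RE.findall(line):
        if (ip, int(port)) in IOC_C2:
            hits.add(("c2", "%s:%s" % (ip, port)))
    for ip in IP_RE.findall(line):
        if ip in IOC_SENDER_IPS:
            hits.add(("sender_ip", ip))
    for url in URL_RE.findall(line):
        if onedrive_cid(url) in IOC_ONEDRIVE_CIDS:
            hits.add(("onedrive_cid", onedrive_cid(url)))
    for key, raw, quoted in KV_RE.findall(line):
        val = quoted if raw.startswith('"') else raw
        if key in ("from", "helo"):
            domain = val.rsplit("@", 1)[-1].lower()
            if any(domain == d or domain.endswith("." + d) for d in IOC_SENDER_DOMAINS):
                hits.add(("sender_domain", domain))
        elif key == "attach" and val.lower() in IOC_ATTACHMENTS:
            hits.add(("attachment", val))
    return sorted(hits)


def scan_log(lines):
    """Return [(line_index, hits)] for every line with at least one IOC hit."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed log lines (not from any real environment); the OneDrive resid and
# authkey on the proxy line deliberately differ from both URLs on this page.
SAMPLE_LOG = [
    '2020-03-30T01:50:11Z mta helo=mta0.veresegyhaz.tk ip=161.35.58.139 '
    'from=info@veresegyhaz.tk subject="Re: COVID-19 Relief: How to Access '
    'Complimentary Products" attach=Covid-19.001',
    "2020-03-30T02:09:58Z proxy 10.0.0.23 GET https://onedrive.live.com/download"
    "?cid=CFD8E120D47DF1A4&resid=CFD8E120D47DF1A4%211131&authkey=AAAA 200",
    "2020-03-30T02:10:05Z fw allow 10.0.0.23:51234 -> 91.193.75.126:2019 tcp",
    "2020-03-30T02:11:00Z proxy 10.0.0.24 GET https://onedrive.live.com/download"
    "?cid=0123456789ABCDEF&resid=0123456789ABCDEF%21100 200",
    "2020-03-30T02:12:00Z fw allow 10.0.0.24:51300 -> 91.193.75.126:443 tcp",
]

if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_LOG):
        print(index, hits)
```

Matching the C2 as ip:port rather than as a bare address is deliberate: the whois excerpt in the comment shows 91.193.75.0/24 registered as a non-logging VPN service, so other connections to that address (the last constructed line, to port 443) are not by themselves evidence of this campaign. The file hashes at the top of the entry are matched by a plain set lookup and are left out of this scanner.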