MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd
SHA3-384 hash: 01aa3dca88e447808af36e039c1585dc8dc9d5b53a57078d1a6898e2fd99909314ee936f5afc30f26e34b004b6e55b29
SHA1 hash: 4e70aed54595067ec69661201247d8664811f710
MD5 hash: bd960a153b84571d576d5dd4c48f09ba
humanhash: blue-hamper-butter-indigo
File name:5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:481'995 bytes
First seen:2024-07-10 17:32:29 UTC
Last seen:2024-07-10 18:21:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 12288:R0NwzIoEluDKUIqqUXeVeLm8pNisAhU3Bbg:fzIoEluWUXeVeLmfsA6RM
TLSH T1D9A4F155524AF8A6C42086F01BF4CB3E1F993FCB1957C249EE9A7E5E783338201AE5C5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 71e8e8cccce4f0f1 (7 x RemcosRAT)
Reporter NDA0E
Tags:exe GuLoader RemcosRAT


Avatar
NDA0E
Drops RemcosRAT payload via Google Drive: https://drive.google.com/uc?export=download&id=1xjYTWrf1RSOlsGkswYHu7KbgGg9Asbaz

RemcosRAT C2: a458386d9.duckdns.org:3256 (217.76.50.73:3256)

Intelligence

File Origin
# of uploads :
2
# of downloads :
440
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd.exe
Verdict:
Malicious activity
Analysis date:
2024-07-10 17:34:33 UTC
Tags:
guloader loader remcos rat remote evasion stealer mpress
Link:
https://app.any.run/tasks/607551a9-474f-4f3f-a727-bda4773eb23b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.6100.15358.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668ec5cf6df1b20b8ec46e99win10vpnfull_triage
Tags:
Encryption Execution Stealth
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d6143b8-0dd0-472d-b660-5ec0fddd5bfc
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1470972
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Disables UAC (registry)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Remcos
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1470972 Sample: fKPsJbn9jd.exe Startdate: 10/07/2024 Architecture: WINDOWS Score: 100 60 a458386d9.duckdns.org 2->60 62 geoplugin.net 2->62 64 2 other IPs or domains 2->64 80 Found malware configuration 2->80 82 Yara detected GuLoader 2->82 84 Yara detected Remcos RAT 2->84 88 5 other signatures 2->88 10 fKPsJbn9jd.exe 35 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 86 Uses dynamic DNS services 60->86 process4 dnsIp5 52 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 10->52 dropped 54 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 10->54 dropped 56 C:\Users\user\AppData\Local\...\BgImage.dll, PE32 10->56 dropped 58 C:\Users\user\AppData\...gernes254.Ins, ASCII 10->58 dropped 100 Suspicious powershell command line found 10->100 17 powershell.exe 20 10->17         started        72 127.0.0.1 unknown unknown 14->72 file6 signatures7 process8 file9 46 C:\Users\user\AppData\...\Fortllingens.exe, PE32 17->46 dropped 48 C:\Users\...\Fortllingens.exe:Zone.Identifier, ASCII 17->48 dropped 74 Writes to foreign memory regions 17->74 76 Found suspicious powershell code related to unpacking or dynamic code loading 17->76 78 Powershell drops PE file 17->78 21 Fortllingens.exe 5 17 17->21         started        26 conhost.exe 17->26         started        signatures10 process11 dnsIp12 66 a458386d9.duckdns.org 217.76.50.73, 3256, 49738, 49739 SVNET-SE-ASSverigeNetMedianetworkiHalmstadABSE Sweden 21->66 68 drive.usercontent.google.com 142.250.185.129, 443, 49737 GOOGLEUS United States 21->68 70 2 other IPs or domains 21->70 50 C:\ProgramData\remcos\logs.dat, data 21->50 dropped 92 Detected unpacking (changes PE section rights) 21->92 94 Detected Remcos RAT 21->94 96 Tries to steal Mail credentials (via file registry) 21->96 98 5 other signatures 21->98 28 cmd.exe 1 21->28         started        31 Fortllingens.exe 1 21->31         started        33 Fortllingens.exe 1 21->33         started        35 2 other processes 21->35 file13 signatures14 process15 signatures16 102 Uses cmd line tools excessively to alter registry or file data 28->102 37 reg.exe 1 28->37         started        40 conhost.exe 28->40         started        104 Tries to steal Instant Messenger accounts or passwords 31->104 106 Tries to harvest and steal browser information (history, passwords, etc) 31->106 108 Tries to steal Mail credentials (via file / registry access) 33->108 42 conhost.exe 35->42         started        44 reg.exe 1 1 35->44         started        process17 signatures18 90 Disables UAC (registry) 37->90
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2024-07-10 16:42:33 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kejujdkrqb5drj3fevyina2erz2cyvdbvmq3cs33jnliflgwe7oq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader collection downloader evasion execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/240710-v4vhjatakc/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
UAC bypass
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c9b512fb-d020-4aed-94e2-0970c770fa25
Unpacked files
SH256 hash:
943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0
MD5 hash:
acbda33dd5700c122e2fe48e3d4351fd
SHA1 hash:
2c154baf7c64052ee712b7cdf9c36b7697dd3fc8
Link:
https://www.unpac.me/results/7179c365-3f3e-44e6-b278-eb8ea168d54e/
SH256 hash:
dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b
MD5 hash:
521df745a41f0b8164ffd01717cacbba
SHA1 hash:
dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74
Link:
https://www.unpac.me/results/7179c365-3f3e-44e6-b278-eb8ea168d54e/
SH256 hash:
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
MD5 hash:
1c8b2b40c642e8b5a5b3ff102796fb37
SHA1 hash:
3245f55afac50f775eb53fd6d14abb7fe523393d
Link:
https://www.unpac.me/results/7179c365-3f3e-44e6-b278-eb8ea168d54e/
SH256 hash:
5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd
MD5 hash:
bd960a153b84571d576d5dd4c48f09ba
SHA1 hash:
4e70aed54595067ec69661201247d8664811f710
Link:
https://www.unpac.me/results/7179c365-3f3e-44e6-b278-eb8ea168d54e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5113448d51807a38a76525708683448e742c5461ab21b14b7b4b5682acd627dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:NSIS_GuLoader
Create hunting rule
Author:NDA0E
Description:Detects GuLoader using NSIS
Rule name:NSIS_GuLoader_July_2024
Create hunting rule
Author:NDA0E
Description:Detects GuLoader packed with NSIS installer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments