MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc
SHA3-384 hash: 947477d9d56e59262dc3eda2f5f0ff61af62a6e6c2e6f114ff48d3156291184496eb3c7571e553bd64d05364dd8e1802
SHA1 hash: 2304fc250c02fc342ad838aeaf47072039c5cda3
MD5 hash: 2b3c647a9f8df6a8095d8d151d4bb8cb
humanhash: berlin-sweet-five-double
File name:5995 MALAYSIA SDN BHD PAYMENT RECEIPTS 071221_PDF.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:163'840 bytes
First seen:2021-12-08 17:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60d3b74f9c73d4a8b6d73d089d6df1c8 (1 x RemcosRAT)
ssdeep 3072:oKd8LZRm3J+9dG9isOcGTcUlciit93H2IEFz6:ot6JUdLHmjv9jEN
Threatray 8'122 similar samples on MalwareBazaar
TLSH T118F3F866F5D0B019E00781BDE826A8BA2D157C341F815D4FB78C6B4A2B751C7A1A3B3F
File icon (PE):PE icon
dhash icon ce0798d20e98c800 (1 x RemcosRAT)
Reporter Anonymous
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5995 MALAYSIA SDN BHD PAYMENT RECEIPTS 071221_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-12-08 18:02:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0c9b88d-20e3-4745-86da-0c54feeeabd0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
GuLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/212579/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1353/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61b0e9874d8e6f3a5e19d9b8/reports/a013846a-b49a-4fd5-a806-c34773495713/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd6ceb46-b6e8-49bf-9876-2cfea6b2a541
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/904065
Signature
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 22:59:16 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262
RemcosRAT
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
RemcosRAT
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
ace7e59fa80a108d4f3fd0a56a99f03d17e56ec2c756092aa65b910352f59921
RemcosRAT
ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
RemcosRAT
bf41232cf8f3b7a59706152858b300a9c7af30e7e0291f120dfd38657daf5b9c
RemcosRAT
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
RemcosRAT
e015835dd69bbd384cb9b347984b648562281ba9e532ca110b6962bce9262251
RemcosRAT
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
RemcosRAT
+ 8'112 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:december downloader persistence rat upx
Link:
https://tria.ge/reports/211208-vwz32sged6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
UPX packed file
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
tisnew.ddns.net:5107
Unpacked files
SH256 hash:
539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc
MD5 hash:
2b3c647a9f8df6a8095d8d151d4bb8cb
SHA1 hash:
2304fc250c02fc342ad838aeaf47072039c5cda3
Link:
https://www.unpac.me/results/f3d3ad2e-004d-479c-8df3-5ab6caf33ee9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/212579/

Comments