MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83
SHA3-384 hash: 337a38691e2f2c98c258d899df6d81bbbfcde30c7cf9b0b7bac2034b31194c7ff2d7f8f755a2f207092a362d1178f92a
SHA1 hash: a1209968f241486b2fa92c803090a593eb1f3088
MD5 hash: b081c03600ad63f4b7a27bddbd2bfe47
humanhash: fish-diet-mirror-juliet
File name:file.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:592'864 bytes
First seen:2023-06-20 13:40:44 UTC
Last seen:2023-06-20 14:03:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 6144:klgvTRHyTFYITyHsoh9/GTJlu0Qk/QLaocdMZvh/0bjze8j5vdN:c24Zq/GXu0radYMZ5CHJjZ
Threatray 1'429 similar samples on MalwareBazaar
TLSH T145C415E2E54D821ECED97EB0B7A650F95BFCBD200501AD0613EFB6C8CA3E142A54E175
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0874eb58d8e6b859 (1 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-28T07:04:19Z
Valid to:2026-03-27T07:04:19Z
Serial number: 3040a15ed1c68029abe86cfef5e33edc22dcb487
Thumbprint Algorithm:SHA256
Thumbprint: e71b22f72e297d5ec2b224d42fb394f6f635cad5ce2ac75ade427fc303c65136
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 13:42:06 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/da2f7213-cb0b-49c7-9779-ba90843f2ac9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/401106/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.23522.29608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending an HTTP GET request
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91915/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6491ac6fb453925d4072d49c/reports/77896627-40c5-46d5-9d2c-9ec0f20c6473/overview
Verdict:
Malicious
Labled as:
Generik.KCAADQF trojan
Link:
https://www.hybrid-analysis.com/sample/5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/144fbde1-1952-434e-a9a3-d1859f683911
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258296
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 891323 Sample: file.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 30 kl8nn6dcsfg69bn20h.duckdns.org 2->30 32 googlehosted.l.googleusercontent.com 2->32 34 2 other IPs or domains 2->34 46 Multi AV Scanner detection for domain / URL 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected GuLoader 2->50 52 4 other signatures 2->52 9 file.exe 18 2->9         started        signatures3 process4 file5 28 C:\Users\user\AppData\...28epaleser.Scy132, ASCII 9->28 dropped 58 Suspicious powershell command line found 9->58 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 60 Obfuscated command line found 13->60 62 Very long command line found 13->62 64 Found suspicious powershell code related to unpacking or dynamic code loading 13->64 16 powershell.exe 13 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 42 Writes to foreign memory regions 16->42 44 Tries to detect Any.run 16->44 21 ieinstal.exe 3 8 16->21         started        process11 dnsIp12 36 kl8nn6dcsfg69bn20h.duckdns.org 103.212.81.158, 3846, 50158, 50159 KANTIPUR-AS-APKantipurPublicationPvtLtdNP Bangladesh 21->36 38 drive.google.com 142.250.184.238, 443, 50156 GOOGLEUS United States 21->38 40 googlehosted.l.googleusercontent.com 142.250.186.97, 443, 50157 GOOGLEUS United States 21->40 26 C:\ProgramData\remcos\logs.dat, data 21->26 dropped 54 Tries to detect Any.run 21->54 56 Installs a global keyboard hook 21->56 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lny4vbdxv3bdtiycivi37loviflbehr4wokfbhigiisbash4fobq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
RemcosRAT
2afb072fe81c319cbe4cee6d2c660a16a833b4243c8e5ea0aa041b2b974c3ef5
RemcosRAT
30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02
RemcosRAT
79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49
RemcosRAT
b3aef47ce44656fbea5139d6bd03d8847f633199b00462aefebe43ac6c91e352
RemcosRAT
b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5
RemcosRAT
e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98
RemcosRAT
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
RemcosRAT
+ 1'419 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/230620-qy359scd36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83
MD5 hash:
b081c03600ad63f4b7a27bddbd2bfe47
SHA1 hash:
a1209968f241486b2fa92c803090a593eb1f3088
Link:
https://www.unpac.me/results/7485c5e3-0f42-449b-8dfa-e1b8df5ce930/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b71ca8477ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/5b71ca8477aec239a3024551bfadd54156121e3cb394509d0642241048fc2b83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/401106/

Comments