MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c8a1fcc7289127fe8b58aacf60776b0165e11a240cb1d44f7048f5ccae8769d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c8a1fcc7289127fe8b58aacf60776b0165e11a240cb1d44f7048f5ccae8769d
SHA3-384 hash: e037dd3d77f06f21337d2376f833839a01306ff7de61adda0d52ad3d0d4a6c29d9eb2ca5378128e051eaab3f43c6f93a
SHA1 hash: 176c9f62be8a68d3339caec26a78d121f40596fa
MD5 hash: 2ab363fe5c41d07b57c8406e1d05d886
humanhash: moon-four-cold-utah
File name:72e23d24f1b191e454e8fb9da1ae4c1b.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:126'976 bytes
First seen:2020-04-01 15:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c90c109d16124e83cb7a25caef54f (28 x RemcosRAT, 1 x FormBook, 1 x NetWire)
ssdeep 3072:mVh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUeq4a:ih1qn3IF9Obbj/a1cpcQjeHOzqhUQ
Threatray 777 similar samples on MalwareBazaar
TLSH F8C3E867F20B80A3D863027156507B72EEBCBC311A5D5157E7E8D8811DF588E902AAFF
Reporter abuse_ch
Tags:exe GuLoader RemcosRAT


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1WH55pV9KBbK7PW583pXU4zGdk4Q4QfYf

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Rescoms-6598304-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 16:35:35 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lsfb7tdsrejh72fvrkwpmb3wwalf4encidfr2rhxashvzsxio2oq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83
RemcosRAT
1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44
RemcosRAT
3a90457357756473cd15940468d7af9b7862d683c3c29fa0f01e69720023bdd1
RemcosRAT
3faaf4c39ac62ca025232a6482aaf902472af9e56d5be60e1e7478c29d30e71c
RemcosRAT
49c1e306362700be6143f3dc9592a72ca5d9dc3d7237d9f8e4f14b5c14ea2155
RemcosRAT
83413a3a3f07ee931dbfecaefed51d0b01d2b13b85920bdd485f0b2ce41acba5
RemcosRAT
a899d2b8f1cf3d0a97107dcfecafb3239cade9e8aad01fe007f3b0d8762b8b7a
RemcosRAT
c409017de52a4a6ad3a0cd3ab97ad17f9be172136155bf548bef49d7777cec1a
RemcosRAT
db28682ec511e61fa9a6425d0c7a908a99cf19b3f08c81b0e61bec26e24a15d6
RemcosRAT
e3b9a35e9155fd3c927956f03d54da02f28cc27437537d67ba302ddb4a40e57b
RemcosRAT
+ 767 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ecc89d332c731a7d2d428969b863013590186e3ed618737711723fab76cb0d74

RemcosRAT

Executable exe 5c8a1fcc7289127fe8b58aacf60776b0165e11a240cb1d44f7048f5ccae8769d

(this sample)

  
Dropped by
MD5 72e23d24f1b191e454e8fb9da1ae4c1b
  
Dropped by
MD5 d31e53d70c9f14db753a5e307ce0bcfb
  
Dropped by
GuLoader
  
Dropped by
SHA256 ecc89d332c731a7d2d428969b863013590186e3ed618737711723fab76cb0d74
  
Dropped by
SHA256 59097b5a29561f06bc0b4689178dfaec4650edd4e00c5a630e26505cccca59a2
  
URLhaus
https://urlhaus.abuse.ch/url/333465/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipGetImageEncoders
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringA
WINMM.dll::mciSendStringW
WINMM.dll::PlaySoundW
WINMM.dll::waveInAddBuffer
WINMM.dll::waveInClose
WINMM.dll::waveInOpen
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExA

Comments