MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617738e1dd2b1ca260fe4cd650b249406c2b26adf903f38e8bf7b6b6cae031e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 617738e1dd2b1ca260fe4cd650b249406c2b26adf903f38e8bf7b6b6cae031e2
SHA3-384 hash: eadbc1eb8831efc6216e3df54ec85d455b2a0d85767f7abfda55b14e254a4c2e9df6039a84c4602155bdf55f1b7dc082
SHA1 hash: b9bc2b61b5c4270c9e6889db798624cfa037742a
MD5 hash: 63f2f1d3337163cbf3817f78c36d4892
humanhash: may-violet-football-maryland
File name:63f2f1d3337163cbf3817f78c36d4892.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:90'112 bytes
First seen:2021-08-30 16:15:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf3ce860853768dc69ae8e8c2bfcfd1e (3 x RemcosRAT, 1 x GuLoader)
ssdeep 1536:13EC8OV0Y7iCgt00DQEi/vb7CTwWHsGmRijDjl4KKTnI+IHldNKgN7AhgVuspsN3:ifdt00pWS8GmRgDJy
Threatray 4'646 similar samples on MalwareBazaar
TLSH T162937CE1A7286520E0B646BD46030ED03414EF620EC78F1F255FEE9F9E353562AE3796
dhash icon 0000001858b4a600 (8 x RemcosRAT, 3 x GuLoader, 1 x Formbook)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
63f2f1d3337163cbf3817f78c36d4892.exe
Verdict:
No threats detected
Analysis date:
2021-08-30 16:17:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23eb2f94-676f-483d-bebd-ec4f1c5cb3df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183847/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.2005.15058.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c907b4f3-5120-4c2f-8222-88ee68fd6442
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/841732
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/617738e1dd2b1ca260fe4cd650b249406c2b26adf903f38e8bf7b6b6cae031e2/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 16:16:07 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mf3tryo5fmokeyh6jtlfbmsjibwcwjvn7eb7hdul663lnsxaghra._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
47046d5dfe7ecf45e4c31f25b975af78684f9727b91a7d052b5731e95d2f0a4c
RemcosRAT
88ceee260ee9b4baa66e0aeb88821c2edbfebdb3f946cb8e1d3c4850ab0a0365
RemcosRAT
9bdb2adacff9530fde8a0b020e84188b0b39995db62ba167608d8e2493bd3ee4
RemcosRAT
ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
RemcosRAT
afc7d530c112b47cd33295262f533df60f12568ede477091434381b0d6a2cc8c
RemcosRAT
bd6cf98ff23cdad2f5bb43bb60e61275d8ad1ad7baeb609aa0a812fc048fede0
RemcosRAT
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
RemcosRAT
fc4e44c0b91ce5f076bab43f739c4100de70423b9e867d2f34ff265e37596bd9
RemcosRAT
+ 4'636 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/210830-n2htn57k9n/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/9dc9fbd8-1968-48f8-9c6d-7ab4833d24e3/
SH256 hash:
617738e1dd2b1ca260fe4cd650b249406c2b26adf903f38e8bf7b6b6cae031e2
MD5 hash:
63f2f1d3337163cbf3817f78c36d4892
SHA1 hash:
b9bc2b61b5c4270c9e6889db798624cfa037742a
Link:
https://www.unpac.me/results/9dc9fbd8-1968-48f8-9c6d-7ab4833d24e3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/617738e1dd2b1ca260fe4cd650b249406c2b26adf903f38e8bf7b6b6cae031e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 617738e1dd2b1ca260fe4cd650b249406c2b26adf903f38e8bf7b6b6cae031e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1557705/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183847/

Comments