MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66
SHA3-384 hash:	58f1016c100ad136c176906e388d10d79523ed404e6e40a2adb182557ee9a1d843978e2b5d2e004ae016ba912d36f78a
SHA1 hash:	ff6320dd5948d3eab817e4027b09bc53053bd59c
MD5 hash:	67641664818bff85950ba48865f5abe1
humanhash:	paris-timing-fillet-high
File name:	R60-2000-NL1-15.27 (ZSW).exe
Download:	download sample
Signature	RemcosRAT Alert Create hunting rule
File size:	373'217 bytes
First seen:	2023-09-05 02:10:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d4b94e8ee3f620a89d114b9da4b31873 (90 x GuLoader, 18 x njrat, 9 x RemcosRAT)
ssdeep	6144:UqaFH+9EKMusYcV51Z+qJ7H8s2Sf+NVim3hN30CwSvO6c+DjU5mcwo7Kq:c5o5cV1LFf+FN385+DcmcbKq
Threatray	2'530 similar samples on MalwareBazaar
TLSH	T1DA84F171F3A19417C4F6023E3C29967EA7E14C432D97FF1A23807F6A7972702960E659
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9878e0c88cca64b4 (1 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe RAT RemcosRAT

abuse_ch

RemcosRAT C2:
94.156.6.253:2402

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

326

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN guloader

Malware family:

guloader

Alert

Create hunting rule

ID:

1

File name:

R60-2000-NL1-15.27 (ZSW).exe

Verdict:

Malicious activity

Analysis date:

2023-09-05 02:12:45 UTC

Tags:

guloader

Link:

https://app.any.run/tasks/ea6a3a52-a74f-4437-ac0a-e521a010d6d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/446188/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.NSIS.Guloader.19536.27632.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Delayed reading of the file

Creating a file in the %temp% subdirectories

Dragonfly

Gathering data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64f68e37b7dd6394f710dff2/reports/f5aa2b85-533d-40a5-8585-afb3f40dda31/overview

Hybrid Analysis Malware

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b230058d-747e-46a6-9da0-081ddebcd900

Joe Sandbox GuLoader, Remcos

Result

Threat name:

GuLoader, Remcos

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1303203

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected GuLoader

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-09-05 02:11:05 UTC

File Type:

PE (Exe)

Extracted files:

5

AV detection:

16 of 24 (66.67%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4zuacov235usiztvdlkqufsyrsgksvk7fw553yskeu26kpkhvta._file

Threatray remcos cloudeye

Verdict:

malicious

Label(s):

remcos

Alert

Create hunting rule

cloudeye

Alert

Create hunting rule

Similar samples:

36cf6ced1c9832ffb8bea522b7683ef40a540eb70a4202c0df752b758d31025b

RemcosRAT

46f34cde2327b419337554aba74d7b380c82d8cfb761cb538d44b1c3e2447430

RemcosRAT

55eebc888e9151e28295587ff7c12c40f8b7ae5f23d29bac79c6444277940a6a

RemcosRAT

846ae70abd97cfc15d14a0261e9c6c38643e071dddf73fafe3bc3e5d3769511b

RemcosRAT

acf25f959cbb9c5ce26c16792b997f3bdd28927bd23614e466a4bbf2a0322029

RemcosRAT

aef53177b5c335884d1ad5d424ecdc989a7aa24e6b14f156ce3a909453412aae

RemcosRAT

b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f

RemcosRAT

b2d5e15268cb130c995118e17afa1198ca19604a20b91f1907a7ef18210db30f

RemcosRAT

b3b189de40e32305a83993fcda0d13f3a84200cd06e7d9549323940c603bff22

RemcosRAT

+ 2'520 additional samples on MalwareBazaar

Hatching Triage guloader

Result

Malware family:

guloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader downloader persistence

Link:

https://tria.ge/reports/230905-cl9wdsda72/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Checks QEMU agent file

Loads dropped DLL

Guloader,Cloudeye

UnpacMe 2

Unpacked files

SH256 hash:

e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

MD5 hash:

ee260c45e97b62a5e42f17460d406068

SHA1 hash:

df35f6300a03c4d3d3bd69752574426296b78695

Link:

https://www.unpac.me/results/889b5f6d-7504-4fe5-8f7b-f4d470ea7775/

SH256 hash:

67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66

MD5 hash:

67641664818bff85950ba48865f5abe1

SHA1 hash:

ff6320dd5948d3eab817e4027b09bc53053bd59c

Link:

https://www.unpac.me/results/889b5f6d-7504-4fe5-8f7b-f4d470ea7775/

VMRay GuLoader

Malware family:

GuLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/67334009d5d6/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67334009d5d6fb492333a8d6a850b2c464654aaaf96ddeef125129af29ea3d66

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/446188/