MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6744f6083b8e8c5fca03f50101223d6125db7a1aebeb9de0e87c9e67441e8a53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6744f6083b8e8c5fca03f50101223d6125db7a1aebeb9de0e87c9e67441e8a53
SHA3-384 hash:	0a411cd0e8ce0896da9256a0ba8bd68cf94b43776bb867794dfd93e8a3d98bc0d496f39e699cc09873f461a11431f216
SHA1 hash:	29161484a64a56d3f4a38a7c76959336d117bf86
MD5 hash:	dcf7ee4f070a1a4af0be8366cb2d0826
humanhash:	robin-fanta-twenty-video
File name:	http___linkso.duckdns.org_11d_solex.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	86'016 bytes
First seen:	2021-07-23 11:22:43 UTC
Last seen:	2021-07-23 11:50:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a085a0755db929b477f6fe3456be884d (2 x RemcosRAT)
ssdeep	1536:tMN2FdarWLeOyodCDSOI5e/tzEosGB6jPA:tM4FdaKLdyodCuO3tzEosGwrA
Threatray	3'162 similar samples on MalwareBazaar
TLSH	T1E1835A5EA4C44517E98816F27C820817006D6F33FD1E9E07653BAF0ED9BE98789F522B
dhash icon	801cb88c8c8c8cb0 (1 x RemcosRAT)
Reporter	Racco42
Tags:	exe RemcosRAT

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http___linkso.duckdns.org_11d_solex.exe

Verdict:

Malicious activity

Analysis date:

2021-07-23 11:23:20 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/ff00b29d-8cd3-40cd-89c3-7056b546e085

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/173601/

Detection(s):

SecuriteInfo.com.Variant.Razy.896770.16153.7550.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41dd9d83-0147-4243-ab7d-be1589e5a0ed

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820717

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

GuLoader behavior detected

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6744f6083b8e8c5fca03f50101223d6125db7a1aebeb9de0e87c9e67441e8a53/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-07-23 11:23:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 28 (42.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m5cpmcb3r2gf7sqd6uaqcir5mes5w6q25pvz3yhipspgora6rjjq._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7

RemcosRAT

2ef41da6731f4164de8d3281a4b296965e8a34426f88e47cbfd44a5177419c5c

RemcosRAT

4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07

RemcosRAT

5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0

RemcosRAT

91e13d173fb96f025e17161b61686fa06272a048eececeb7d4e95ecdcb3de4b8

RemcosRAT

a3fedff31a0349bc1b17791e2382179f465c870b3abd6b49040b3091be722f51

RemcosRAT

d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

RemcosRAT

dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

RemcosRAT

eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298

RemcosRAT

+ 3'152 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos botnet:remotehost downloader rat

Link:

https://tria.ge/reports/210723-t6a92zjpws/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Remcos

Malware Config

C2 Extraction:

wavesvc64.duckdns.org:1111

Unpacked files

SH256 hash:

6744f6083b8e8c5fca03f50101223d6125db7a1aebeb9de0e87c9e67441e8a53

MD5 hash:

dcf7ee4f070a1a4af0be8366cb2d0826

SHA1 hash:

29161484a64a56d3f4a38a7c76959336d117bf86

Link:

https://www.unpac.me/results/8f55bf7c-908d-4b40-84e3-5ded9bd8226a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6744f6083b8e8c5fca03f50101223d6125db7a1aebeb9de0e87c9e67441e8a53

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/173601/

URLhaus

https://urlhaus.abuse.ch/url/1475822/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample