MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068
SHA3-384 hash: 6f58de17086097b2519a89bd73053deeae0eeb06f1967aedc51672ff64a7537bf932da13c5e4dfaeee2100c7ebf1a059
SHA1 hash: ce828b6b6d4ef64d350163cfc4442f69fba7be27
MD5 hash: 0e9edeaaacc3b5904935e8f5d3a650ff
humanhash: spring-jupiter-virginia-six
File name:Inv.BKKR008011723.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:325'096 bytes
First seen:2023-04-11 06:40:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fd61eafe142870d6d0380163804a642 (39 x GuLoader, 6 x RemcosRAT, 4 x AgentTesla)
ssdeep 6144:JaCoWjClRmnTkF6/HeaUX55uHwT578h4N/0yuzaw0QAHdiGJuZvH:JaCTnAhJ5kwloKNSy1S9
Threatray 671 similar samples on MalwareBazaar
TLSH T19064C0D7AEA02497CC7A0BB0C7638BA407B1BEFADEB26B2357C431265DE63515134217
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 82aab2c2e0f0f0f0 (1 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-16T01:36:13Z
Valid to:2026-02-15T01:36:13Z
Serial number: 79fb6322d9c2b3eecd44b2af147473623d213389
Thumbprint Algorithm:SHA256
Thumbprint: 56b43fd4cb107c1a96ccc95f062a5317deb8ede3b43a9bfdc892d20c107308d8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inv.BKKR008011723.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 06:42:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/277b3c7a-28c0-40d1-bd96-38ad9c0129a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381330/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.23077.24750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% directory
Delayed reading of the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/643500ff08896da610c014fd/reports/35933d81-2476-4286-a42a-1c4e8167f2c6/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ad43a2af-f197-4943-bcef-c4b43d5d5068
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1211486
Signature
Hides threads from debuggers
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nab7uy6josfrm7jnjeaf7zrf5mydgpe5vy7m2dyebs5v7c6xcbua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1a0b3222046f0838c8a536e376b898b6c97cdb821aaebae4f9ed0dc9eeb23b7c
RemcosRAT
229803d2640463de8048f78dab377fe80cffd8f46b075eacb276358b1a78cd15
RemcosRAT
31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
RemcosRAT
494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9
RemcosRAT
4d8274e888e5e74818b1f5b13ceb2a11ce585e97b53faf26b690f35a4a446b2d
RemcosRAT
81ce31f6f3cd9a6a6037c411a1485bee35eaa93965fc6ccc2bd857c991fcad90
RemcosRAT
ae2f07cd525c3e542b16caa6fbabf8e97b57eb4cd73a333d018fc4d15b5c1c26
RemcosRAT
b24f7c42e0a6a3a4a95868fc259140674e39d6b208fdee00ad3c772c0fd9cb8c
RemcosRAT
d878b96dad5b242df04a937598ce6a20027ff414f2498e7c606116843d1c74f0
RemcosRAT
e4e2091a348b6f883c60951545d1318dae365658c50f7a5d342144f42aa224d6
RemcosRAT
+ 661 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection rat spyware stealer
Link:
https://tria.ge/reports/230411-hfr2aaah92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Malware Config
C2 Extraction:
193.25.214.194:2404
Unpacked files
SH256 hash:
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5
MD5 hash:
be2621a78a13a56cf09e00dd98488360
SHA1 hash:
75f0539dc6af200a07cdb056cddddec595c6cfd2
Link:
https://www.unpac.me/results/0a406c1a-8f07-4a98-acf4-063002e524dd/
SH256 hash:
2ecaecdb6793e2fbe5af809836d1f0ae805e190a873cf90e2c7910d3c7a0ae2f
MD5 hash:
5137b8a48131c71957bd89b6a80763f3
SHA1 hash:
b8be78fb52f8ccbbaf4ba83f128c17c7313ff4db
Link:
https://www.unpac.me/results/0a406c1a-8f07-4a98-acf4-063002e524dd/
SH256 hash:
6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068
MD5 hash:
0e9edeaaacc3b5904935e8f5d3a650ff
SHA1 hash:
ce828b6b6d4ef64d350163cfc4442f69fba7be27
Link:
https://www.unpac.me/results/0a406c1a-8f07-4a98-acf4-063002e524dd/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6803fa63c974/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 6803fa63c9748b167d2d49005fe625eb30333c9dae3ecd0f040cbb5f8bd71068

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381330/

Comments