MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a
SHA3-384 hash: 8f7311b6b1dd9ba4e72b9b1e30fd25807a5c8b8472ab25000a6d44e2f13d0f321d421ce497222bdcc345845588c205d4
SHA1 hash: 13d126fac336f85ea013fcfe7f434ee5f484ecfc
MD5 hash: 3595ce9be3ec31b7ba6c98f6660d31bb
humanhash: grey-kilo-idaho-ack
File name:DOc 000399288299991.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:737'840 bytes
First seen:2023-04-11 10:53:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 12288:JMwq9DFYE0qkTPCe/IB7X2sTnzaaBtWugX:JMwwYE0qsC+ItXZ+X
Threatray 602 similar samples on MalwareBazaar
TLSH T11EF4AE6B3094A0B9EB6716370E48D21DA1607E7924029E4A32733F7F7EBC7465D406FA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3868f0e8e8f0f032 (3 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-06T02:48:56Z
Valid to:2025-09-05T02:48:56Z
Serial number: 0d9344601d23a501671d3ed8817c8e547e8acc3f
Thumbprint Algorithm:SHA256
Thumbprint: 956c5aa2b5c0c91a175e1bad546afa751cc403dd409ac2ead023a07b83e94707
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DOc 000399288299991.exe
Verdict:
Malicious activity
Analysis date:
2023-04-11 10:55:01 UTC
Tags:
rat remcos stealer keylogger
Link:
https://app.any.run/tasks/5f783e3c-ccc5-4e10-bc23-8b492622dd8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381431/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77364/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64353c4cc064c538e1b358e8/reports/1471065b-0359-4673-abe3-bb99ad2a2a95/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/034c3013-ac07-4029-93ee-b11231afa03d
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211666
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 844584 Sample: DOc_000399288299991.exe Startdate: 11/04/2023 Architecture: WINDOWS Score: 100 44 googlehosted.l.googleusercontent.com 2->44 46 geoplugin.net 2->46 48 2 other IPs or domains 2->48 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected GuLoader 2->62 64 Yara detected Remcos RAT 2->64 66 6 other signatures 2->66 10 DOc_000399288299991.exe 1 33 2->10         started        signatures3 process4 file5 40 C:\Users\user\AppData\Local\...talage.Deb, ASCII 10->40 dropped 42 C:\Users\user\AppData\...\uninstall3.exe, PE32 10->42 dropped 74 Suspicious powershell command line found 10->74 76 Obfuscated command line found 10->76 14 powershell.exe 12 10->14         started        signatures6 process7 signatures8 84 Very long command line found 14->84 17 powershell.exe 13 14->17         started        20 conhost.exe 14->20         started        process9 signatures10 56 Writes to foreign memory regions 17->56 58 Tries to detect Any.run 17->58 22 ieinstal.exe 3 16 17->22         started        27 ieinstal.exe 17->27         started        process11 dnsIp12 50 155.94.185.15, 2404, 49855, 49856 ASN-QUADRANET-GLOBALUS United States 22->50 52 googlehosted.l.googleusercontent.com 142.250.181.225, 443, 49854 GOOGLEUS United States 22->52 54 2 other IPs or domains 22->54 38 C:\ProgramData\remcos\logs.dat, data 22->38 dropped 68 Tries to detect Any.run 22->68 70 Maps a DLL or memory area into another process 22->70 72 Installs a global keyboard hook 22->72 29 ieinstal.exe 1 22->29         started        32 ieinstal.exe 1 22->32         started        34 ieinstal.exe 14 22->34         started        36 ieinstal.exe 22->36         started        file13 signatures14 process15 signatures16 78 Tries to steal Instant Messenger accounts or passwords 29->78 80 Tries to harvest and steal browser information (history, passwords, etc) 29->80 82 Tries to steal Mail credentials (via file / registry access) 32->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2023-04-11 10:54:08 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nghyxucapzw3tyecrau7xyjstjxbcckssl645zftyuxug6ehr5va._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3
RemcosRAT
2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0
RemcosRAT
2ddedbfd89d5ae3cb31d0e3108ed33fff300d99511fb60869506bc1e3ed1d483
RemcosRAT
3e8abea82786b2611c3dde68089c20f9cd37dc84da3d0b97a3b3d500aa287ee2
RemcosRAT
4d68a43a78bc0c69f5ee7a04fc4c1e3b1629ee81ba83d0a250e063bf2f6b0e57
RemcosRAT
536a5d0e0a0283a2037d9a01efaf92c4e119647ad3b8aa4d644461de984399f8
RemcosRAT
6966144426edc4d696a5cae07695d56532e5c960c845fe1c1c9efdaddb130754
RemcosRAT
6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49
RemcosRAT
91591f30fa6c90a96fbb95b72424ce5bfdf1f6342630991bfc69f980086eda14
RemcosRAT
c7a282bb4bc111616da14a7f6bac27b0b7c7437156a7992382dc695f50d6300a
RemcosRAT
+ 592 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection downloader rat
Link:
https://tria.ge/reports/230411-mzjapsca26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
155.94.185.15:2404
Unpacked files
SH256 hash:
eae9c9db228c5477b694c47491ca6271fc7864beead615202d1f3d98acb22718
MD5 hash:
fad6d8c923ac5b4f7f39740aa95bd020
SHA1 hash:
a841722205be959b2fd66044a5da149b6663a129
Link:
https://www.unpac.me/results/ff1fae57-42fc-405e-83c2-9f08b472e9db/
SH256 hash:
698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a
MD5 hash:
3595ce9be3ec31b7ba6c98f6660d31bb
SHA1 hash:
13d126fac336f85ea013fcfe7f434ee5f484ecfc
Link:
https://www.unpac.me/results/ff1fae57-42fc-405e-83c2-9f08b472e9db/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/698f8bd0407e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe 698f8bd0407e6db9e0828829fbe1329a6e11095292fdcee4b3c52f4378878f6a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381431/

Comments