MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69b7fe61ae71ecd658c9747a572a8eaf7f0f49c745028e37c0ff3464c9926889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 6


Intelligence 6 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69b7fe61ae71ecd658c9747a572a8eaf7f0f49c745028e37c0ff3464c9926889
SHA3-384 hash: 0577639bfd3c743c0fa7c01b5b0ec063f3479fce019b0518ced823f69b801260321eada2c92e8b40bd7ff3f4e65c4f27
SHA1 hash: a862fef0a8430be5f6dcf2a783fbaa1192d21c73
MD5 hash: 77cc59fdd27a5740f052f18c4cf8560c
humanhash: one-seventeen-ack-stream
File name:Contract AHNAF-1289.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:90'112 bytes
First seen:2021-05-24 03:20:58 UTC
Last seen:2021-05-25 08:03:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c0aa42a4533845b7eba74fce6ed7746f (1 x RemcosRAT, 1 x GuLoader)
ssdeep 1536:INFf/qTERZz/QeKQb1yuVZo7fktk/0r8ax9Pbm9G2Xo8:gZ3zfnZCydbm9GIo8
Threatray 1'735 similar samples on MalwareBazaar
TLSH 4A9338B2B191FB79C85D83FA9721147C1545BD3C2B7A5947D3C4022C3AE79E68B20B93
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
78.129.249.105:2017

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
78.129.249.105:2017 https://threatfox.abuse.ch/ioc/57966/

Intelligence

File Origin
# of uploads :
3
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Contract AHNAF-1289.exe
Verdict:
No threats detected
Analysis date:
2021-05-24 03:22:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50a079d0-d762-4231-9a18-b63db7581587

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161171/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.15020.29513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1abb7e99-78d6-429c-b32c-a60bbaf5a694
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/789971
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 422367 Sample: Contract AHNAF-1289.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 96 43 hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu 2->43 45 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 2->45 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Yara detected GuLoader 2->57 59 6 other signatures 2->59 11 Contract AHNAF-1289.exe 1 2->11         started        14 vlc.exe 1 2->14         started        16 vlc.exe 1 2->16         started        signatures3 process4 signatures5 65 Tries to detect Any.run 11->65 67 Hides threads from debuggers 11->67 18 Contract AHNAF-1289.exe 4 10 11->18         started        23 vlc.exe 14->23         started        process6 dnsIp7 47 hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu 103.232.54.82, 49763, 49764, 49766 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 18->47 37 C:\Users\user\AppData\Roaming\vlc.exe, PE32 18->37 dropped 39 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 18->39 dropped 41 C:\Users\user\AppData\Local\...\install.vbs, data 18->41 dropped 61 Tries to detect Any.run 18->61 63 Hides threads from debuggers 18->63 25 wscript.exe 1 18->25         started        file8 signatures9 process10 process11 27 cmd.exe 1 25->27         started        process12 29 vlc.exe 1 27->29         started        32 conhost.exe 27->32         started        signatures13 69 Contains functionality to detect hardware virtualization (CPUID execution measurement) 29->69 71 Tries to detect Any.run 29->71 73 Hides threads from debuggers 29->73 34 vlc.exe 29->34         started        process14 signatures15 49 Tries to detect Any.run 34->49 51 Hides threads from debuggers 34->51
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/69b7fe61ae71ecd658c9747a572a8eaf7f0f49c745028e37c0ff3464c9926889/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-24 03:21:07 UTC
AV detection:
3 of 47 (6.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ng374ynoohwnmwgjor5fokuov57q6sohiubi4n6a742gjsmsnceq._file
Verdict:
suspicious
Similar samples:
0089a67b8891a809e2c7699b1d97e0d1286756c801aecc20a200a13b049ecb94
RemcosRAT
17febcec21b3156aec42aea1f3b70e45b0ea57572547b483aeb1614a6d5a4d89
RemcosRAT
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
RemcosRAT
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
RemcosRAT
55fbd4afb3b387dcab2c4ccb60e2ced461773add94567b99207ccd7faa3ed05f
RemcosRAT
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
RemcosRAT
9e3fdcc393fc96ce693041533b4ecc9e43d57ad1bca40c99d07713dc90d39bd4
RemcosRAT
adea37317bf08b2dbb86164c609b0ee2eec3ccd6ef0e82c1c46d8447623e5899
RemcosRAT
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
RemcosRAT
cf402201a7df7964444627570fc2e1363ce0818b7765d371d487daae70c4ce29
RemcosRAT
+ 1'725 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210524-ffn5eqbzej/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu/Gee_remcos%202020_JdgLl223.bin
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/69b7fe61ae71ecd658c9747a572a8eaf7f0f49c745028e37c0ff3464c9926889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/161171/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-24 03:58:53 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0019] Data Micro-objective::Check String
1) [C0026.002] Data Micro-objective::XOR::Encode Data