MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7247a3f88c9926488072d10907f19c9ed6b73f2ad2e218c89749d53957ba0362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 13

SHA256 hash: 7247a3f88c9926488072d10907f19c9ed6b73f2ad2e218c89749d53957ba0362
SHA3-384 hash: 8c57771e1d92bb9be0a40c2e4ce217469df4ee032c1793097464a850ce1c114a3b7ada8cdb01c691ad952a5e78683ecc
SHA1 hash: f28722c60a354a79fd6fad6932ff28d1034eaba5
MD5 hash: 42836e7a6c9e56debb04aa192c9dd3f0
humanhash: beryllium-thirteen-mountain-sad
File name: 42836e7a6c9e56debb04aa192c9dd3f0.exe
Signature: RemcosRAT
File size: 525'136 bytes
First seen: 2023-08-01 10:53:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b78ecf47c0a3e24a6f4af114e2d1f5de (300 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep: 12288:p7LABZYQkao8Rqc5pbIvFPWOLogchFk/cmW1bGfKKxvEFlI:xN8cc5pbGlo6W1bG7dUI
Threatray: 111 similar samples on MalwareBazaar
TLSH: T1E8B4F083EE804267D818043596D7BB1029F29CBD6B96CF2353D831363FB6152257E3AB
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: c2aab2c2c0f0f0f0 (5 x GuLoader, 1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2022-10-29T02:22:20Z
Valid to: 2025-10-28T02:22:20Z
Serial number: 1e7050ab2b934e9e1b9f34495975e31e62747d66
Thumbprint algorithm: SHA256
Thumbprint: 039d202f234b81eeb42204991595ba0a5911ae7518e11596c1b7e87300d2ec3d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 284
Origin country: NL

Vendor Threat Intelligence
Malware family: guloader
ID: 1
File name: 42836e7a6c9e56debb04aa192c9dd3f0.exe
Verdict: Malicious activity
Analysis date: 2023-08-01 11:05:10 UTC
Tags: guloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control guloader lolbin overlay packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GuLoader, Remcos
Detection: malicious
Classification: troj.evad.phis.spyw.expl
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1283655; sample ntJoJWf6p3.exe; start date 01/08/2023; architecture WINDOWS; score 100). The graph image itself is not reproduced here; the information recoverable from its nodes is:

Process chain:
  ntJoJWf6p3.exe -> CasPol.exe -> wscript.exe -> powershell.exe and cmd.exe
    powershell.exe -> powershell.exe -> RegAsm.exe -> RegAsm.exe (x3) and 16 other processes
    cmd.exe -> cmd.exe, PING.EXE, conhost.exe; the child cmd.exe -> powershell.exe
  wscript.exe (second start) -> cmd.exe and powershell.exe; cmd.exe -> cmd.exe, PING.EXE, conhost.exe; the child cmd.exe -> powershell.exe

Network contacts:
  cdn.pixelbin.io
  geoplugin.net (178.237.33.50, port 80, ATOM86 NL; contacted by RegAsm.exe)
  23.95.60.83 (AS-COLOCROSSING US; contacted by CasPol.exe)
  api4.ipify.org (173.231.16.76, port 443; contacted by CasPol.exe)
  api.telegram.org (149.154.167.220, port 443; contacted by CasPol.exe)
  d13bcqfgin4vvj.cloudfront.net (108.156.2.109, port 443; contacted by powershell.exe)
  192.210.255.48 (port 2404, AS-COLOCROSSING US; contacted by RegAsm.exe)
  127.0.0.1 (PING.EXE)
  4 other IPs or domains

Dropped files:
  C:\Users\user\AppData\Local\...\System.dll (PE32; dropped by ntJoJWf6p3.exe)
  C:\Users\user\AppData\Local\Temp\hkcmd.vbs (Unicode; dropped by CasPol.exe)
  C:\Users\user\AppData\Roaming\...\XP.vbs (Unicode; dropped by powershell.exe)

The signatures attached to the graph nodes are the same as those in the Signature list above (sandbox detection, credential theft from browsers, mail and instant-messenger clients, WMI network adapter queries, ping.exe used to sleep, VBS dropped to the startup folder, memory written into foreign processes).
Threat name: Win32.Trojan.Guloader
Status: Suspicious
First seen: 2023-08-01 10:54:06 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:guloader family:remcos botnet:remotehost downloader rat spyware stealer
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks QEMU agent file
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader, Cloudeye
Remcos
Malware Config
C2 Extraction: 192.210.255.48:2404
Dropper Extraction: https://cdn.pixelbin.io/v2/long-glade-33dc08/original/rump_img.jpeg

Unpacked files
SHA256 hash: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash: fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256 hash: 7247a3f88c9926488072d10907f19c9ed6b73f2ad2e218c89749d53957ba0362
MD5 hash: 42836e7a6c9e56debb04aa192c9dd3f0
SHA1 hash: f28722c60a354a79fd6fad6932ff28d1034eaba5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RemcosRAT, Executable exe, 7247a3f88c9926488072d10907f19c9ed6b73f2ad2e218c89749d53957ba0362 (this sample)

Delivery method: Distributed via web download

Comments