MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78e27eed3667aa1a2c2a2fbe131f3ef7ccdb4a04908728a5b2c85e3c45c7f2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78e27eed3667aa1a2c2a2fbe131f3ef7ccdb4a04908728a5b2c85e3c45c7f2df
SHA3-384 hash: 4126e812061644b6b97da2093c6997125077e296485c93900d9fb0e5f003fc552a368dc04edfdf9d53ff19333f01bce8
SHA1 hash: 444240783aaea1f87392624232d08ff091cebde0
MD5 hash: 54624050568bdc2f109cf3cf966d07e2
humanhash: uranus-gee-seventeen-quiet
File name:54624050568bdc2f109cf3cf966d07e2.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:86'016 bytes
First seen:2021-05-28 19:48:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 534501dd9ce577814935581296a7adca (4 x GuLoader, 4 x RemcosRAT)
ssdeep 1536:obM3jL11qGATu5PLdUbLKBQ0T+Wh17mw:NjL10Tu5PstgJUw
Threatray 1'595 similar samples on MalwareBazaar
TLSH 3A834A72FA90F37CD25007B42D6781BC9D71BD3C79A07846EB8BA2246EFB8149646347
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
46.243.239.36:1996

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.243.239.36:1996 https://threatfox.abuse.ch/ioc/66375/

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
54624050568bdc2f109cf3cf966d07e2.exe
Verdict:
Malicious activity
Analysis date:
2021-05-28 20:00:37 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/0a5810b3-c984-439e-a923-c3be3bcd7889

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163104/
Detection(s):
Win.Dropper.Vebzenpak-9865056-0
Create hunting rule

Win.Trojan.Generickdz-9865226-0
Create hunting rule

Win.Trojan.Generickdz-9865275-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c521cc57-cb49-4add-8801-5a3d3f0be5d8
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794068
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426465 Sample: 8OKhE1B3Yp.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 100 43 hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu 2->43 45 wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu 2->45 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected GuLoader 2->59 61 3 other signatures 2->61 11 8OKhE1B3Yp.exe 1 2->11         started        14 win.exe 1 2->14         started        16 win.exe 1 2->16         started        signatures3 process4 signatures5 67 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->67 69 Tries to detect Any.run 11->69 71 Tries to detect virtualization through RDTSC time measurements 11->71 18 8OKhE1B3Yp.exe 4 10 11->18         started        73 Hides threads from debuggers 14->73 23 win.exe 14->23         started        process6 dnsIp7 47 hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu 103.232.54.82, 49743, 49748, 49751 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 18->47 49 192.168.2.1 unknown unknown 18->49 37 C:\Users\user\AppData\Roaming\win.exe, PE32 18->37 dropped 39 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 18->39 dropped 41 C:\Users\user\AppData\Local\...\install.vbs, data 18->41 dropped 63 Tries to detect Any.run 18->63 65 Hides threads from debuggers 18->65 25 wscript.exe 1 18->25         started        file8 signatures9 process10 process11 27 cmd.exe 1 25->27         started        process12 29 win.exe 1 27->29         started        32 conhost.exe 27->32         started        signatures13 75 Multi AV Scanner detection for dropped file 29->75 77 Contains functionality to detect hardware virtualization (CPUID execution measurement) 29->77 79 Tries to detect Any.run 29->79 81 2 other signatures 29->81 34 win.exe 29->34         started        process14 signatures15 51 Tries to detect Any.run 34->51 53 Hides threads from debuggers 34->53
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78e27eed3667aa1a2c2a2fbe131f3ef7ccdb4a04908728a5b2c85e3c45c7f2df/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-26 20:40:14 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pdrh53jwm6vbulbkf67bghz667gnwsqescdsrjnszbpdyroh6lpq._file
Verdict:
unknown
Similar samples:
00c13c67dcabc8708b2ef443517788825e9496b66eddc757fbe5cf6d859f34ec
RemcosRAT
0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
RemcosRAT
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
RemcosRAT
48b182b6f84f85278909eb70d8821812630a3c87f6c52d9e8c90adbf0e7b2ffe
RemcosRAT
815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4
RemcosRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
RemcosRAT
9e3fdcc393fc96ce693041533b4ecc9e43d57ad1bca40c99d07713dc90d39bd4
RemcosRAT
a5fb63409bbc68224d3e2be7511cc6a49fd205892813890c3a76feeabd5a5e56
RemcosRAT
c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
RemcosRAT
fe3cb815b3ed9a0619d530afed14d2994514a66874e7e2446aed93586df566c4
RemcosRAT
+ 1'585 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210528-d9p53p5hax/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu/XP_remcos%202021_ogBiNEKs50.bin
wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/78e27eed3667aa1a2c2a2fbe131f3ef7ccdb4a04908728a5b2c85e3c45c7f2df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 78e27eed3667aa1a2c2a2fbe131f3ef7ccdb4a04908728a5b2c85e3c45c7f2df

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/163104/
  
URLhaus
https://urlhaus.abuse.ch/url/1293027/
  
Delivery method
Distributed via web download

Comments