MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83a153e0349b4945fb3bc4c2402aa9000d6725375ee2aba7b1e02e50256522fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83a153e0349b4945fb3bc4c2402aa9000d6725375ee2aba7b1e02e50256522fa
SHA3-384 hash: 14524ece81237dd0a4126843f8dcf8b796746c9d3ead84860b7c52a79a150155f9dcb065404b4fce773bd21aa108cd6c
SHA1 hash: dfbe4c7e17baa599701f5613c0b18e8712e1d01f
MD5 hash: 3a91727fffb6ec4145a77998af295231
humanhash: delta-angel-six-quiet
File name:CONFIRMATION OF BOOKING #5648897.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:664'190 bytes
First seen:2023-06-27 06:39:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 12288:aFnsRYI8T12tF3Y1HIQDj0fLnar15WAGDcU4+9AOSK3w+:aFpIUYvIBDjAGJI545W
Threatray 1'467 similar samples on MalwareBazaar
TLSH T147E423093267C4E3D39A91F04A23E5BFF7F40655002A8A477340AF9D7C73A96C5A97E8
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter 0xSnowl
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
TH TH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CONFIRMATION OF BOOKING #5648897.exe
Verdict:
Malicious activity
Analysis date:
2023-06-27 06:40:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/44ef715c-2af0-4cc2-a557-0ae995bf80fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403118/
Detection(s):
SecuriteInfo.com.FileRepMalware.2940.18681.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/92817/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/649a84424a3ab977be88f8a9/reports/d6ba29c9-8197-439d-bca5-fe00305486f0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/83a153e0349b4945fb3bc4c2402aa9000d6725375ee2aba7b1e02e50256522fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/64aa2762-fa65-4af3-9ee6-23ad4334a6d6
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1261846
Signature
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83a153e0349b4945fb3bc4c2402aa9000d6725375ee2aba7b1e02e50256522fa/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-23 08:24:48 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qoqvhybutneul6z3ytbeakvjaagwojjxl3rkxj5r4axfajlfel5a._file
Verdict:
unknown
Similar samples:
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
503f94f00304bc18900c3494f2da5bcb1d8a103a0b15ce00bbdaeb5dfd8d9b7b
RemcosRAT
79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49
RemcosRAT
82a31318a931319c6478e3d03d14e95e73e5e989fd4f7636114b44cd30d1dfca
RemcosRAT
a1a882d7abefdec8678649330339a2f080a777450da1be5110b88e81a8ea38cc
RemcosRAT
b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5
RemcosRAT
c7126e6559d14c8a6e6502c038b71d2748ea77b6b977134615043e1576770818
RemcosRAT
e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98
RemcosRAT
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
RemcosRAT
+ 1'457 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:sure discovery persistence rat
Link:
https://tria.ge/reports/230627-he7eksdc69/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
212.87.204.153:4100
Unpacked files
SH256 hash:
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
MD5 hash:
75ed96254fbf894e42058062b4b4f0d1
SHA1 hash:
996503f1383b49021eb3427bc28d13b5bbd11977
Link:
https://www.unpac.me/results/7c790fb7-42ae-4e38-a18d-4f75848ce6b8/
SH256 hash:
83a153e0349b4945fb3bc4c2402aa9000d6725375ee2aba7b1e02e50256522fa
MD5 hash:
3a91727fffb6ec4145a77998af295231
SHA1 hash:
dfbe4c7e17baa599701f5613c0b18e8712e1d01f
Link:
https://www.unpac.me/results/7c790fb7-42ae-4e38-a18d-4f75848ce6b8/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83a153e0349b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83a153e0349b4945fb3bc4c2402aa9000d6725375ee2aba7b1e02e50256522fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/403118/

Comments