MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
SHA3-384 hash: 475655d168757cbc54b1d81cd71d820179b2c67d160cc4464bbd78755e78bb2a2fed3710143e6c8aca5d8b543473a827
SHA1 hash: b95de481325d407e97336126af3a3a4d1ddfe315
MD5 hash: 60a55d0c6cba71cd1215b63ee7a1cc82
humanhash: xray-fish-echo-michigan
File name:http___s-rco.duckdns.org_11d_solex.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:126'976 bytes
First seen:2021-08-23 15:42:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c65aff2bab39ef464a2bad0c06b18bd1 (7 x RemcosRAT)
ssdeep 1536:fnYgNdzXtWBB9m3w4MPnoQKFF/8ethr+mcjDVyk8i7jLimejN3j:fYgN6Bg3FMqZ7hrZwVNLibN
Threatray 4'734 similar samples on MalwareBazaar
TLSH T142C3E6E29B615834D3752C70E8A3ADC163119F015ED3573F21DFFAAB25A0B82A4D734A
dhash icon b2b2e8e8b6d6bac8 (1 x RemcosRAT)
Reporter Racco42
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http___s-rco.duckdns.org_11d_solex.exe
Verdict:
No threats detected
Analysis date:
2021-08-23 15:45:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b25b49d-3df2-4bea-be34-b5c2c61808a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181545/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.21994.30782.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28eb49e6-cab8-49fd-a468-3673a3c3af40
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/837668
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qyhbnqmscz6v3wbdxdsthbmm3lnhvkntc4zfj4xvoay262fyjyga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2ef41da6731f4164de8d3281a4b296965e8a34426f88e47cbfd44a5177419c5c
RemcosRAT
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
6744f6083b8e8c5fca03f50101223d6125db7a1aebeb9de0e87c9e67441e8a53
RemcosRAT
d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af
RemcosRAT
d4d30acde6fa4db431b90817911b44d21c65fc1fa72744625bccafe3899869bc
RemcosRAT
d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701
RemcosRAT
de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e
RemcosRAT
+ 4'724 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader rat
Link:
https://tria.ge/reports/210823-mh7wpv3yg6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Remcos
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/8bcf7363-e09d-41bd-b5a8-9d7b622478fd/
SH256 hash:
860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c
MD5 hash:
60a55d0c6cba71cd1215b63ee7a1cc82
SHA1 hash:
b95de481325d407e97336126af3a3a4d1ddfe315
Link:
https://www.unpac.me/results/8bcf7363-e09d-41bd-b5a8-9d7b622478fd/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/860e16c19216/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/860e16c192167d5dd823b8e533858cdada7aa9b3173254f2f57031af68b84e0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/181545/
  
URLhaus
https://urlhaus.abuse.ch/url/1557705/

Comments