MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b2596e73c754b0590b95e6245538874729bec5c62267719ef9bc8b9de21d01f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b2596e73c754b0590b95e6245538874729bec5c62267719ef9bc8b9de21d01f
SHA3-384 hash: 2ad26f837ed049a3abe4f3bafc8c6b6f390d65dc2027b268eb6f11d53767e71e18ef5e95bbd567b32b05e3d693eab45f
SHA1 hash: 7e1f29946891f1eac2482a37d211ace670b899b7
MD5 hash: c12bce4ab1e7af6e6aadb798e83216f5
humanhash: table-zulu-kitten-double
File name:C12BCE4AB1E7AF6E6AADB798E83216F5.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:112'376 bytes
First seen:2021-05-21 17:35:58 UTC
Last seen:2021-05-21 18:19:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:ymbrFYxQqr3fZG3lTPME+FnL0E+NTF9nw0KhZry2ftwn3p8Ke9Km:5lYxB7YF8FJ+NB9nNKhZryEtwn3je9Km
Threatray 1'584 similar samples on MalwareBazaar
TLSH 86B3B276B5FBF470FE5884F0275C93AC41972AB8C815498BDCC629586BF16329A103FB
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
104.37.7.46:2006

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.37.7.46:2006 https://threatfox.abuse.ch/ioc/53621/

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C12BCE4AB1E7AF6E6AADB798E83216F5.exe
Verdict:
Malicious activity
Analysis date:
2021-05-21 17:53:53 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/21f9d0b2-f9f0-482e-bce7-6b51cdcac6c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Generic-9863174-0
Create hunting rule

Win.Trojan.Jaik-9863183-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/787504
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 419900 Sample: pKDw1bLc83.exe Startdate: 21/05/2021 Architecture: WINDOWS Score: 100 53 Potential malicious icon found 2->53 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 6 other signatures 2->59 10 pKDw1bLc83.exe 2->10         started        13 win.exe 2->13         started        process3 signatures4 61 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->61 63 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->63 65 Tries to detect Any.run 10->65 67 Tries to detect virtualization through RDTSC time measurements 10->67 15 pKDw1bLc83.exe 4 10 10->15         started        69 Hides threads from debuggers 13->69 20 win.exe 6 13->20         started        process5 dnsIp6 39 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49730, 49733, 49735 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 15->39 35 C:\Users\user\AppData\Roaming\win.exe, PE32 15->35 dropped 37 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 15->37 dropped 49 Tries to detect Any.run 15->49 51 Hides threads from debuggers 15->51 22 wscript.exe 1 15->22         started        file7 signatures8 process9 process10 24 cmd.exe 1 22->24         started        process11 26 win.exe 24->26         started        29 conhost.exe 24->29         started        signatures12 71 Multi AV Scanner detection for dropped file 26->71 73 Contains functionality to detect hardware virtualization (CPUID execution measurement) 26->73 75 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 26->75 77 3 other signatures 26->77 31 win.exe 2 7 26->31         started        process13 dnsIp14 41 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 31->41 43 ghdyuienah123.freedynamicdns.org 46.243.248.60, 2006 M247GB Netherlands 31->43 45 Tries to detect Any.run 31->45 47 Hides threads from debuggers 31->47 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b2596e73c754b0590b95e6245538874729bec5c62267719ef9bc8b9de21d01f/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-05-18 18:31:00 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmsznzz4ovfqlefzlzreku4iorzjx3c4mithogpptpeltxrb2apq._file
Verdict:
unknown
Similar samples:
37fba5e93049ee78ac1fdf1fafe945636680193ddcb1dc9533f2c9ac80d3744c
RemcosRAT
479f929625a3e8a8f98256c3a020f5946e0d88fd7e3582e47b63500679d46585
RemcosRAT
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
RemcosRAT
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
RemcosRAT
6670269c08d80b6511029d06dfa07711a5e0bb1494107da5dc9d9d5661f010f3
RemcosRAT
6e6fa2f1d1b7e3c37b6c7a18a4bd750e6ca980741c87af931c17d2ed7e469c3e
RemcosRAT
c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
RemcosRAT
d5956571b9e9bc5c925d5b26a0bd0771c636bff202c0adb7d1d9ad6efe487bae
RemcosRAT
e0f53d67eb5d4a5bab2f6d0bbaff502896e12572b97bf0350c88cfac3fcc5b8f
RemcosRAT
fd5a380a446107f3648301abfefda6b5269ecc51ccf21fb850a8d70332ab962b
RemcosRAT
+ 1'574 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210521-thgtb9csee/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/Eric_2021_eyKIYWgo49.bin
ghdyuienah123.freedynamicdns.org:2006
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8b2596e73c754b0590b95e6245538874729bec5c62267719ef9bc8b9de21d01f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-21 18:21:41 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing