MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60
SHA3-384 hash:	77df476c784745a3dc2db7b6de48bfd46de52a7c64defb27bb5b5d645dd17bbd3b12bfbe26428ae528b5a998033de53f
SHA1 hash:	086bc0e2994e030d79484b138ed57ea6611467dd
MD5 hash:	71e74306d9f78dbb9583c3327f875946
humanhash:	nine-lithium-harry-mountain
File name:	http___slavec.duckdns.org_11d_solex.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	81'920 bytes
First seen:	2021-07-28 15:48:38 UTC
Last seen:	2021-07-28 16:49:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7be5ce563aba0a332d6ee101ce2ee420 (1 x GuLoader, 1 x RemcosRAT)
ssdeep	768:tmsR22y5tviCz8AvoXicxStuKFDVvmyCE8sjk01eqG2tfolL3uDbhosOc:tms45fz8AwycmFDNmnso07G2tKeoo
Threatray	3'366 similar samples on MalwareBazaar
TLSH	T11A837D23A588D5D2D404AA307C53C8E53902285DEB524D0736FF6B953EF0AC25AFCBA7
dhash icon	801ccccc8c8ccc74 (1 x RemcosRAT)
Reporter	Racco42
Tags:	exe RemcosRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://xxfetch.duckdns.org/index.php	https://threatfox.abuse.ch/ioc/163415/

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

solex.exe

Verdict:

Malicious activity

Analysis date:

2021-07-28 15:16:10 UTC

Tags:

trojan rat remcos

Link:

https://app.any.run/tasks/aaa64b29-e8f7-4157-8a97-e90ce3dfad99

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174710/

Detection(s):

SecuriteInfo.com.Variant.Razy.897973.30135.27251.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

REMCOS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d2f17132-ea23-4d17-b1c0-8b7bda6f6955

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/823431

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found malware configuration

GuLoader behavior detected

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-07-28 11:03:31 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=syyegik4ktzklmnonjjxq7wxrsbyx22xnytujyyemzpwchd7znqa._file

Verdict:

malicious

Label(s):

remcos

RemcosRAT

4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07

RemcosRAT

5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0

RemcosRAT

91e13d173fb96f025e17161b61686fa06272a048eececeb7d4e95ecdcb3de4b8

RemcosRAT

b9b1a3245f7aa2f9fadc4cff8343866030a63f297167df00ca0aa4284f453be1

RemcosRAT

d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

RemcosRAT

de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e

RemcosRAT

dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

RemcosRAT

eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298

RemcosRAT

+ 3'356 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:guloader family:remcos botnet:remotehost downloader rat

Link:

https://tria.ge/reports/210728-zb8n4e95be/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks QEMU agent file

Guloader,Cloudeye

Remcos

Malware Config

C2 Extraction:

wavesvc64.duckdns.org:1111

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/73621b29-b8d5-4917-a778-44c596637a38/

SH256 hash:

963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60

MD5 hash:

71e74306d9f78dbb9583c3327f875946

SHA1 hash:

086bc0e2994e030d79484b138ed57ea6611467dd

Link:

https://www.unpac.me/results/73621b29-b8d5-4917-a778-44c596637a38/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/174710/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample