MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
SHA3-384 hash: 244410fe398dd8627d4da3ba7db0d9e98fadb4fe328f09d730f531c2c62ca82ca18fb4963e7539800a36611279a9e8df
SHA1 hash: ad87e2bddaba6e302f3441ef51fa0b64880cd007
MD5 hash: 1034b0592238bb02bfa08d4817a3e5ed
humanhash: comet-undress-may-bakerloo
File name:1034b0592238bb02bfa08d4817a3e5ed
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:622'928 bytes
First seen:2022-02-25 07:03:52 UTC
Last seen:2022-02-25 09:07:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:3bZXDhvop+KUtr3qBM3c1b1keyjkRFBjIFenVVzj5uqd:3bFBYm3qBf1b1tIUnVpjB
Threatray 10'423 similar samples on MalwareBazaar
TLSH T12BD42396EF75D837E0B08C3425A2F2296B6C5F126F195E5367C07A4BE973DC28C26D02
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:BREVFLETNINGERS
Issuer:BREVFLETNINGERS
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-24T23:22:18Z
Valid to:2023-02-24T23:22:18Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 0159ab9f7effd3d9818805d3780f3482ff0ff90ff893a7df7af006667f18a705
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244623/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.28394.28495.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7383/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62187f6adfdfa8501c5901f3/reports/de72e5e8-cbe7-4d2a-a819-57d8dba315eb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ae067e0-f639-4f5f-b609-8ca9d736c568
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946246
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 578728 Sample: pbXis1wqjF.exe Startdate: 25/02/2022 Architecture: WINDOWS Score: 100 64 davidwongwarzone.zapto.org 2->64 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Found malware configuration 2->74 76 10 other signatures 2->76 12 pbXis1wqjF.exe 23 2->12         started        16 UDP.exe 17 2->16         started        signatures3 process4 file5 52 C:\Users\user\AppData\Local\...\firefox.exe, PE32+ 12->52 dropped 54 C:\Users\user\AppData\Local\...\System.dll, PE32 12->54 dropped 56 C:\Users\user\AppData\...\crashreporter.exe, PE32+ 12->56 dropped 58 C:\Users\user\AppData\Local\Temp\VMWSU.dll, PE32+ 12->58 dropped 96 Tries to detect Any.run 12->96 98 Hides threads from debuggers 12->98 100 Drops executable to a common third party application directory 12->100 18 pbXis1wqjF.exe 4 10 12->18         started        60 C:\Users\user\AppData\Local\...\System.dll, PE32 16->60 dropped 23 UDP.exe 6 16->23         started        signatures6 process7 dnsIp8 66 136.144.41.109, 49778, 49784, 49792 WORLDSTREAMNL Netherlands 18->66 46 C:\Users\user\AppData\Roaming\UDP.exe, PE32 18->46 dropped 48 C:\Users\user\...\UDP.exe:Zone.Identifier, ASCII 18->48 dropped 50 C:\Users\user\AppData\Local\...\install.vbs, data 18->50 dropped 78 Tries to detect Any.run 18->78 80 Hides threads from debuggers 18->80 25 wscript.exe 1 18->25         started        file9 signatures10 process11 process12 27 cmd.exe 1 25->27         started        process13 29 UDP.exe 17 27->29         started        33 conhost.exe 27->33         started        file14 62 C:\Users\user\AppData\Local\...\System.dll, PE32 29->62 dropped 102 Multi AV Scanner detection for dropped file 29->102 104 Detected unpacking (changes PE section rights) 29->104 106 Tries to steal Mail credentials (via file registry) 29->106 108 2 other signatures 29->108 35 UDP.exe 2 7 29->35         started        signatures15 process16 dnsIp17 68 davidwongwarzone.zapto.org 54.209.212.142, 2030, 49785, 49786 AMAZON-AESUS United States 35->68 82 Tries to detect Any.run 35->82 84 Hides threads from debuggers 35->84 86 Installs a global keyboard hook 35->86 88 Injects a PE file into a foreign processes 35->88 39 UDP.exe 1 35->39         started        42 UDP.exe 35->42         started        44 UDP.exe 2 35->44         started        signatures18 process19 signatures20 90 Tries to steal Instant Messenger accounts or passwords 39->90 92 Tries to harvest and steal browser information (history, passwords, etc) 39->92 94 Tries to steal Mail credentials (via file / registry access) 42->94
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 07:04:15 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=thyqaerpkkakyrf4ahz3w7pz2o6ws2atgxs7kdkn37wkn2fmhsyq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
remcos
Create hunting rule
Similar samples:
354da6fb77b3ee3bdb54e8c160fd24f542ff0f4a3aff092c19df3058c4228277
RemcosRAT
41ab72f9ce1e64f569029d8b3f8c2fdf680fb75113b8d7451bc8d988cd5f6bd2
RemcosRAT
548aefb935e11a84133bd8b3d367d988b9ad2e3bde7f4c0fffcf6a94b529be72
RemcosRAT
57e117773ebe7caaac7d1db9759f5c8313d15db896f7b736459c65164770a5f5
RemcosRAT
6f476c63a6d699d1f0166313deb1e0f623c689882de8411bcd4f0b4f880526dd
RemcosRAT
80815a7e6ad20eed27bf6b3112f7b735d102cfc375e40444cef9abca506ed80a
RemcosRAT
d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701
RemcosRAT
e4b26e2c09188228c4db16281887a17e90baaf95c7b691fa75d05af9f79ff20a
RemcosRAT
+ 10'413 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:gee2022 collection downloader persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/220225-hvysdagfaj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
Remcos
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Generic .bin download from Dotted Quad
Malware Config
C2 Extraction:
davidwongwarzone.zapto.org:2030
Unpacked files
SH256 hash:
99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1
MD5 hash:
1034b0592238bb02bfa08d4817a3e5ed
SHA1 hash:
ad87e2bddaba6e302f3441ef51fa0b64880cd007
Link:
https://www.unpac.me/results/f7440e87-f09d-4dfb-9217-95cb21b2484a/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/99f100122f52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 99f100122f5280ac44bc01f3bb7df9d3bd69681335e5f50d4ddfeca6e8ac3cb1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2059382/
Cape
Cape
https://www.capesandbox.com/analysis/244623/

Comments


Avatar
zbet commented on 2022-02-25 07:03:53 UTC

url : hxxp://136.144.41.109/GWI.exe