MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1fd547ad0224d0be610644c1e65feca18df843f079d9839537dc9f6b3e2a87e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 14



SHA256 hash: a1fd547ad0224d0be610644c1e65feca18df843f079d9839537dc9f6b3e2a87e
SHA3-384 hash: 4d6f55df9ada4159876c8426b4a70822bf51c4eef68b12b62f8601bc3be850a3f40df40a7fc9b8a8316db1da9124b442
SHA1 hash: 1359dd4b41a975fc1b33d86760f45ccd6d59dafb
MD5 hash: c199744f1018f349f0acca6e5fbe514a
humanhash: single-monkey-five-music
File name: Quotation request List.exe
Signature: RemcosRAT
File size: 1'357'328 bytes
First seen: 2025-04-28 11:58:32 UTC
Last seen: 2025-04-28 11:59:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7ed0d71376e55d58ab36dc7d3ffda898 (133 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep: 24576:rncIY4zoLa0naVMNDIwrv5+S+RPBRKtI7kEGtgfOtAotG1nHGcdW2ovlFw2y+pW:rncIlzoLa0naVMNUwxTMPB0tI5Wgkta5
TLSH: T1A555BEC268408395DCBBF2F264DA55381AD62CEE91E511896EF5725C04F1AFBCC2E93C
TrID:
47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 0e0e031b156d03a6 (5 x GuLoader, 2 x RemcosRAT)
Reporter: cocaman
Tags: exe QUOTATION RemcosRAT signed

The imphash is shared with 133 GuLoader and 23 AgentTesla uploads and the icon dhash with 5 GuLoader uploads, so both pivot on the common loader/installer stub rather than on the Remcos payload; treat matches on them as "same packer", not "same family".

Code Signing Certificate

Organisation: Forsommeren
Issuer: Forsommeren
Algorithm: sha256WithRSAEncryption
Valid from: 2024-05-17T00:32:09Z
Valid to: 2025-05-17T00:32:09Z
Serial number: 783ff5dabcfd80478c0c0b7674f3a22983790292
Thumbprint algorithm: SHA256
Thumbprint: c894831dba06cd40965f2b8ccf6cbcef629ce345a918e0618610156065438be4
Source: ReversingLabs A1000 Malware Analysis Platform

The issuer is identical to the organisation, so this is a self-issued certificate that chains to no publicly trusted CA; the signed tag records only that an Authenticode signature is present, not that Windows would trust it. The sample was uploaded less than three weeks before the certificate's expiry, and Joe Sandbox separately flagged the signature as suspicious (see below). When pivoting, the serial number and thumbprint are the reusable indicators, not the organisation string.

Intelligence


File Origin
# of uploads: 2
# of downloads: 541
Origin country: CH
Vendor Threat Intelligence

Result
ID: 1
File name: Quotation request List.exe
Verdict: Malicious activity
Analysis date: 2025-04-28 12:03:29 UTC
Tags: rat remcos auto-reg remote
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malicious
Score: 99.1%
Tags: uloader virus nsis blic

Result
Verdict: Clean
Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Delayed reading of the file

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context blackhole installer microsoft_visual_cc overlay packed signed
Result
Threat name: Remcos, GuLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph ID 1676238 (sample: Quotation request List.exe, start date 28/04/2025, architecture WINDOWS, score 100). The graph image is not reproduced; the nodes and edges it records are:
Network: 185.244.30.100 (DAVID_CRAIGGG, Netherlands); drive.usercontent.google.com 142.250.68.225:443 from local port 49725 and drive.google.com 142.250.68.238:443 from local port 49724 (GOOGLEUS, United States)
Process chain: Quotation request List.exe starts a second Quotation request List.exe instance, which performs the Google Drive connections, drops C:\ProgramData\Remcos\remcos.exe and starts it; three further remcos.exe instances are started at the top level
Dropped files: C:\Users\user\AppData\Local\...\System.dll (PE32, dropped by the first Quotation request List.exe instance and again by remcos.exe); C:\ProgramData\Remcos\remcos.exe (PE32); C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
Signatures by node: top level: Found malware configuration, Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, 8 other signatures; second Quotation request List.exe instance: Detected Remcos RAT, Creates autostart registry keys with suspicious names; remcos.exe: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Tries to detect virtualization through RDTSC time measurements
The System.dll written under AppData\Local, together with the nsis tag reported above, points to an NSIS installer stub (NSIS unpacks its plugin DLLs to a temporary directory). The Remcos stage appears to be retrieved from Google Drive rather than carried inside the installer, which is what the "legitimate hosting services abused" finding below refers to.
Result
Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2025-04-28 01:30:26 UTC
File type: PE (Exe)
Extracted files: 9
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:guloader family:remcos botnet:remotehost credential_access discovery downloader persistence rat stealer
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses browser remote debugging
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Malware Config
C2 Extraction:
185.244.30.100:4801
185.244.30.100:4802
185.244.30.100:4800
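The behaviour list and C2 extraction above translate directly into host-side detection logic. The following Python is an added example, not code from MalwareBazaar or any of the vendors listed; the telemetry lines are constructed here in a simplified key=value form loosely modelled on Sysmon event fields, and the Run value name `remcos`, the Desktop lure path and the browser process are assumptions made for the example.

```python
import re

# Indicators taken from this entry: the C2 extraction (185.244.30.100:4800-4802)
# and the Joe Sandbox process tree (C:\ProgramData\Remcos\remcos.exe, Run key).
C2_HOST = "185.244.30.100"
C2_PORTS = {4800, 4801, 4802}
DROP_PATHS = {"c:\\programdata\\remcos\\remcos.exe"}
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed telemetry, not real logs: a simplified key=value rendering of
# Sysmon-style events. The value name "remcos", the Desktop lure path and the
# Firefox process are assumptions for the example.
SAMPLE_EVENTS = [
    r'event=ProcessCreate image="C:\Users\user\Desktop\Quotation request List.exe" parent="C:\Windows\explorer.exe"',
    r'event=FileCreate image="C:\Users\user\Desktop\Quotation request List.exe" target="C:\ProgramData\Remcos\remcos.exe"',
    r'event=RegistrySet image="C:\Users\user\Desktop\Quotation request List.exe" target="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos" details="C:\ProgramData\Remcos\remcos.exe"',
    r'event=ProcessCreate image="C:\ProgramData\Remcos\remcos.exe" parent="C:\Users\user\Desktop\Quotation request List.exe"',
    r'event=NetworkConnect image="C:\ProgramData\Remcos\remcos.exe" dst=185.244.30.100 dport=4801',
    r'event=NetworkConnect image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=142.250.68.238 dport=443',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}


def detect(lines):
    """Run the Remcos rules over telemetry lines.

    Returns (line_number, rule_name) pairs, 1-based. Every rule keys on a
    concrete indicator from this entry (drop path, Run key pointing at the
    drop path, C2 host and port), so a browser talking to Google over 443
    during the GuLoader download stage produces nothing.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        kind = ev.get("event")
        image = ev.get("image", "").lower()
        target = ev.get("target", "").lower()
        if kind == "FileCreate" and target in DROP_PATHS:
            alerts.append((n, "remcos_drop"))
        elif (kind == "RegistrySet" and RUN_KEY_MARKER in target
              and ev.get("details", "").lower() in DROP_PATHS):
            alerts.append((n, "remcos_runkey_persistence"))
        elif kind == "ProcessCreate" and image in DROP_PATHS:
            alerts.append((n, "remcos_dropped_exec"))
        elif (kind == "NetworkConnect" and ev.get("dst") == C2_HOST
              and ev.get("dport", "").isdigit() and int(ev["dport"]) in C2_PORTS):
            alerts.append((n, "remcos_c2_beacon"))
    return alerts


if __name__ == "__main__":
    for n, rule in detect(SAMPLE_EVENTS):
        print(f"line {n}: {rule}")
```

The Google Drive stage is deliberately not alerted on by destination: drive.usercontent.google.com over 443 is indistinguishable from legitimate traffic by host name alone, so that stage is better caught by the initiating process (a document-named executable in a user directory opening the connection) than by a network IOC.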
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash: a1fd547ad0224d0be610644c1e65feca18df843f079d9839537dc9f6b3e2a87e
MD5 hash: c199744f1018f349f0acca6e5fbe514a
SHA1 hash: 1359dd4b41a975fc1b33d86760f45ccd6d59dafb

SHA256 hash: 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
MD5 hash: 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 hash: caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

The first entry is the submitted sample itself (same hashes as in the file information above); only the second set of hashes is a new artefact from unpacking.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: RemcosRAT
File: Executable exe a1fd547ad0224d0be610644c1e65feca18df843f079d9839537dc9f6b3e2a87e (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

HIGH_ENTROPY_VA only affects 64-bit images (it allows ASLR to use the full 64-bit address space). TrID classifies this file as a Win32 executable and the sandboxes tag it nsis, so the flag's absence is expected for a 32-bit installer stub rather than evidence that mitigations were deliberately stripped; read the BLint severity with that in mind.

Reviews

ID: COM_BASE_API
Capabilities: Can Download & Execute components
Evidence: ole32.dll::CoCreateInstance

ID: SHELL_API
Capabilities: Manipulates System Shell
Evidence: SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::GetWindowsDirectoryW

ID: WIN_REG_API
Capabilities: Can Manipulate Windows Registry
Evidence: ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW

ID: WIN_USER_API
Capabilities: Performs GUI Actions
Evidence: USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

These imports describe the outer installer executable as submitted; the credential-theft and remote-control capabilities reported by the sandboxes belong to the unpacked Remcos stage and do not appear in this static import list.

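To reproduce BLint's CHECK_DLL_CHARACTERISTICS finding without the tool, and to see why HIGH_ENTROPY_VA reads differently on a 32-bit image, here is an added stdlib-only Python parser for the DllCharacteristics field of the PE optional header. It is example code, not BLint's own implementation or MalwareBazaar's; the test image it builds is constructed, not this sample, and the `EXPECTED` baseline of mitigations is an assumption.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumed baseline: mitigations a modern user-mode binary is expected to opt into.
EXPECTED = ("DYNAMIC_BASE", "NX_COMPAT", "HIGH_ENTROPY_VA", "GUARD_CF")
PE32, PE32PLUS = 0x10B, 0x20B


def dll_characteristics(data: bytes):
    """Return (is_64bit, set_of_flag_names) from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts:
    # the 8-byte ImageBase of PE32+ is balanced by its missing BaseOfData.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    names = {name for bit, name in DLL_CHARACTERISTICS.items() if flags & bit}
    return magic == PE32PLUS, names


def audit(data: bytes) -> dict:
    """BLint-style check: which expected mitigations are absent.

    HIGH_ENTROPY_VA only has meaning for 64-bit images (it lets ASLR use the
    full 64-bit address space), so for PE32 it is reported as not applicable
    rather than missing.
    """
    is64, present = dll_characteristics(data)
    missing, not_applicable = [], []
    for name in EXPECTED:
        if name in present:
            continue
        if name == "HIGH_ENTROPY_VA" and not is64:
            not_applicable.append(name)
        else:
            missing.append(name)
    return {"arch": "PE32+" if is64 else "PE32", "present": sorted(present),
            "missing": missing, "not_applicable": not_applicable}


def build_header_only_pe(magic: int, flags: int) -> bytes:
    """Constructed minimal PE (headers only, no sections) for exercising the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    opt_size = 0xF0 if magic == PE32PLUS else 0xE0
    machine = 0x8664 if magic == PE32PLUS else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE|32BIT)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed 32-bit image with DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE set.
    print(audit(build_header_only_pe(PE32, 0x8140)))
```

On a real file, `audit(open(path, "rb").read())` gives the same split: anything in `missing` is a genuine gap, anything in `not_applicable` is a flag the architecture cannot carry.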