MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22
SHA3-384 hash: a7dec5badb2e2d87463392ad0a4ff45aa4fc904ba30094a4939a26a98c2114042257cbc5dd69648d133a3c3a70ad8de9
SHA1 hash: 84f1a13db54fae3e9bd36f5e9495eadf27a8c186
MD5 hash: 73cccd4047778e7136529b8aa5f6d603
humanhash: monkey-rugby-eighteen-zebra
File name:Order List0420.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:697'992 bytes
First seen:2023-04-20 13:14:08 UTC
Last seen:2023-04-20 13:15:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 12288:CT5tHp4biwfqthsyJ9+CIcnf2ASLCbEOO16tcXHCojpaX1wHZ+0lDepfJMoEVX:CT5t612sM9zULCoOY6qnA1OZ+6DepfJy
Threatray 605 similar samples on MalwareBazaar
TLSH T13CE423027B50CA37E2DDAB71886A8E779FF1F422A9E11B0363C42E0E79425549D1F2DD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b96971d5d1556533 (2 x RemcosRAT)
Reporter James_inthe_box
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-22T05:03:40Z
Valid to:2026-03-21T05:03:40Z
Serial number: 50f46be07b3397f3a636b1b1fd88c907c42f0071
Thumbprint Algorithm:SHA256
Thumbprint: dfab015393cd5bcc26c148fbb81d5696c9089760f583723d4e084a3e2d3e1928
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order List0420.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 13:15:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/414799e8-3113-4495-a94d-40be46b7b9b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383775/
Detection(s):
SecuriteInfo.com.W32.Trojan.QGBD-1195.28523.22458.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for the window
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80672/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64413ad82efbb8b9c3f534d8/reports/e9e0e1e6-cdd1-4af7-8b65-fb86034597fe/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2ac9eb92-1a5d-4807-8616-9bb0f7a1f7da
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218043
Signature
Contains functionality to modify clipboard data
Found potential ransomware demand text
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 850985 Sample: Order_List0420.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 39 googlehosted.l.googleusercontent.com 2->39 41 geoplugin.net 2->41 43 2 other IPs or domains 2->43 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected GuLoader 2->57 59 Sigma detected: Remcos 2->59 61 5 other signatures 2->61 10 Order_List0420.exe 23 2->10         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\...\Biters.Ger, ASCII 10->35 dropped 37 C:\Users\user\AppData\Roaming\...\mozglue.dll, PE32+ 10->37 dropped 73 Suspicious powershell command line found 10->73 75 Obfuscated command line found 10->75 14 powershell.exe 12 10->14         started        signatures6 process7 signatures8 77 Very long command line found 14->77 17 powershell.exe 13 14->17         started        20 conhost.exe 14->20         started        process9 signatures10 51 Writes to foreign memory regions 17->51 53 Tries to detect Any.run 17->53 22 ieinstal.exe 3 16 17->22         started        process11 dnsIp12 45 googlehosted.l.googleusercontent.com 142.250.186.129, 443, 49837 GOOGLEUS United States 22->45 47 drive.google.com 172.217.18.110, 443, 49836 GOOGLEUS United States 22->47 49 2 other IPs or domains 22->49 63 Tries to detect Any.run 22->63 65 Maps a DLL or memory area into another process 22->65 26 ieinstal.exe 1 22->26         started        29 ieinstal.exe 22->29         started        31 ieinstal.exe 22->31         started        33 9 other processes 22->33 signatures13 process14 signatures15 67 Tries to steal Instant Messenger accounts or passwords 26->67 69 Tries to steal Mail credentials (via file / registry access) 26->69 71 Tries to harvest and steal browser information (history, passwords, etc) 33->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=venvwpt75tbrmxap4txzrcsbw24zvas2djalel66m77243ub3mra._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
RemcosRAT
25ba5a9b278c96af068849f26564bdb27513e7cded6c256bf5a0034e53f2f11d
RemcosRAT
2ddedbfd89d5ae3cb31d0e3108ed33fff300d99511fb60869506bc1e3ed1d483
RemcosRAT
3c49ef8a8afc483a1e5a58dc76cb46edfa4316561bf2265b323c9f6f572fd447
RemcosRAT
3e8abea82786b2611c3dde68089c20f9cd37dc84da3d0b97a3b3d500aa287ee2
RemcosRAT
6966144426edc4d696a5cae07695d56532e5c960c845fe1c1c9efdaddb130754
RemcosRAT
936ef3a90e5433d26c707b0660fb1530a3f717734dc0c86568854c6131f954f7
RemcosRAT
b4b257be639f431e64226bc29a3e97f7cc8ece1c427a8fe5ce615b54fc00945a
RemcosRAT
c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
RemcosRAT
e894ef9ffce56aa490655d0c7693a51a4125f3e49abba3ddbf9c0d2da250c768
RemcosRAT
+ 595 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost collection downloader rat
Link:
https://tria.ge/reports/230420-qg8dnaca5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook accounts
Checks QEMU agent file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
45.82.84.10:2408
Unpacked files
SH256 hash:
a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22
MD5 hash:
73cccd4047778e7136529b8aa5f6d603
SHA1 hash:
84f1a13db54fae3e9bd36f5e9495eadf27a8c186
Link:
https://www.unpac.me/results/818da119-f993-4ae4-aa3b-d21f3cbad7c8/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a91b5b3e7fec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/383775/

Comments