MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
SHA3-384 hash: 8072be54a54e5498ed5478201681b6db779aab4b8fa16c6f157721044f8c0d27c4b54097f3360594d966d54837d2411f
SHA1 hash: 44f5fdf6902d114524afc110cd927f95f72903fa
MD5 hash: 04be7ed51e345a56403df4657b376990
humanhash: mirror-pluto-cardinal-wisconsin
File name:Scan_order.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:77'824 bytes
First seen:2021-01-11 07:07:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 064d9ba8d40942674328edc4d8e0fd2c (1 x RemcosRAT)
ssdeep 1536:Klk8B6BXvSJtdFpIqRD0rKMIU/EmmwMOKEKkLQJDy2:crYVvOtdFp9gK88zOKEKkLQJd
TLSH 037309D3F550EDB1C4E981B89B12C16E0069B9F3BD99D9C3B9803B6C1332DDD9834A56
Reporter abuse_ch
Tags:GuLoader RemcosRAT scr


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: slot0.jocmachinerys.com
Sending IP: 45.85.90.246
From: Wendy Cheng <info@daimler.com>
Reply-To: swiftlogz@yandex.com
Subject: RE: RE: REQUEST FOR YOUR COMPANY QUOTATION
Attachment: Scan_order.r26 (contains "Scan_order.scr")

GuLoader payload URL:
https://drive.google.com/uc?export=download&id=1LZsqqMCLui4uAjpAqMIbGbmi-9F8VM3f

RemcosRAT C2:
wealthyblessed.myddns.rocks:52360 (185.157.161.61)

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan_order.scr
Verdict:
Suspicious activity
Analysis date:
2021-01-11 07:08:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d4f8298a-e597-4b28-a6ef-b3a05e21aaa5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111195/
Detection(s):
SecuriteInfo.com.generic.ml.26428.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577600
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vn326lap4srzwproy63ukdxtngm3v56gmmlpjm4tjvngbyje2uga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
netwirerc
Create hunting rule
guloader
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210111-f9bpjx4dp6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Remcos
Unpacked files
SH256 hash:
ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c
MD5 hash:
04be7ed51e345a56403df4657b376990
SHA1 hash:
44f5fdf6902d114524afc110cd927f95f72903fa
Link:
https://www.unpac.me/results/bee41933-0b58-4e7e-b627-2a893ea9fc0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

rar 8858142380f173d5001f62408bbd6a58db25db8402e81ee953ab572afa19cbd6

RemcosRAT

Executable exe ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/950966/
  
Dropped by
MD5 72db5f4820cf5e896da89ea1a0c25fa3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111195/
  
Dropped by
SHA256 8858142380f173d5001f62408bbd6a58db25db8402e81ee953ab572afa19cbd6

Comments