MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f
SHA3-384 hash: 9c2c63eb1155d8dcee39d9933ca230b8a057c3d2a8cf2aae685236aa263247819fb778faf24e57e9ef927e527f437401
SHA1 hash: 3f07f116f194ca4b6d3938747c9fbe09ff3b53b6
MD5 hash: 55b2555c28d0acfdc0d069c430d95f42
humanhash: wisconsin-charlie-nine-floor
File name:rAUGORDER-INV21100351192110035120-EXPDOC´s.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:465'776 bytes
First seen:2023-09-06 15:17:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d4b94e8ee3f620a89d114b9da4b31873 (90 x GuLoader, 18 x njrat, 9 x RemcosRAT)
ssdeep 12288:65kqKEIzhlvPU+A9SegJHAZbuxGb5w66gBEkMc1rC8CE:DqJihlvPpA9rgdu7imB
Threatray 352 similar samples on MalwareBazaar
TLSH T165A42300ADA2A91BC5B3D7751F7B8AA41FB6C81192952807032B7CEC3C777425F9FA19
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6ae4ccbab486f470 (3 x RemcosRAT)
Reporter FXOLabs
Tags:exe RemcosRAT scr signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2023-05-06T01:05:01Z
Valid to:2026-05-05T01:05:01Z
Serial number: 09d5ec6c154d601a331c20dd7cdf09ec1b352659
Thumbprint Algorithm:SHA256
Thumbprint: 166c7591b1bdb0142a5f39475ea2983a933ab8bece85ae6cc74fb7991ec44471
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rAUGORDER-INV21100351192110035120-EXPDOC´s.scr
Verdict:
Suspicious activity
Analysis date:
2023-09-06 15:18:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/419a7f7a-9f9c-4f0f-9f61-2bb303432841

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446668/
Detection(s):
SecuriteInfo.com.FileRepMalware.17183.20619.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file in the %temp% subdirectories
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64f8982c31c991f8dc087628/reports/3bffbdbf-c09c-4fa1-854d-25b8396c9fc6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fd83d9a0-2fcc-40b4-8a67-af93775e883f
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304515
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1304515 Sample: rAUGORDER-INV21100351192110... Startdate: 06/09/2023 Architecture: WINDOWS Score: 100 30 ourt2949aslumes9.duckdns.org 2->30 32 micasaab.com 2->32 34 geoplugin.net 2->34 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Antivirus detection for URL or domain 2->52 54 12 other signatures 2->54 8 rAUGORDER-INV21100351192110035120-EXPDOC#U00b4s.scr.exe 4 51 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\System.dll, PE32 8->24 dropped 26 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 8->26 dropped 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->56 58 Writes to foreign memory regions 8->58 60 Tries to detect Any.run 8->60 62 Maps a DLL or memory area into another process 8->62 12 wab.exe 4 17 8->12         started        signatures6 process7 dnsIp8 36 94.156.6.253, 2402, 49986, 49987 NET1-ASBG Bulgaria 12->36 38 micasaab.com 185.10.75.14, 49985, 80 IRANHOST-ASIR Iran (ISLAMIC Republic Of) 12->38 40 geoplugin.net 178.237.33.50, 49988, 80 ATOM86-ASATOM86NL Netherlands 12->40 28 C:\Users\user\AppData\...\livsndvendighed.scr, PE32 12->28 dropped 64 Creates autostart registry keys with suspicious values (likely registry only malware) 12->64 66 Tries to detect Any.run 12->66 68 Maps a DLL or memory area into another process 12->68 70 Installs a global keyboard hook 12->70 17 wab.exe 1 12->17         started        20 wab.exe 1 12->20         started        22 wab.exe 2 12->22         started        file9 signatures10 process11 signatures12 42 Tries to steal Instant Messenger accounts or passwords 17->42 44 Tries to harvest and steal browser information (history, passwords, etc) 17->44 46 Tries to steal Mail credentials (via file / registry access) 20->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f/
Threat name:
Win32.Trojan.Makoob
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 12:04:40 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xv5bgxkdzqtnrn33cuobtox2xgpelq2etcfx3kih27ocsmyq2cpq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
012cdac9c7fabd82e1be72dcacb79bd73fabdef7bd148f4f1035943e5882270b
RemcosRAT
448234787d7924280fedbb49f5702f0483ef8046394f8adc14006f3f8b6793b2
RemcosRAT
5be9a105842416d225d391c67414ca7dd1f429a785edb44d76023d6bedc381ad
RemcosRAT
691b3c73fa3301b9c36de80df0e7aa9d551a87ccc77a04b93786d6f1f5a41969
RemcosRAT
80a10c6ddb0a21c9a5c8d1495612f8b8a50c17d6d4469f04fe2f5c0e1f7b2e97
RemcosRAT
a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80
RemcosRAT
ab2036dc90a503a003ed28e17ed2cf24001848be05580b6246656f88abe01c86
RemcosRAT
b4d2e40296ddd8f6127f9d2ba3703b134fee350602ee9c90f6d73737a2186a86
RemcosRAT
dd39027f02b3a47cb2677440f59575089a0673f134cff175d908be574ebc80ac
RemcosRAT
dfdedc4060f4944298bcdf25778b7f7eaaef43fdae61238d7debf88825e66294
RemcosRAT
+ 342 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230906-splkzagf8s/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Unpacked files
SH256 hash:
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
MD5 hash:
ee260c45e97b62a5e42f17460d406068
SHA1 hash:
df35f6300a03c4d3d3bd69752574426296b78695
Link:
https://www.unpac.me/results/466ba18f-41bb-4293-8147-29087a609aea/
SH256 hash:
bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f
MD5 hash:
55b2555c28d0acfdc0d069c430d95f42
SHA1 hash:
3f07f116f194ca4b6d3938747c9fbe09ff3b53b6
Link:
https://www.unpac.me/results/466ba18f-41bb-4293-8147-29087a609aea/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd7a135d43cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe bd7a135d43cc26d8b77b151c19bafab99e45c344988b7da907d7dc293310d09f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446668/

Comments