MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
SHA3-384 hash: 2455bec661a68ff3e8d2a8c832c50ff03a661baaa7de1ac506020f7de3f19c801cd0f3536b4d8546a0966628d1624d69
SHA1 hash: 151d4cd68958df35ae706cc232627a05e923307f
MD5 hash: 2dd62d78b9f7e9c5529502e085b55756
humanhash: saturn-ceiling-quebec-seventeen
File name:SBG-1100319PurchaseOrder.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:204'800 bytes
First seen:2021-04-15 19:30:05 UTC
Last seen:2021-04-15 20:52:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e917dfcbe7bbc83f756c722d2ba3704e (1 x RemcosRAT)
ssdeep 3072:hPLl4Y52bzb2z50FdSfZaa0e5+YghusL5PEqJ:hPLl4Y5s6ziKfx0eERV
Threatray 885 similar samples on MalwareBazaar
TLSH FA145496F21DF969EC3EC9B19A2003BB0C6C35311519825FC68E1F1A2271FE6CA57E47
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SBG-1100319PurchaseOrder.exe
Verdict:
Malicious activity
Analysis date:
2021-04-15 19:31:17 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/3c507bd2-0bce-404a-8ccf-467dbea34f1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/135422/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.6942.29345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Creating a file
Setting a keyboard event handler
Creating a file in the %AppData% subdirectories
Setting a single autorun event
Connection attempt to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/678273
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Potential malicious icon found
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 388089 Sample: SBG-1100319PurchaseOrder.exe Startdate: 15/04/2021 Architecture: WINDOWS Score: 100 30 sheilabeltagy4m.hopto.org 2->30 32 micheal3m.hopto.org 2->32 46 Potential malicious icon found 2->46 48 Found malware configuration 2->48 50 Yara detected GuLoader 2->50 52 5 other signatures 2->52 8 SBG-1100319PurchaseOrder.exe 1 1 2->8         started        11 wscript.exe 2->11         started        signatures3 process4 signatures5 58 Creates autostart registry keys with suspicious values (likely registry only malware) 8->58 60 Contains functionality to detect hardware virtualization (CPUID execution measurement) 8->60 62 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 8->62 64 3 other signatures 8->64 13 SBG-1100319PurchaseOrder.exe 2 12 8->13         started        18 filename1.exe 1 11->18         started        process6 dnsIp7 40 micheal3m.hopto.org 79.134.225.124, 2048, 49722, 49725 FINK-TELECOM-SERVICESCH Switzerland 13->40 42 vug8la.am.files.1drv.com 13->42 44 3 other IPs or domains 13->44 24 C:\Users\user\AppData\Local\...\filename1.exe, PE32 13->24 dropped 26 C:\Users\user\AppData\Roaming\...\logs.dat, data 13->26 dropped 28 C:\Users\user\AppData\Local\...\filename1.vbs, ASCII 13->28 dropped 66 Hides threads from debuggers 13->66 68 Installs a global keyboard hook 13->68 70 Contains functionality to detect hardware virtualization (CPUID execution measurement) 18->70 72 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 18->72 74 Tries to detect Any.run 18->74 76 2 other signatures 18->76 20 filename1.exe 7 18->20         started        file8 signatures9 process10 dnsIp11 34 vug8la.am.files.1drv.com 20->34 36 onedrive.live.com 20->36 38 dm-files.fe.1drv.com 20->38 54 Tries to detect Any.run 20->54 56 Hides threads from debuggers 20->56 signatures12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 19:30:15 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yy5d7bv6ibvbd2hxoycahzahvf2ec5jsax4m55bs7vruqvwkfgja._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
RemcosRAT
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
RemcosRAT
479f929625a3e8a8f98256c3a020f5946e0d88fd7e3582e47b63500679d46585
RemcosRAT
522735989689a96d0e10e926aae941e58a695062254573c5796bb129e4c7703e
RemcosRAT
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
RemcosRAT
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
RemcosRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
RemcosRAT
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
RemcosRAT
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
RemcosRAT
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
RemcosRAT
+ 875 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader guloader persistence rat
Link:
https://tria.ge/reports/210415-wv37m4hz3a/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Guloader Payload
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
sheilabeltagy4m.hopto.org:2048
micheal3m.hopto.org:2048
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/ba49989f-9214-4c14-ac7d-7661d39b2d6d/
SH256 hash:
c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992
MD5 hash:
2dd62d78b9f7e9c5529502e085b55756
SHA1 hash:
151d4cd68958df35ae706cc232627a05e923307f
Link:
https://www.unpac.me/results/ba49989f-9214-4c14-ac7d-7661d39b2d6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c63a3f86be406a11e8f7760403e407a97441753205f8cef432fd634856ca2992

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/135422/

Comments