MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98
SHA3-384 hash:	8ba525650e5cd0dcb6cafd8491684ab721262aee721cc06258b063e599f68dff3fbfcaac1131624b4748944534e07d85
SHA1 hash:	50337a4aa52b65cac5fd2745c3fe7d88d503d00f
MD5 hash:	ace3e9fc3a2277aa4e72881c9f204642
humanhash:	hot-texas-nuts-nitrogen
File name:	CompanyLicense.exe
Download:	download sample
Signature	RemcosRAT Create hunting rule
File size:	98'304 bytes
First seen:	2021-01-19 16:23:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cdaaae34b462dd94bb47458bdb1adef4 (3 x RemcosRAT)
ssdeep	768:8zNE6BYzwvWXallllllllllllllllllllllllllllllllllllllllllllllllllK:oE66zwuoPMvaB5DqinLdNW2XLnolNI8
Threatray	3'578 similar samples on MalwareBazaar
TLSH	8EA3B133A244EBF9E2C7B0F64B2195A80054BCF04B65D507EDB83A192D727E7CD05A6E
Reporter	abuse_ch
Tags:	exe nVpn RAT RemcosRAT

abuse_ch

Malspam distributing RemcosRAT:

HELO: mta0.comestaly.com
Sending IP: 165.227.105.235
From: Isabel Flores <sales@comestaly.com>
Subject: New RFQ TK011821 For TASK
Attachment: CompanyLicense.rar (contains "CompanyLicense.exe")

RemcosRAT C2:
northside.hopto.org:2048

Intelligence

File Origin

# of uploads :

# of downloads :

205

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CompanyLicense.exe

Verdict:

No threats detected

Analysis date:

2021-01-19 15:59:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/708bf9f7-0775-4a52-bdad-ed27a8db47d6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Guloader

Link:

https://www.capesandbox.com/analysis/112941/

Detection(s):

Win.Malware.Banload-6981577-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file in the %temp% subdirectories

DNS request

Sending a custom TCP request

Creating a file

Creating a file in the %AppData% subdirectories

Setting a single autorun event

Setting a global event handler for the keyboard

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Remcos GuLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/585256

Signature

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Creates autostart registry keys with suspicious values (likely registry only malware)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Sigma detected: Remcos

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected GuLoader

Yara detected Remcos RAT

Yara detected VB6 Downloader Generic

Behaviour

Behavior Graph:

Download SVG

Detection:

remcos

Link:

https://mwdb.cert.pl/sample/c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-01-19 16:24:05 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y3htk42274hlurm2nipuwzlsfoqi36yl53kuwdpy5g7d5q7nxkma._file

Verdict:

malicious

Label(s):

guloader

RemcosRAT

27d318fe5d1d8f02c39b6b82690e4be83eeb3f357618cbabd7d808a23924b277

RemcosRAT

460aa0fd440b1acb5aa90b5667d4c387494f6622014e5d4115b1e3b6b080c5c0

RemcosRAT

4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe

RemcosRAT

4fb3528f5fc1a30b03cf69920e1db68cd4943c1c303a09cac0723a10abfcc378

RemcosRAT

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

RemcosRAT

ab77af2c0fe4a39b3e2ec7b7450ef36999baf7c66316f4b3934d5a60e124d50c

RemcosRAT

d3aa9fd1ed4af3cc3a49e612b93a03f799ada340c1c086f7403448fe77115bb1

RemcosRAT

e7cf4a0d3f94afea480bf5e64a658029d02191330244697ba9afd81dd5b56386

RemcosRAT

ecbbdea89347df30a9575353b8886499a88d30f5606f60c922c62e4a56637c74

RemcosRAT

+ 3'568 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:remcos persistence rat

Link:

https://tria.ge/reports/210119-stwgwhdhj2/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Remcos

Unpacked files

SH256 hash:

49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3

MD5 hash:

1f1b425190b2fb0396ad2d538b1060ba

SHA1 hash:

413f98641d46fdcabfcaf64f29495667de6282ea

Link:

https://www.unpac.me/results/a70d3b9a-b294-45d1-94cd-30f8ddd8baa0/

SH256 hash:

c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98

MD5 hash:

ace3e9fc3a2277aa4e72881c9f204642

SHA1 hash:

50337a4aa52b65cac5fd2745c3fe7d88d503d00f

Link:

https://www.unpac.me/results/a70d3b9a-b294-45d1-94cd-30f8ddd8baa0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_RemcosRAT Create hunting rule
Author:	abuse.ch

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Parallax Create hunting rule
Author:	@bartblaze
Description:	Identifies Parallax RAT.

Rule name:	Remcos Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Remcos in memory

Rule name:	remcos_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	REMCOS_RAT_variants Create hunting rule

Rule name:	win_remcos_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b1de92513b38931554d4195123ea234e

RemcosRAT

exe c6cf35735aff0eba459a6a1f4b65722ba08dfb0beed54b0df8e9be3ec3edba98

(this sample)

Dropped by

MD5 b1de92513b38931554d4195123ea234e

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/112941/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample