MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af
SHA3-384 hash: cb163026598e483661c6a78be79d4c6861597c43c8aa358547f1c37d3cb53c4e8b9101dd0baa18be6386e676d3a4d1e6
SHA1 hash: 66b765c634843c74e2f29a96f157156176490a46
MD5 hash: 578b5b7120dd9e637a2fd145190e7157
humanhash: papa-leopard-stairway-bacon
File name:578b5b7120dd9e637a2fd145190e7157
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:86'016 bytes
First seen:2021-07-23 11:14:47 UTC
Last seen:2021-07-23 11:50:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a085a0755db929b477f6fe3456be884d (2 x RemcosRAT)
ssdeep 1536:t6N+QkhSJzrSXKUUMrgQMFxENgbVDFkZm4u:t6MQ8wovrgQMF6ybVDFkMR
Threatray 3'161 similar samples on MalwareBazaar
TLSH T1DF834A2E65C09A33E60016F05D05094B025E3733EF1A5E0B9D79AF1DE9BE9938DB1B0B
dhash icon a01cb88c8c8c8cb0 (12 x GuLoader, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dyno.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 09:20:49 UTC
Tags:
trojan rat remcos
Link:
https://app.any.run/tasks/39533895-e2e1-4ec5-a993-885c173e72d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173600/
Detection(s):
SecuriteInfo.com.Variant.Razy.896770.7548.23452.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e78dcbca-ce5e-449d-a9b2-3ef73163ec6b
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820713
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453124 Sample: Dy5DMJ9rAL Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected GuLoader 2->31 33 5 other signatures 2->33 7 Dy5DMJ9rAL.exe 1 2->7         started        10 MSKSSRV.sys 2->10         started        12 MSTEE.sys 2->12         started        process3 signatures4 43 Contains functionality to detect hardware virtualization (CPUID execution measurement) 7->43 45 Writes to foreign memory regions 7->45 47 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->47 49 3 other signatures 7->49 14 ieinstal.exe 2 7 7->14         started        18 ieinstal.exe 7->18         started        process5 dnsIp6 23 wavesvc32.duckdns.org 156.96.119.123, 1144, 49730, 49735 VDI-NETWORKUS United States 14->23 25 belike.duckdns.org 23.146.242.93, 49728, 80 VDI-NETWORKUS Reserved 14->25 51 Tries to detect Any.run 14->51 53 Hides threads from debuggers 14->53 20 dxdiag.exe 147 8 14->20         started        signatures7 process8 signatures9 35 Query firmware table information (likely to detect VMs) 20->35 37 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 20->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->39 41 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 20->41
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 11:15:16 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
RemcosRAT
239629ce61bd284521557512f4781f72e7b8bdd56a8691845dc180ffc77b5252
RemcosRAT
26209a2258e61ef810975bfcff8e49a30e38cbd4901b2cc14f2a163f360e99ee
RemcosRAT
59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002
RemcosRAT
59e2ae18fae10822e5363cb8866f2327ecb3b0107d4f13e8f8b8eb58568a2b08
RemcosRAT
6407ccfb541f544c29296abdfb990a57131ea45e45e1ae2a0d947b6fe62d49e2
RemcosRAT
815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4
RemcosRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
RemcosRAT
a76f692240be874358bd241860d2f492eca687f44e0bffade3b631ccf142117d
RemcosRAT
d9da34178f5af034a46aa98a5df2b516854bc866670358c18c5c61266a8fd351
RemcosRAT
+ 3'151 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost downloader rat
Link:
https://tria.ge/reports/210723-4bdzgegt7x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
wavesvc32.duckdns.org:1144
Unpacked files
SH256 hash:
d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af
MD5 hash:
578b5b7120dd9e637a2fd145190e7157
SHA1 hash:
66b765c634843c74e2f29a96f157156176490a46
Link:
https://www.unpac.me/results/29ed1961-cf47-4baa-9421-3b6c16fb921f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe d3257f22e55152e6f6814a0d273d4113f802e9cf39a4841622a7b82cf38bd6af

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173600/
  
URLhaus
https://urlhaus.abuse.ch/url/1475800/
  
URLhaus
https://urlhaus.abuse.ch/url/1475821/

Comments


Avatar
zbet commented on 2021-07-23 11:14:49 UTC

url : hxxp://linkd.duckdns.org/11d/dyno.exe