MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701
SHA3-384 hash: e3fd0ead433cba28224779f7ec9bb11cf84c1c9e945779e87212d758306a5ec189128b4726c28806f657886dee4a4f7d
SHA1 hash: 94b39b2dcf8682cb2b5b039428219ca4a6d6eb6b
MD5 hash: e39cccd2c1f0998f0e34fa525132868d
humanhash: low-carpet-thirteen-illinois
File name:e39cccd2c1f0998f0e34fa525132868d
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:135'168 bytes
First seen:2021-08-17 10:17:34 UTC
Last seen:2021-08-17 10:47:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 37e215a56c837657c68542780cbce344 (2 x GuLoader, 1 x RemcosRAT)
ssdeep 3072:Xu9+L1Dpafpq70qTfRSlO9ts42CvASp+2H8UeH:X6+L1DkfPqTJSAPs42CvzpFc
Threatray 4'394 similar samples on MalwareBazaar
TLSH T1A8D3D0D0F98BFDA1E0820F710875505C53D6B92882940F277BBFDB7A1B7BA811E8522D
Reporter zbetcheckin
Tags:32 exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank Details.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-17 08:55:02 UTC
Tags:
encrypted opendir exploit CVE-2017-11882
Link:
https://app.any.run/tasks/a0abf609-0b68-41a0-b9ec-f8d0460b8ea3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179936/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.8987.31370.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Setting a single autorun event
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/118f36ba-1ec8-4f99-b5b8-b0e230aed6c3
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834257
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 09:23:22 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ecax6fnovonihogezwa4acj6s5mb2vch4mke2jrgv76ehdrs4aq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
RemcosRAT
2bf17b827e1be1f3a8b305a4e215347d08d32ccac5eb4028d49391b30c6ac4a7
RemcosRAT
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
RemcosRAT
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
RemcosRAT
815b5f62adb35607df07859bfd1b75763bf525643e7f21d5a0f8803dd0e86be4
RemcosRAT
8653a11ee811265418a3b6f12945c585b77aea72f02b2d80f481c1100d895299
RemcosRAT
a76f692240be874358bd241860d2f492eca687f44e0bffade3b631ccf142117d
RemcosRAT
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
RemcosRAT
fdbd4ab43b66094471908c19e02c0e981c6c870ee546c53d31165936b5791596
RemcosRAT
+ 4'384 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost downloader persistence rat
Link:
https://tria.ge/reports/210817-bvpvp9qraa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
WEALTH.dynuddns.com:39200
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/fc8d69ab-7e3f-43d3-904e-cd3a8abdd857/
SH256 hash:
d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701
MD5 hash:
e39cccd2c1f0998f0e34fa525132868d
SHA1 hash:
94b39b2dcf8682cb2b5b039428219ca4a6d6eb6b
Link:
https://www.unpac.me/results/fc8d69ab-7e3f-43d3-904e-cd3a8abdd857/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d9040bf8ad75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1541280/
Cape
Cape
https://www.capesandbox.com/analysis/179936/
  
URLhaus
https://urlhaus.abuse.ch/url/1541661/

Comments


Avatar
zbet commented on 2021-08-17 10:17:37 UTC

url : hxxp://198.23.207.82/rmp/vbc.exe