MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9
SHA3-384 hash: b1f69b0d65cfc7179b1e3a2e4e1c688d125358ed8a26046a2a7b8690087288ff774a67652390ead0e1b3a31461002a89
SHA1 hash: 2869a012cae47b44b11750823befc246f1481d68
MD5 hash: 75fc478585b12d3a8f0216b1b28c6944
humanhash: maryland-bravo-moon-east
File name:75fc478585b12d3a8f0216b1b28c6944.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:454'656 bytes
First seen:2021-08-30 13:14:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c4b3ef5cd2bacd05c5793b6be4b1aeae (4 x RemcosRAT)
ssdeep 6144:4IX3PZ/SLdat3ZjyPt7Z3cGwzwo38Pt7cjqJWa:CatJuP5NSt8P5cEWa
Threatray 6'216 similar samples on MalwareBazaar
TLSH T16EA4A28E62484208F596FF71A88981F903316C35ADB6C44E17D9B13E0FFAAF59B17847
dhash icon 9ca2a393929a9a9a (4 x RemcosRAT)
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75fc478585b12d3a8f0216b1b28c6944.exe
Verdict:
No threats detected
Analysis date:
2021-08-30 13:42:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5be2d9eb-9330-4d62-9d5b-30fea91c97c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183766/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb9cd01c-0dbd-4870-b21c-78d4d17d8280
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841580
Signature
Antivirus detection for URL or domain
GuLoader behavior detected
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474013 Sample: T9V927Bbvx.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 45 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 2->45 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 11 T9V927Bbvx.exe 1 2->11         started        14 vlc.exe 1 2->14         started        16 vlc.exe 1 2->16         started        signatures3 process4 signatures5 67 Tries to detect Any.run 11->67 69 Hides threads from debuggers 11->69 18 T9V927Bbvx.exe 4 10 11->18         started        23 vlc.exe 2 7 14->23         started        25 vlc.exe 6 16->25         started        process6 dnsIp7 47 103.133.111.149, 49746, 49753, 49755 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 18->47 39 C:\Users\user\AppData\Roaming\vlc.exe, PE32 18->39 dropped 41 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 18->41 dropped 43 C:\Users\user\AppData\Local\...\install.vbs, data 18->43 dropped 59 Tries to detect Any.run 18->59 61 Hides threads from debuggers 18->61 27 wscript.exe 1 18->27         started        49 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 78.129.249.105, 2017 IOMART-ASGB United Kingdom 23->49 file8 signatures9 process10 process11 29 cmd.exe 1 27->29         started        process12 31 vlc.exe 1 29->31         started        34 conhost.exe 29->34         started        signatures13 71 Multi AV Scanner detection for dropped file 31->71 73 Tries to detect Any.run 31->73 75 Hides threads from debuggers 31->75 36 vlc.exe 6 31->36         started        process14 signatures15 63 Tries to detect Any.run 36->63 65 Hides threads from debuggers 36->65
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-30 12:12:58 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3x7qt5rjqwqvkn57kehbxfna4mnvoffetdafazy56azfqavh6puq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7
RemcosRAT
0e79effa0348929c10e8aa39b07b38ba50872d4fe132fd7c131e4ac9892ed046
RemcosRAT
32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
RemcosRAT
384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f
RemcosRAT
3ec89e73e39d8f49eb7af879ca10a3b172a155b50cffd2e98dd4826c4284fd49
RemcosRAT
444dbf26e5c9f7309acd880592c76eb0cb588a33f8ed51ee735ab6d623d64256
RemcosRAT
446fdd51f5eb4359191e189e54a209bd96295c5495cabc1b0b07c8f11d1eb748
RemcosRAT
79e6799e2eb9dbe27b29e3707175322014ffdfbb943c791977d592017a46ad9c
RemcosRAT
8ef0ab64ef4a050f29808379fa8e9448bca73be60e4944f9d13a9a6880ba33f2
RemcosRAT
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15
RemcosRAT
+ 6'206 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:gee_2020 downloader persistence rat
Link:
https://tria.ge/reports/210830-mh3plpk18n/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/3b03aedb-f5e1-4593-b275-b9b5f33c99b3/
SH256 hash:
ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9
MD5 hash:
75fc478585b12d3a8f0216b1b28c6944
SHA1 hash:
2869a012cae47b44b11750823befc246f1481d68
Link:
https://www.unpac.me/results/3b03aedb-f5e1-4593-b275-b9b5f33c99b3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ddff09f62985/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ddff09f62985a15537bf510e1b95a0e31b5714a498c050671df0325802a7f3e9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/183766/
  
URLhaus
https://urlhaus.abuse.ch/url/1574035/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1578343/

Comments