MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca
SHA3-384 hash: b1f123736a0665e82e5705f8e76af08997045004465f337d6e43f507f6da49bc34076b9772fbf5e5eb28ed8a1e4ccb4d
SHA1 hash: 0f8aed9e7b59d845d2e9ad7827aca11905fc94b9
MD5 hash: 507696e0c36a6ea7140fa97a292e2279
humanhash: comet-zebra-enemy-sixteen
File name:507696e0_by_Libranalysis
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:112'360 bytes
First seen:2021-05-19 19:02:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ad518cf51907bc8ca22f7a1354a4250 (11 x GuLoader, 2 x RemcosRAT)
ssdeep 1536:+YHYtJURe1jx2dmamKR4zYDa+BRdA0s4tbeyw4HM:7KJlxkHRoYDRt1LtKyw4HM
Threatray 1'501 similar samples on MalwareBazaar
TLSH 30B3D462B9BBF871FE1980F0275D47ED819739B4C489880BDDC6252463F1A3696243FB
Reporter Libranalysis
Tags:RemcosRAT


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ABC.exe
Verdict:
Malicious activity
Analysis date:
2021-05-19 12:12:47 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/8aa6d8f2-36b7-4eeb-aa30-52fb04355deb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158760/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.12133.6129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785293
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: WScript or CScript Dropper
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417690 Sample: 507696e0_by_Libranalysis Startdate: 19/05/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Potential malicious icon found 2->53 55 Found malware configuration 2->55 57 6 other signatures 2->57 10 507696e0_by_Libranalysis.exe 2->10         started        13 vlc.exe 2->13         started        15 vlc.exe 2->15         started        process3 signatures4 67 Contains functionality to detect hardware virtualization (CPUID execution measurement) 10->67 69 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 10->69 71 Tries to detect Any.run 10->71 73 Tries to detect virtualization through RDTSC time measurements 10->73 17 507696e0_by_Libranalysis.exe 4 10 10->17         started        75 Hides threads from debuggers 13->75 22 vlc.exe 6 13->22         started        24 vlc.exe 6 15->24         started        process5 dnsIp6 45 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 103.232.54.201, 49726, 49727, 49728 AIMS-MY-NETAIMSDataCentreSdnBhdMY Viet Nam 17->45 39 C:\Users\user\AppData\Roaming\vlc.exe, PE32 17->39 dropped 41 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 17->41 dropped 43 C:\Users\user\AppData\Local\...\install.vbs, data 17->43 dropped 59 Tries to detect Any.run 17->59 61 Hides threads from debuggers 17->61 26 wscript.exe 1 17->26         started        file7 signatures8 process9 process10 28 cmd.exe 1 26->28         started        process11 30 vlc.exe 28->30         started        33 conhost.exe 28->33         started        signatures12 77 Multi AV Scanner detection for dropped file 30->77 79 Contains functionality to detect hardware virtualization (CPUID execution measurement) 30->79 81 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 30->81 83 3 other signatures 30->83 35 vlc.exe 2 7 30->35         started        process13 dnsIp14 47 hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu 35->47 49 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 78.129.249.105, 2017 IOMART-ASGB United Kingdom 35->49 63 Tries to detect Any.run 35->63 65 Hides threads from debuggers 35->65 signatures15
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 13:50:38 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5u5ioanocfskd3wc4bvsjtsg6vg5rqmyhd34l6jjhdhrcvqxrxfa._file
Verdict:
unknown
Similar samples:
02738721df55077c4a8b8826e7cdd0243003ba4b34cb71f314ad05a29330c9c3
RemcosRAT
1ad231fb8cb3ab712bef3aae2c319cdd3d9f085eea7e0d205ca3729a85eb1294
RemcosRAT
3ee7986c2ffb27457b0e9d270fdd477c953c310503fffc27aed1aa8cc6e8c70d
RemcosRAT
429a766fbf315ee6e6ec01e3a36cc39a66b14c3c71d2a5de94f5fbd2212367dd
RemcosRAT
5f52fd42339c5ea2854261e94c02767880062113ebbfefc0d5e599ec61d4e84a
RemcosRAT
7765b39aa0345fd2af3838a548807c90094ea98d227d625ed742260833643b52
RemcosRAT
7aac0d666b2552cb06d944ea7c54852070a9434708b221232faff64396b8f70a
RemcosRAT
8f1517666a1f5f7f6d0f38814909251d41de92126c2a7df0626de2fa1ae9ba1f
RemcosRAT
aa474883fd952e16e13715aa7a698fa8eb0d596fea71d03dfbaa235a1b08aa15
RemcosRAT
deb7f6e76d0d27a58d7eb53380b8f399d81caa842fe188830327b9aad82afdb0
RemcosRAT
+ 1'491 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos downloader persistence rat
Link:
https://tria.ge/reports/210519-wj2jna36pe/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Loads dropped DLL
Executes dropped EXE
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
http://hshjiopklmsacnzbcjuewahfdsnvmlazbcuewqjh.ydns.eu/Gee_remcos%202020_JdgLl223.bin
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ed3a8701ae1164a1eec2e06b24ce46f54dd8c19838f7c5f92938cf1156178dca

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/158760/
  
URLhaus
https://urlhaus.abuse.ch/url/1255993/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 20:06:27 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing