MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
SHA3-384 hash: 6c5f1e63dddb6060130ae160f4b76621d990b94bae6b71195ff5ef7004fd7eebbf89f837d522fdd744b8e0bb5a3ad02f
SHA1 hash: 8bd6a8afb1f7749a1de864c6cbbf297ccdb83b1f
MD5 hash: 99548f77a249924a7355728f3ba1c328
humanhash: freddie-chicken-kitten-low
File name:99548f77a249924a7355728f3ba1c328.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:184'320 bytes
First seen:2021-03-06 05:58:14 UTC
Last seen:2021-03-06 07:57:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 172cbafb22ccddc8b184c7734ac21918 (2 x RemcosRAT)
ssdeep 1536:wbQihzJ0RAQCAqTAj2jo8MG7m80PuYju:rkJsA5Aj2Um
Threatray 295 similar samples on MalwareBazaar
TLSH 27040770F198709FF6D690756CB5D6A9248D3C31114A8DEEF2807E1F6DB26D360B0A2B
Reporter abuse_ch
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
99548f77a249924a7355728f3ba1c328.exe
Verdict:
Malicious activity
Analysis date:
2021-03-06 06:00:21 UTC
Tags:
trojan guloader loader opendir rat remcos keylogger
Link:
https://app.any.run/tasks/5c38f89c-d864-410e-8b00-e27793e55095

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122573/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45831061.11923.26975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
DNS request
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/630404
Signature
Contain functionality to detect virtual machines
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Remcos
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 364175 Sample: LMKQB8tQQ2.exe Startdate: 06/03/2021 Architecture: WINDOWS Score: 100 44 hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu 2->44 52 Potential malicious icon found 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected GuLoader 2->56 58 4 other signatures 2->58 11 LMKQB8tQQ2.exe 2->11         started        14 win.exe 2->14         started        16 win.exe 2->16         started        signatures3 process4 signatures5 68 Contain functionality to detect virtual machines 11->68 70 Tries to detect Any.run 11->70 72 Hides threads from debuggers 11->72 74 Contains functionality to hide a thread from the debugger 11->74 18 LMKQB8tQQ2.exe 4 10 11->18         started        23 win.exe 6 14->23         started        25 win.exe 6 16->25         started        process6 dnsIp7 46 mtspsmjeli.sch.id 103.150.60.242, 49717, 49721, 49724 PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID unknown 18->46 40 C:\Users\user\AppData\Roaming\win.exe, PE32 18->40 dropped 42 C:\Users\user\...\win.exe:Zone.Identifier, ASCII 18->42 dropped 60 Tries to detect Any.run 18->60 62 Hides threads from debuggers 18->62 27 wscript.exe 1 18->27         started        file8 signatures9 process10 process11 29 cmd.exe 1 27->29         started        process12 31 win.exe 29->31         started        34 conhost.exe 29->34         started        signatures13 76 Multi AV Scanner detection for dropped file 31->76 78 Machine Learning detection for dropped file 31->78 80 Contain functionality to detect virtual machines 31->80 82 2 other signatures 31->82 36 win.exe 2 7 31->36         started        process14 dnsIp15 48 hjduiebcvzcalpmjdbcnwqadhsiybcnzxswedgap.ydns.eu 10.4.78.10, 2024 unknown unknown 36->48 50 mtspsmjeli.sch.id 36->50 64 Tries to detect Any.run 36->64 66 Hides threads from debuggers 36->66 signatures16
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 03:04:10 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yedlgmuomuney323m6ltaip57insgk4kbg4fyeb7t6ko5qjbqvq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
RemcosRAT
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
RemcosRAT
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
RemcosRAT
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
RemcosRAT
43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb
RemcosRAT
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
RemcosRAT
92f656d44d38fbc5e7964e36634bf95d18e157228624d1b38ea933633579ddc4
RemcosRAT
a6f46c55982462a48a9fa43feb02b514df87a97b06a1ee073c57ae132cc1bec7
RemcosRAT
af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991
RemcosRAT
e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d
RemcosRAT
+ 285 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/210306-9k5pe8t2es/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/74737ebd-a97f-440e-a0f1-c20d36ce41ad/
SH256 hash:
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
MD5 hash:
99548f77a249924a7355728f3ba1c328
SHA1 hash:
8bd6a8afb1f7749a1de864c6cbbf297ccdb83b1f
Link:
https://www.unpac.me/results/74737ebd-a97f-440e-a0f1-c20d36ce41ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/1026031/
Cape
Cape
https://www.capesandbox.com/analysis/122573/

Comments