MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a
SHA3-384 hash: 5b1abc6fb36457b212823782fe787a9dc6931465ac6ba05e60db9f7975b5b3e3db1ef7c2f54bb9a63547c777b99686d7
SHA1 hash: 463d1c5cc269bac5bfa00bb3d318010b122c1468
MD5 hash: d3eb7232d7947d17eb33e71e87cc7d7a
humanhash: island-kentucky-nine-harry
File name:RFQ - KDF202304778.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:561'608 bytes
First seen:2023-04-25 09:10:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 12288:Dg/9QredHGfxsZSS+LYc+bH1KVKeiBfnYKbQkSL1UGH8:DglQredHSxsSS+LYc+bHkVonxzlGc
Threatray 618 similar samples on MalwareBazaar
TLSH T1ACC49E4697354385E45D9A305C9B483B6F683E3B82F5046FB6847E0DA373A6CF40AE1B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6899b898b232d8a3 (2 x RemcosRAT)
Reporter lowmal3
Tags:exe RemcosRAT signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-06T07:41:42Z
Valid to:2025-11-05T07:41:42Z
Serial number: 6bc75d7c108124838982d7bb2b9384d09fcf726d
Thumbprint Algorithm:SHA256
Thumbprint: 5db98f8166d45e6b9e95ccde6e1c1c223dede69721c5792defb50457cb3ccafc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
RFQ - KDF202304778.exe
Verdict:
Malicious activity
Analysis date:
2023-04-25 09:13:07 UTC
Tags:
remcos rat keylogger
Link:
https://app.any.run/tasks/8fc8ddd2-07ab-418a-bc00-429d12da68b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384757/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Sending an HTTP GET request
Modifying a system file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/81373/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
guloader icedid overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64479928115cd381d96cbfd4/reports/5f6781e5-a6cf-4fea-8702-efbd4971ca88/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0e2babad-af11-4cbc-8f7e-244743cfb764
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220567
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Remcos
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 853516 Sample: RFQ_-_KDF202304778.exe Startdate: 25/04/2023 Architecture: WINDOWS Score: 100 32 googlehosted.l.googleusercontent.com 2->32 34 geoplugin.net 2->34 36 2 other IPs or domains 2->36 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 5 other signatures 2->54 9 RFQ_-_KDF202304778.exe 1 22 2->9         started        signatures3 process4 file5 28 C:\Users\user\AppData\...nglnderindes.Lsb, ASCII 9->28 dropped 30 C:\Users\user\AppData\Local\...\prldap60.dll, PE32 9->30 dropped 60 Suspicious powershell command line found 9->60 62 Obfuscated command line found 9->62 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 64 Very long command line found 13->64 16 powershell.exe 13 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 44 Writes to foreign memory regions 16->44 46 Tries to detect Any.run 16->46 21 ieinstal.exe 3 18 16->21         started        process11 dnsIp12 38 172.96.14.18, 2404, 49850, 49866 UNREAL-SERVERSUS Canada 21->38 40 googlehosted.l.googleusercontent.com 142.250.185.161, 443, 49849 GOOGLEUS United States 21->40 42 2 other IPs or domains 21->42 26 C:\ProgramData\remcos\logs.dat, data 21->26 dropped 56 Tries to detect Any.run 21->56 58 Installs a global keyboard hook 21->58 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-04-25 08:27:28 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rph7r72m4tmmf76iiyjdzmgde7dk2id3mhotrxawrspzuu5un5a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
19bc779bdb31a070d3b122e2c58547649586b5481655a52db8b3ccadd958bed3
RemcosRAT
2c02e5bec85fedefe1d21d2cc02b0d7e91eebfedcb53f444127463987de67bc0
RemcosRAT
4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2
RemcosRAT
536a5d0e0a0283a2037d9a01efaf92c4e119647ad3b8aa4d644461de984399f8
RemcosRAT
59b71cb2c5a14186a5069d7935ebe28486f49b7961bddac0a818a021373a44a3
RemcosRAT
6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49
RemcosRAT
8e2592445728a1950fab0e7367efa48a84863658d968a090d0cf9e080b42d11b
RemcosRAT
974d4a3b79743a94417f467ffbaeb5de6616d2f5f5aef742f41b7a5d5a3d9ba7
RemcosRAT
a91b5b3e7fecc3165c0fe4ef988a41b6b99a825a1a40b22fde67ffae6e81db22
RemcosRAT
c7a282bb4bc111616da14a7f6bac27b0b7c7437156a7992382dc695f50d6300a
RemcosRAT
+ 608 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:remotehost downloader rat
Link:
https://tria.ge/reports/230425-k5la5sbd51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
172.96.14.18:2404
Unpacked files
SH256 hash:
1188fbf20b7df9e51ec6cba5f1dbff81955a5d0c0b669d9435121c65114e5e01
MD5 hash:
c78acbfe4dfb94888d5620c507a283f6
SHA1 hash:
118e6a02ba6d3670e51d5f9982c159bb6504cd43
Link:
https://www.unpac.me/results/1f1d359e-fa86-424b-9bc6-88e234cf9af6/
SH256 hash:
fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a
MD5 hash:
d3eb7232d7947d17eb33e71e87cc7d7a
SHA1 hash:
463d1c5cc269bac5bfa00bb3d318010b122c1468
Link:
https://www.unpac.me/results/1f1d359e-fa86-424b-9bc6-88e234cf9af6/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc5e7fc7fa67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

Executable exe fc5e7fc7fa6726c617fe423091e586193e356903db0ee9c6e0b464fcd29da37a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/384757/

Comments