MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09394473fc2c076486970d70011c480439b9e799be2966197e1d35bb9ee7b506. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 5

SHA256 hash: 09394473fc2c076486970d70011c480439b9e799be2966197e1d35bb9ee7b506
SHA3-384 hash: ea378b94017d91e70aa86f8e06f72491b496d9f408fe957f5c4d3c378a879f7ae88b82d73536423aa0a8e3b618eee24c
SHA1 hash: b4d90930a846853abc55ce46ba6f7890f66a67e8
MD5 hash: 190d1afd030d80e7b449ad78e97d8cb7
humanhash: purple-eleven-black-coffee
File name: PO#21-4574,pdf.scr
Signature: RemcosRAT
File size: 621'568 bytes
First seen: 2020-06-23 13:25:04 UTC
Last seen: 2020-06-23 13:50:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 37ec15e12a6a58142524cbf63ac13fd6 (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:EARldIm597ql0ynjNHEJRXZdL38YN2Je7qWWWy/z:/XHql9njNHE5Z3PN2My/z
Threatray: 938 similar samples on MalwareBazaar
TLSH: 6BD4AF33F2C08876C57E29B9AD0F45E5951ABE757E18A48A3BCC1E4C4FBD2913C29193
Reporter: abuse_ch
Tags: RAT RemcosRAT scr


abuse_ch
Malspam distributing RemcosRAT:

HELO: cloudhost-433778.us-west-1.nxcli.net
Sending IP: 173.249.144.98
From: IZABELLE <info@gbp-international.com>
Subject: PO#21-23062020-Urgente
Attachment: PO21-4574.IMG (contains "PO#21-4574,pdf.scr")

RemcosRAT C2:
206.123.129.103:4565

Intelligence

File Origin
# of uploads: 2
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-06-23 13:27:03 UTC
AV detection: 35 of 48 (72.92%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: persistence rat family:remcos
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Remcos
Malware Config
C2 Extraction: 206.123.129.103:4565
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
RemcosRAT
Executable exe 09394473fc2c076486970d70011c480439b9e799be2966197e1d35bb9ee7b506 (this sample)

Delivery method: Distributed via e-mail attachment

Comments