MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bd10c722c9663ae4a843abd46ffa762347832a3e3b077831ed0f4be42cf63cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bd10c722c9663ae4a843abd46ffa762347832a3e3b077831ed0f4be42cf63cb
SHA3-384 hash: 8be1be2a82c86fc1d8c19725a773f2add375be6617eeaf668c9722c66b73fba9604d96565bc0fc613629b56b83ad488a
SHA1 hash: de087164e5c1358f2599844a40bc4f1729388db1
MD5 hash: cd82f16c71550ee67e5c266e5c053c8e
humanhash: seventeen-double-lion-october
File name:readme.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'253'378 bytes
First seen:2020-05-21 15:58:37 UTC
Last seen:2020-05-22 07:41:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1575c5aefc86fbc5de966811c53ee526 (4 x RemcosRAT)
ssdeep 24576:CcxpdRIs2lc1FjLaotEnvkd3OOiAiLEnsaj6LriI3j:CcVf2cEvs368l6d3j
Threatray 789 similar samples on MalwareBazaar
TLSH 6F459F32F3D18937C1232B799C1BA2B95829BF603D2868876FE87D4C5F357913829197
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT UPS


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: dddd2.eastus.cloudapp.azure.com
Sending IP: 52.170.90.207
From: "UPS Customer Service" <customer@ups.com>
Subject: UPS - Pending delivery
Attachment: myattachment.iso (contains "readme.exe")

RemcosRAT C2s:
u864246.nvpn.so
u864245.nerdpol.ovh (185.140.53.21)
u864244.nsupdate.info

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Mbt
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 16:28:00 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
27353906a9ebdd03dcbd51a518eccf7785d1c16aad3f77f31f10176ddf739ad1
RemcosRAT
5941e3b05a645ffb82a712032bbab4895e98bea0ee45da0942ed3ec64f32ad59
RemcosRAT
654dcb8cbaca77d6679523c36f44ea656e39a97ce7e4d6f91b089fe8d54f9787
RemcosRAT
7c7e874dd337e6f0ca2988aee1752a9da6a676599d1fd6e3d1c9d543816184a0
RemcosRAT
991998c5dfb7659dd3cc3cefb68486e082e935bdd3e2ff3d166724cca6b9f7dc
RemcosRAT
af310a991fa5f286d25c0c8e8977fc3b7d5c80cd79e288622877b7ac790d7478
RemcosRAT
ccf70fc876f2a85c183622317c0e2e08bb1a70121e8d3f7116a2f61c888cc5e3
RemcosRAT
d49d4ffb155ec1f6b8fc62853fa7784d8e4e226f3159070d38d4c0ab430751ad
RemcosRAT
f6b725654c8d666688aaa90def223e8592a17110aead0e275c35c64e18c10985
RemcosRAT
fd4e2f9a772d8d1f532b2f924fda838d553a5bcb0d5ccc5b6972969e8eec4002
RemcosRAT
+ 779 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-chjxlg78la/
Behaviour
Script User-Agent
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 3886af6b75a55e1b2ae1202456ab7297217866554b4cd48a38f174c11be1673e

RemcosRAT

Executable exe 1bd10c722c9663ae4a843abd46ffa762347832a3e3b077831ed0f4be42cf63cb

(this sample)

  
Dropped by
MD5 6ec16bdacee4edcb67a561f2ffb43228
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3886af6b75a55e1b2ae1202456ab7297217866554b4cd48a38f174c11be1673e

Comments