MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 227c14f96fe815771903d9c8050d094efc19423e072f06b75a40a5305fb04476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 227c14f96fe815771903d9c8050d094efc19423e072f06b75a40a5305fb04476
SHA3-384 hash: 8e4756218ab7a65572fa2678a68dd4fd2ee6f57bf2063a9849ac7dfc3342a40f48706eb0160a45afb9ce51538fb409e1
SHA1 hash: 7a3e4a05fa7a88567457ef55e2e133371a40e724
MD5 hash: 8a1a0f3f4305c2d377e49ef3ed00c958
humanhash: green-fillet-ack-gee
File name:Purchase Order SZ5-9-020,pdf.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:343'040 bytes
First seen:2020-05-12 08:52:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:h6RLqSY6oAlR1OqkhT4NTdseAeFfVxjvZwTfD9gTG9HO5pKpAZNr2:h6RL8gP1OFhsjs+Ff3jvGThgTaHO5BnS
Threatray 908 similar samples on MalwareBazaar
TLSH 31749DC6B644A917CD5E42FA4032D87057723D79A5B2E6892CCA7CEF3AF73D21492807
Reporter abuse_ch
Tags:exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: host422.dgtr-network.com
Sending IP: 169.48.194.22
From: Gopinathan <sales@afcmalaysia.com>
Subject: Purchase Order SZ5-9-020
Attachment: Purchase Order SZ5-9-020,pdf.zip (contains "Purchase Order SZ5-9-020,pdf.exe")

RemcosRAT C2:
youngboss1994.ddns.net:1965 (185.244.30.17)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 03:31:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ej6bj6lp5akxogid3heakdijj36bsqr6a4xqnn22icstax5qir3a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
277753aba8bad16e15be999ec98b5eee72e3000558d12d572c732b09d006f4d8
RemcosRAT
28b6bbc6b1d6ee21ccdc25c5eefccad5e21556954542cd19a0a87f7dde91df78
RemcosRAT
2db4ee21ea51c36e7dac362a31f5791643de1ced086758c80ad2cb8b8b70f80e
RemcosRAT
6307b6ffc48a88aeeff567c7a296ca6daf830f9b4eecf9f48352c489e5256fca
RemcosRAT
6883ab02c6b5c22d0035e476501021e228dd1b94f5a1f301a343b731fc847d45
RemcosRAT
936aa436f6a85762fe0fa8f9f14af43e5a53ba7bf398f279925f73dc511c09b4
RemcosRAT
a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538
RemcosRAT
ae160b749914bd56aecbcf43d56a59bde2069a145682b2911fe50c6adabe1b54
RemcosRAT
ca6d1749f9645475aa7ab0ca268e31ba00817a8c70467c4d6d88bb2ca54d596d
RemcosRAT
fc7132bfc8c4903b686f088ec38b8c4e36d0e5071aca8f7310070526afd83bee
RemcosRAT
+ 898 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos coreentity rat rezer0
Link:
https://tria.ge/reports/201109-s9saszsq5j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
rezer0
CoreEntity .NET Packer
Remcos
Malware Config
C2 Extraction:
youngboss1994.ddns.net:1965
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 79fa7a8cef490b50a5ce9d102e4e2af0e0f4e151ed2d3ed9222fec8994af0212

RemcosRAT

Executable exe 227c14f96fe815771903d9c8050d094efc19423e072f06b75a40a5305fb04476

(this sample)

  
Dropped by
MD5 80010761105b865ea4aaf1334b89b89c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 79fa7a8cef490b50a5ce9d102e4e2af0e0f4e151ed2d3ed9222fec8994af0212

Comments