MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56a559cba0b0d2eef43c8d32d4b2a2710fb04f1c3f18dd65ddebdcdf3ee4e89d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemcosRAT
Vendor detections: 5



SHA256 hash: 56a559cba0b0d2eef43c8d32d4b2a2710fb04f1c3f18dd65ddebdcdf3ee4e89d
SHA3-384 hash: ce852d1a3301f34aed6e78773f41fae41fcd5142a08582683c723e96f18b2e0ea436057324b408c11f27046407a4aa58
SHA1 hash: 3cd2642d74a5cf310393a9debb2e8b806a4052c2
MD5 hash: eb77beaa7be32993b6f4b0a3514f0b14
humanhash: fourteen-seven-kitten-nevada
File name: RFQ 20200622Kloepfel Consulting GmbH.scr
Signature: RemcosRAT
File size: 1'135'104 bytes
First seen: 2020-06-22 13:54:14 UTC
Last seen: 2020-06-22 14:48:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8299f715d855d2a6068b551514417b5d (2 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep: 12288:HjDbd29xj+02YMHFpC0cjKdOaQKj7sHkp1OcM+u4n/rpRzxgh:HfR29002pHFpC0cjKdjQKsEnOdL4Dz
Threatray: 939 similar samples on MalwareBazaar
TLSH: 7A357C22F380C837D0631B758C5FD7A86826BE546E28984B3AE93F0D5FB5351353A297
Reporter: abuse_ch
Tags: scr


Comment by abuse_ch:
Malspam distributing unidentified malware:

HELO: cloudhost-433669.us-west-1.nxcli.net
Sending IP: 173.249.144.88
From: Sabrina Bachhuber <info@kloepfel-consulting.com>
Subject: RFQ 20200618-Kloepfel Consulting GmbH...
Attachment: RFQ 20200618Kloepfel Consulting GmbH.img (contains "RFQ 20200622Kloepfel Consulting GmbH.scr")

Intelligence

File Origin
# of uploads: 2
# of downloads: 91
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2020-06-22 13:56:04 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: evasion spyware trojan persistence rat family:remcos
Behaviour:
  Suspicious use of WriteProcessMemory
  Suspicious use of SetWindowsHookEx
  Suspicious use of SetThreadContext
  Modifies system certificate store
  Adds Run entry to start application
Remcos
Malware Config
C2 Extraction: coronanancy14-50163.portmap.io:50163

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Related sample: MD5 88214bc7382d9fe97556ae0f59a8a906 (RemcosRAT)
This sample: Executable exe 56a559cba0b0d2eef43c8d32d4b2a2710fb04f1c3f18dd65ddebdcdf3ee4e89d
Dropped by: MD5 88214bc7382d9fe97556ae0f59a8a906
Delivery method: Distributed via e-mail attachment
