MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6895305f9210132874ed3a348dbf1ee637994533f5bb8cff2eaae83da810e4dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6895305f9210132874ed3a348dbf1ee637994533f5bb8cff2eaae83da810e4dd
SHA3-384 hash: f98f13ac35f0c4c777d8c6a7db99bc6a626c0dd4f778364873e14d06762e0a2b4021860ae9414a5a241a03a0b6343e11
SHA1 hash: aea808ed7b51fccb66e55d0e22f2428f530981bc
MD5 hash: d038c4698a10783e15acfcda26dea60c
humanhash: comet-high-uncle-spaghetti
File name:Bestellung 20200632 Stenzel E.K.scr
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:946'688 bytes
First seen:2020-06-25 13:15:12 UTC
Last seen:2020-06-25 13:51:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e4ea71003f2e4bb27bd8bad8c2c3305e (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep 12288:ns7OYB2c+UHVuEp4tZEmfZE7wuLzMLqPbziLlv039vSZ+mEpdgjaV9w:nsKYIguEpKGk+XicUqdgY9w
Threatray 944 similar samples on MalwareBazaar
TLSH 17157E23F2914477C1631678AC6B5769993ABF112E28694B6BF83C0C5F393513C3E29B
Reporter abuse_ch
Tags:DEU geo RemcosRAT scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host.itamarket.cl
Sending IP: 199.167.202.17
From: Monika Meyer <markus.stenzel@stenzellogistics.de>
Subject: Bestellung: 20200632 Stenzel E.K.
Attachment: Bestellung 20200632 Stenzel E.K.img (contains "Bestellung 20200632 Stenzel E.K.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14314/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Connection attempt to an infection source
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6895305f9210132874ed3a348dbf1ee637994533f5bb8cff2eaae83da810e4dd/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 13:37:31 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncktax4scajsq5hnhi2i3py64y3zsrjt6w5yz7zovlud3kaq4toq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f307822855aabba644e0f79751eeb5f26e0575ae5ade7c6507c6d1ea7a64725
RemcosRAT
18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27
RemcosRAT
3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9
RemcosRAT
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
RemcosRAT
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
RemcosRAT
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
RemcosRAT
c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff
RemcosRAT
de45e137eeda4de58d4840e499559e36ee01256b6180e87249ec035525db6b9c
RemcosRAT
eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18
RemcosRAT
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
RemcosRAT
+ 934 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
evasion spyware trojan persistence rat family:remcos
Link:
https://tria.ge/reports/200625-q8mfq14e6a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Modifies system certificate store
Adds Run entry to start application
Remcos
Malware Config
C2 Extraction:
coronanancy14-50163.portmap.io:50163
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 9af48c3764144b77216158ffcba210f43ccefc7f51f8fd2b936f3144bd78bb90

RemcosRAT

Executable exe 6895305f9210132874ed3a348dbf1ee637994533f5bb8cff2eaae83da810e4dd

(this sample)

  
Dropped by
MD5 56b0eb7667e4384fc380bc55eaa8fe4b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9af48c3764144b77216158ffcba210f43ccefc7f51f8fd2b936f3144bd78bb90
Cape
Cape
https://www.capesandbox.com/analysis/14314/

Comments