MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ea9da4ed018d0d17891bc301d0d42c637482f8ecdac6ebff94ac9dd41d5d7a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ea9da4ed018d0d17891bc301d0d42c637482f8ecdac6ebff94ac9dd41d5d7a3
SHA3-384 hash: be4d4472f260910e69464a7023bd8b159a68033f7692927bf7187496ed9e010ba13a270fee366a6282e763659d6d7145
SHA1 hash: a99ee0301a352ecd3255a64da62579d04d5bdad3
MD5 hash: 03be770b4cd4a4290d56c7fda10b5b71
humanhash: nevada-washington-jupiter-five
File name:Remittance-2020429.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:229'888 bytes
First seen:2020-04-29 19:44:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:qFaj5U/8VnDrVyltmZAyuCfxMcaIqhl4m+P9GjS4SqIQR2XPi9y:lDrwGzuAM9I4gUjS4SqH
Threatray 786 similar samples on MalwareBazaar
TLSH AE24F43D1DFDA227D074D6B1CFD2C8A3B699E46631A5AA2258DB13940793D0736C313E
Reporter abuse_ch
Tags:exe geo HRV nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: dobarhosting.com
Sending IP: 78.47.62.128
From: Talha Ayaad <sales@emsolutions.com.au>
Subject: FW: Kopija Swift doznake MONTAVAR METALNA LOLA DOO BEOGRAD EUR 44, 074\x0a\x0920200428124605
Attachment: Remittance-2020429.img (contains "Remittance-2020429.exe")

RemcosRAT C2:
prantiexport.myq-see.com:3535 (79.134.225.71)

Pointing to nvpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43191.4560.6598.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 08:23:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2u5utwqddinc6erxqyb2dkcyy3uql4ozwwg5p7zjle52qov26rq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0b8d469babc7b057403a1d7ca0f781c9a675523941cfcc8bb6eae582680746c4
RemcosRAT
277753aba8bad16e15be999ec98b5eee72e3000558d12d572c732b09d006f4d8
RemcosRAT
2ddbe8b9f04a4a672878c6b54b8a3440d2f7d89b2fe0c5949df21c997c5443f7
RemcosRAT
40838317f53ebe7b37fab29e95826e44ffd7eb7b349e8bed0f5d7ae5db013df1
RemcosRAT
4692d4716a224f54c928808d2d7ee7e9eaeb8531f1cd29b91886fa511a12f07a
RemcosRAT
59b1b0e770b3b964f7ad3290b9ebfa845b828c7819cf8282b2b7aa89530cff78
RemcosRAT
7215dbd809c1e16811d3e5981ad879bfe02898a514e8a0d5243e86f3adf9f0d6
RemcosRAT
a7d93e9c9bb80f0f8a271ae4a101f305bac535e197697b35f291794fa83ef538
RemcosRAT
ac120fadb0fde46db30df42a52a0b65d34fa6621fa13f18c11b5fe93626dcf6d
RemcosRAT
cdeef97d61eac6dce398d5f1ab3b9885d203493cb93d445165eda9a8c19a56dd
RemcosRAT
+ 776 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 9640573998280900bbaab48ea85f674275d76b8bdde1642aa0c59898c6a79a21

RemcosRAT

Executable exe 6ea9da4ed018d0d17891bc301d0d42c637482f8ecdac6ebff94ac9dd41d5d7a3

(this sample)

  
Dropped by
MD5 777c491c3860714002e67364de5af30c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9640573998280900bbaab48ea85f674275d76b8bdde1642aa0c59898c6a79a21

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments