MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79fa7a8cef490b50a5ce9d102e4e2af0e0f4e151ed2d3ed9222fec8994af0212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79fa7a8cef490b50a5ce9d102e4e2af0e0f4e151ed2d3ed9222fec8994af0212
SHA3-384 hash: 863dc1a82aca5e438e4211c40acd11db719eb77612d4399a1e589eaf0e4484012d2b51eeb8238cd3ec1f76b107ef94a7
SHA1 hash: 819c81f2f7f7f9dc2a584a72809543eefa8d1482
MD5 hash: 80010761105b865ea4aaf1334b89b89c
humanhash: mexico-helium-march-fifteen
File name:Purchase Order SZ5-9-020,pdf.zip
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:224'899 bytes
First seen:2020-05-12 08:52:53 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 6144:a9QBAWO48+osZgP5y4fZbEjBXk3ChDW8bzQYc:PY48+Bc5/AB0X1
TLSH 042423653ABCAD438EB3592D39D108E04872E6E6B0A78C1DD95C946F233EF4E144FA25
Reporter abuse_ch
Tags:nVpn RAT RemcosRAT zip


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: host422.dgtr-network.com
Sending IP: 169.48.194.22
From: Gopinathan <sales@afcmalaysia.com>
Subject: Purchase Order SZ5-9-020
Attachment: Purchase Order SZ5-9-020,pdf.zip (contains "Purchase Order SZ5-9-020,pdf.exe")

RemcosRAT C2:
youngboss1994.ddns.net:1965 (185.244.30.17)

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.26176.ZipHeur.BadExt.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.22205.ZipHeur.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 13:16:37 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
31 of 48 (64.58%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ph5hvdhpjefvbjootuic4trk6dqpjykr5uwt5wjcf7witffpaija._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

zip 79fa7a8cef490b50a5ce9d102e4e2af0e0f4e151ed2d3ed9222fec8994af0212

(this sample)

RemcosRAT

Executable exe 227c14f96fe815771903d9c8050d094efc19423e072f06b75a40a5305fb04476

  
Dropping
MD5 8a1a0f3f4305c2d377e49ef3ed00c958
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 227c14f96fe815771903d9c8050d094efc19423e072f06b75a40a5305fb04476

Comments