MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 8599ded7ef4b89944c5a5330e8608d9e1ab28acd67706284b617ddca1a7d74ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RemcosRAT
Vendor detections: 5
| SHA256 hash: | 8599ded7ef4b89944c5a5330e8608d9e1ab28acd67706284b617ddca1a7d74ab |
|---|---|
| SHA3-384 hash: | 3abdb4a811e4f8f7599b112836bdf4c19a0810f998c76e2e4f8720f31cbcf9341466116ee65f3757a77a6668d10f010a |
| SHA1 hash: | c77362f9d82fba23822c6bac1459c3c75a5a5695 |
| MD5 hash: | 90de1602c5900c2a81bcbbad0eb754e7 |
| humanhash: | paris-video-california-autumn |
| File name: | Attached pdf.exe |
| Download: | download sample |
| Signature | RemcosRAT |
| File size: | 801'792 bytes |
| First seen: | 2020-03-29 19:16:42 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5d2177892dbcac7e6ad93ec3a689854b (1 x RemcosRAT) |
| ssdeep | 24576:NphRzrzOrpeHi2b2fdGhIYQdCdu+iP2NDy:Npbq7wsL2Z |
| Threatray | 892 similar samples on MalwareBazaar |
| TLSH | 4D058E21F2914437D1332A388D5F57A9983ABE103E28EC467BF56D8C5F3A7417C292A7 |
| Reporter |  abuse_ch |
| Tags: | exe GuLoader nVpn RemcosRAT |
abuse_ch
COVID-19 themed malspam campaign dropping GuLoader->RemcosRAT:iso->zip->exe
HELO: smmt
Sending IP: 52.162.94.61
From: irs gov <Help@irs.gov>
Subject: Covid-19 Emergency funds Update
Attachment: Attachment.iso (contains "Attached pdf.zip" -> "Attached pdf.exe")
GuLoader payload URL:
https://drive.google.com/u/0/uc?id=1bpSwXgeTfUQhGF7a4lwQmZroVPGuKeUO
RemcosRAT C2:
rex2015.freeddns.org:2404
Resolves to:
185.244.30.125
% Information related to '185.244.30.0 - 185.244.30.255'
% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'
inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.244.30.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
remarks: For further information please read: http://www.torservers.net/abuse.html
country: EU
Intelligence
File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Result
Threat name:
Remcos
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2020-03-29 19:35:33 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
24 of 31 (77.42%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
remcos
Similar samples:
+ 882 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle kernel32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA |
| WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::PeekMessageW user32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.