MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8696093df77ec1475d11a8a12d50e51896b6be1aeb8e5740e0d386c24b8f8210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8696093df77ec1475d11a8a12d50e51896b6be1aeb8e5740e0d386c24b8f8210
SHA3-384 hash: 8cdb694c6dc8e3a9e80f393ed87bc31c4a967d3b5cb4dd08d2c9d8418de0f060f2f3262f11473018b2fb063f6780d3d6
SHA1 hash: 38795c70fa6cd92aa11cba05001f4cd912927c60
MD5 hash: adbcc61d0b93a9f9eb63455bc6e7511c
humanhash: comet-sierra-winner-carolina
File name:DHL_4112438.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:946'688 bytes
First seen:2020-06-26 06:03:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e4ea71003f2e4bb27bd8bad8c2c3305e (6 x RemcosRAT, 2 x FormBook, 1 x NetWire)
ssdeep 12288:Ls7OYB2c+UHVuEp4tZEmfZE7wuLzMLqPbziLlv039vSZ+mJpdgjSV99:LsKYIguEpKGk+XicU3dg499
Threatray 982 similar samples on MalwareBazaar
TLSH 00157E23F2914477C1631678AC6B5769993ABF112E28694B6BF83C0C5F393513C3E29B
Reporter abuse_ch
Tags:DHL exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: 52-247-208-187.plesk.page
Sending IP: 52.229.8.143
From: DHL <support@dhl.com>
Subject: Your Parcel has Arrived
Attachment: DHL_4112438.IMG (contains "DHL_4112438.exe")

RemcosRAT C2:
boot.awsmppl.com:2266 (194.5.99.59)

Pointing to nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: Privacy_Online
remarks: ------------------------------------------------------------------------
remarks: This prefix is used by a non-logging VPN service provider.
remarks: We don't log any user activities.
remarks: We don't host anything else on our servers than VPN software (OpenVPN,
remarks: IKEv1 & 2, WireGuard ...).
remarks: Our customers can open up to 8 Ports (TCP & UDP).
remarks: We support the Tor Project: https://www.torproject.org
remarks: Before sending us potential complaints, please read:
remarks: https://www.torservers.net/abuse.html
remarks:
remarks: We are under constant pressure by Spamhaus.
remarks: Spamhaus issues tons of fake SBL listings in order to destroy our service.
remarks: They use fake identities, violate EU laws and hide outside the EU in
remarks: Andorra to avoid legal consequences.
remarks: Please don't trust this organization.
remarks: If you have any questions related to our service, please contact us
remarks: directly via e-mail: support@inter-cloud.tech
remarks:
remarks: Thank you.
remarks: ------------------------------------------------------------------------
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
country: GB
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-03-10T21:28:31Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14579/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.generic.ml.6960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8696093df77ec1475d11a8a12d50e51896b6be1aeb8e5740e0d386c24b8f8210/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-26 06:05:07 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2lasppxp3auoxirvcqs2uhfdcllnpq25ohfoqha2odmes4pqiia._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
28e5fa8a71a61c9a963340efa4179b8e1e966eca430c77f86c5795a28b66162a
RemcosRAT
2f07a5d8c1e6ac465e5d306b0fb8335aa41f3204b9bf9793337a849a93921a9a
RemcosRAT
3bdfaf82d5d56f2546be44b3355f8d72cc0508984586e0fba3d704a5adabf7d1
RemcosRAT
417022af236bc97978cd14c5ffb8e5ced3392987a8b73ae3a5f1906367419abd
RemcosRAT
5623d23f830311afc91586eeae9824ede5dd4233d9b45a45a6bea4110514db48
RemcosRAT
56a2574ca6e3e3036a5bdcc9f17deade4bff0920373a8d9944fc9e297b970650
RemcosRAT
64ba0f4265f9ed3f3f9315ee0256b360827074d5f898a7eb07ed98dd5f7fec7e
RemcosRAT
a9b90669d9cd5ec23e141533e94adc37e8f27eeb683aa59c5cac7f17bf9ac827
RemcosRAT
c59842c19c1b3f0171b40eebfb3e98ddccc4237edcaaa62990a0881ee1f6f798
RemcosRAT
da7ce8060ef04b847aeb11d727b9d8fad9526dc3314adce4ffa5e0b597ac5547
RemcosRAT
+ 972 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:remcos
Link:
https://tria.ge/reports/200626-p3y66th74x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry key
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Executes dropped EXE
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img ce49f862e9bc0cd4adf5c627e432ee45e2fb7a7fd57d2a0ca0957dda254ca5f5

RemcosRAT

Executable exe 8696093df77ec1475d11a8a12d50e51896b6be1aeb8e5740e0d386c24b8f8210

(this sample)

  
Dropped by
MD5 e31350c4182b365ef999d5ea3e847087
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14579/
  
Dropped by
SHA256 ce49f862e9bc0cd4adf5c627e432ee45e2fb7a7fd57d2a0ca0957dda254ca5f5

Comments