MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e95efa58f769fb4f5312936a0d947125f5eca38bb3f6c258e0e15ee3648947d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemcosRAT
Vendor detections: 3

SHA256 hash: 8e95efa58f769fb4f5312936a0d947125f5eca38bb3f6c258e0e15ee3648947d
SHA3-384 hash: 8d1ebe32b34ab332650abb3606b08200dab66e57f1974c9c57b9d5a9978282edfb66e98bd4c1d02ca14956e2215e62bd
SHA1 hash: 8b28b523e005c43f10930837cdcf6c6f86633370
MD5 hash: 92e5e5fc9cf9588fd9a71694c41b5bf3
humanhash: march-winter-emma-vermont
File name: Loading-Documents,pdf.iso
Signature: RemcosRAT
File size: 495,616 bytes
First seen: 2020-07-07 08:39:33 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 6144:0aZ+aON+V3vebw+DFHzSeCO09SJl20VJV0niQ34YNr:pgcV3veU+BHtCODl20HanT3h
TLSH: A2B418B0B6619FA2C9390BF45130E5300FB23D5B6539D2587DC938EB36B7B448951AB3
Reporter: abuse_ch
Tags: iso Maersk nVpn RAT RemcosRAT


abuse_ch
Malspam distributing RemcosRAT:

HELO: s29.ultimate-solution.com.pk
Sending IP: 144.76.235.53
From: Maersk Shipping Line <no-reply@maersk.com>
Subject: ARRIVAL INFORMATION FOR FEEDER VSL: KUO TAI V.212S // NO: CCLU6276718/40'HC & DFSU216
Attachment: Loading-Documents,pdf.iso (contains "Loading-Documents,pdf.exe")

RemcosRAT C2:
jamesanderson68986.ddns.net:1965 (194.5.98.23)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.98.0 - 194.5.98.255
netname: Privacy_Online
descr: Longyearbyen, Svalbard und Jan Mayen
country: SJ
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-04-26T16:42:54Z
last-modified: 2020-03-13T23:11:55Z
source: RIPE
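The lure in the report above is an ISO attachment whose payload is an executable named to look like a PDF ("Loading-Documents,pdf.exe"). The Python below is an added example, not MalwareBazaar code and not part of the reporter's post: it parses an ISO 9660 image as raw bytes (primary and Joliet volume descriptors), lists the root directory without mounting the image, and flags executables and document-style double extensions. The image it scans is constructed in memory by build_iso(); no real sample data is embedded, and the extension lists (EXEC_EXTS, DOUBLE_EXT), the helper names and the scoring are this example's own choices, not anything the page specifies.

```python
"""Enumerate the root directory of an ISO 9660 image without mounting it and flag
names matching the lure reported above (an executable named like a document).
Added example, not MalwareBazaar code; no real sample is embedded, build_iso()
constructs the test image in memory."""
import re
import struct

SECTOR = 2048
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "lnk", "dll", "msi", "hta"}
DOUBLE_EXT = re.compile(r"[.,_\- ](pdf|docx?|xlsx?|jpg|png|txt)$")  # document token glued to the stem

def _both(fmt, value):
    return struct.pack("<" + fmt, value) + struct.pack(">" + fmt, value)  # ISO 9660 both-byte-order field

def _dir_record(ident, lba, size, flags):
    """ECMA-119 directory record: len, EA len, extent, size, date(7), flags, unit, gap, volseq, id len, id, pad."""
    body = b"\x00" + _both("I", lba) + _both("I", size) + bytes(7) + bytes([flags, 0, 0]) + _both("H", 1)
    body += bytes([len(ident)]) + ident + (b"\x00" if len(ident) % 2 == 0 else b"")  # pad to even length
    return bytes([len(body) + 1]) + body

def build_iso(files):
    """Constructed image: PVD (sector 16), Joliet SVD (17), terminator (18), 8.3 root dir (19),
    UCS-2 Joliet root dir (20), one dummy extent per file. Volume-size fields stay zero."""
    p_root, j_root, first_file = 19, 20, 21
    def root_dir(lba, names, utf16):
        recs = _dir_record(b"\x00", lba, SECTOR, 0x02) + _dir_record(b"\x01", lba, SECTOR, 0x02)
        for i, name in enumerate(names):
            recs += _dir_record((name + ";1").encode("utf-16-be" if utf16 else "ascii"), first_file + i, 64, 0)
        return recs.ljust(SECTOR, b"\x00")
    def descriptor(vtype, root_lba, escape=b""):
        vd = bytearray(SECTOR)
        vd[0], vd[1:6], vd[6] = vtype, b"CD001", 1
        vd[88:88 + len(escape)] = escape                 # Joliet escape sequence; empty for the PVD
        vd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 0x02)
        return bytes(vd)
    image = bytes(16 * SECTOR) + descriptor(1, p_root) + descriptor(2, j_root, b"%/E") + descriptor(255, 0)
    image += root_dir(p_root, [p for p, _ in files], False) + root_dir(j_root, [j for _, j in files], True)
    return image + b"".join(b"MZ".ljust(SECTOR, b"\x00") for _ in files)  # dummy extents, not real code

def parse_dir_records(data, utf16):
    """Yield (name, is_dir, extent_lba, size) per record; a zero length byte means sector padding."""
    off = 0
    while off < len(data):
        rec_len = data[off]
        if rec_len == 0:
            off = (off // SECTOR + 1) * SECTOR           # records never straddle a sector boundary
            continue
        rec = data[off:off + rec_len]
        raw = rec[33:33 + rec[32]]
        if raw in (b"\x00", b"\x01"):                    # '.' and '..' stay single bytes even under Joliet
            name = "." if raw == b"\x00" else ".."
        else:
            name = raw.decode("utf-16-be" if utf16 else "ascii", "replace").split(";")[0]  # strip ';1'
        yield name, bool(rec[25] & 0x02), int.from_bytes(rec[2:6], "little"), int.from_bytes(rec[10:14], "little")
        off += rec_len

def list_root(image):
    """Walk the descriptor set from sector 16; prefer Joliet names (what Explorer shows) over 8.3 names."""
    pvd = joliet = None
    lba = 16
    while True:
        vd = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            raise ValueError("malformed or missing volume descriptor set")
        if vd[0] == 255:
            break
        if vd[0] == 1 and pvd is None:
            pvd = vd
        elif vd[0] == 2 and vd[88:91] in (b"%/@", b"%/C", b"%/E"):
            joliet = vd
        lba += 1
    if pvd is None:
        raise ValueError("no primary volume descriptor")
    vd = joliet or pvd                                   # root record is at offset 156 in either
    root_lba, root_len = int.from_bytes(vd[158:162], "little"), int.from_bytes(vd[166:170], "little")
    root = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    return [e for e in parse_dir_records(root, joliet is not None) if e[0] not in (".", "..")]

def classify(name):
    """'executable' for a runnable extension, plus 'document double extension' when a document token
    precedes it (with known extensions hidden, Explorer shows only 'Loading-Documents,pdf')."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTS:
        findings.append("executable")
        if DOUBLE_EXT.search(name[:-len(ext) - 1].lower()):
            findings.append("document double extension")
    return findings

def scan_iso(image):
    """Map each root-directory file to its findings; [] means nothing flagged."""
    return {name: classify(name) for name, is_dir, _, _ in list_root(image) if not is_dir}

SAMPLE_ISO = build_iso([("LOADING_.EXE", "Loading-Documents,pdf.exe"), ("INVOICE.PDF", "Invoice.pdf"),
                        ("SETUP.EXE", "setup.exe")])  # constructed: the reported lure, a decoy, a plain exe

if __name__ == "__main__":
    for name, findings in scan_iso(SAMPLE_ISO).items():
        print(f"{name:28} {', '.join(findings) or 'nothing flagged'}")
```

Reading the bytes directly keeps an untrusted image away from the analysis host's filesystem driver, which mounting would hand it to. Real samples commonly carry the display name only in the Joliet descriptor and a mangled 8.3 name in the primary one, which is why list_root() prefers Joliet when it is present. Subdirectories, Rock Ridge names and UDF bridge images are not handled here.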

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 63
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-07 08:41:04 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5

Note that the vendor family label (FormBook) differs from the MalwareBazaar signature (RemcosRAT). Vendor family names for the same sample frequently disagree with each other and with the assigned signature, so the label alone is not a reliable classification.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  RemcosRAT
    iso 8e95efa58f769fb4f5312936a0d947125f5eca38bb3f6c258e0e15ee3648947d (this sample)
      Dropping RemcosRAT

Delivery method: Distributed via e-mail attachment
