MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9640573998280900bbaab48ea85f674275d76b8bdde1642aa0c59898c6a79a21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9640573998280900bbaab48ea85f674275d76b8bdde1642aa0c59898c6a79a21
SHA3-384 hash: 091222aff905eb55d35e36a9aab54a34163dfb652c32e04ec609ee5b4f6226c3f66ac5d61f9d8d207dc5aa06d03c19e0
SHA1 hash: fc4f9f1833683eb76a8a2ced9529d8dadcbb95f8
MD5 hash: 777c491c3860714002e67364de5af30c
humanhash: alabama-wolfram-december-salami
File name:Remittance-2020429.img
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'245'184 bytes
First seen:2020-04-29 19:44:04 UTC
Last seen:Never
File type: img
MIME type:application/x-iso9660-image
ssdeep 3072:TBFaj5U/8VnDrVyltmZAyuCfxMcaIqhl4m+P9GjS4SqIQR2XPi9y:TgDrwGzuAM9I4gUjS4SqH
TLSH DC45F43D1DFDA227D064D6B1CFD2C8A3B699E46631A5AA2268DF13940793D0736C313E
Reporter abuse_ch
Tags:geo HRV img nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: dobarhosting.com
Sending IP: 78.47.62.128
From: Talha Ayaad <sales@emsolutions.com.au>
Subject: FW: Kopija Swift doznake MONTAVAR METALNA LOLA DOO BEOGRAD EUR 44, 074\x0a\x0920200428124605
Attachment: Remittance-2020429.img (contains "Remittance-2020429.exe")

RemcosRAT C2:
prantiexport.myq-see.com:3535 (79.134.225.71)

Pointing to nvpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43191.4560.6598.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 08:07:29 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
18 of 31 (58.06%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=szafoomyfaeqbo5kwshkqx3hij25o24l3xqwikvaywmjrrvhtiqq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 9640573998280900bbaab48ea85f674275d76b8bdde1642aa0c59898c6a79a21

(this sample)

RemcosRAT

Executable exe 6ea9da4ed018d0d17891bc301d0d42c637482f8ecdac6ebff94ac9dd41d5d7a3

  
Dropping
MD5 03be770b4cd4a4290d56c7fda10b5b71
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 6ea9da4ed018d0d17891bc301d0d42c637482f8ecdac6ebff94ac9dd41d5d7a3

Comments