MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9725f6f873762b24d044b1f95de44760fe1d84aab60f989fbc4ba25337fe1b86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9725f6f873762b24d044b1f95de44760fe1d84aab60f989fbc4ba25337fe1b86
SHA3-384 hash: 7d5c6de75b85f3f9f4c2585b4155d36766129e6fb7afc85a72b9ae98e27b6d4074849a8fc5969c99436b85a2507199e5
SHA1 hash: c9a28a3b4cd31b7e6895f3aafdfa126f008628ab
MD5 hash: 525404e2cbe0f27566d0271332778eda
humanhash: queen-fanta-kitten-gee
File name:Attachment.iso
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'572'864 bytes
First seen:2020-05-20 11:21:12 UTC
Last seen:Never
File type: iso
MIME type:application/x-iso9660-image
ssdeep 24576:AKTBS07b0q/bC23zgs4tYj+RL4EXpONR08:AKY+e23MsIoM4ZRX
TLSH 5D757E22F2919433C223297CDD1B97A4AC2ABE513E546C467BEC5D4C9F3E392343A197
Reporter abuse_ch
Tags:iso nVpn RAT RemcosRAT UPS


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: 52-252-7-55.plesk.page
Sending IP: 52.252.7.55
From: UPS Customer Service <pkinfo@ups.com>
Subject: Your Order Arrival Notification email
Attachment: Attachment.iso (contains "Attachment.exe")

RemcosRAT C2s:
yakuza.nsupdate.info
u864246.nvpn.so:2404 (185.244.30.223)
u864245.nerdpol.ovh
u864244.nsupdate.info

Pointing to nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@FOS-VPN.org'

inetnum: 185.244.30.0 - 185.244.30.255
netname: Freedom_Of_Speech_Foundation_Hungary
remarks: Budapest, Hungary
country: HU
org: ORG-FOSF3-RIPE
admin-c: FOSF1-RIPE
tech-c: FOSF1-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-04-06T19:58:39Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Geniso
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 20:15:58 UTC
File Type:
Binary (Archive)
AV detection:
15 of 30 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4s7n6dtoyvsjucewh4v3zchmd7b3bfkwyhzrh54jorfgn76doda._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

iso 9725f6f873762b24d044b1f95de44760fe1d84aab60f989fbc4ba25337fe1b86

(this sample)

RemcosRAT

Executable exe 5e499f9a72195ce2d1d2e0ca6dffbacc880ae5bc0847ea03e65060c993e35146

  
Dropping
MD5 732ea79dd6dc94740854fababee3a6e0
  
Dropping
RemcosRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5e499f9a72195ce2d1d2e0ca6dffbacc880ae5bc0847ea03e65060c993e35146
Cape
Cape
https://www.capesandbox.com/analysis/4230/
Cape
Cape
https://www.capesandbox.com/analysis/4229/

Comments