MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dbdec587ca0c7713c3b5bb6e95803937226529b3b4515df219a8860cecfe76d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dbdec587ca0c7713c3b5bb6e95803937226529b3b4515df219a8860cecfe76d
SHA3-384 hash: 34db912420c00dd88bed8d6566c138e981f41fe9b6a4ab1f2dc668fc5be66d6a70f591b3101806f526ef08066626787c
SHA1 hash: e1a1335a312b46d6fa2076076ea7a7135eeaaa42
MD5 hash: ca2515407da5152297aef4e50a789d58
humanhash: zebra-snake-cold-table
File name:DHL.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:978'946 bytes
First seen:2020-05-20 11:20:03 UTC
Last seen:2020-05-20 11:46:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4607f28103cd21942f0cdd09b7a3d4f8 (3 x RemcosRAT)
ssdeep 24576:8KTBS07b0q/bC23zgs4tYj+R64TXpONR087:8KY+e23MsIoZ4wRX7
Threatray 928 similar samples on MalwareBazaar
TLSH 4C258E22F2D19433C223297CDD1B97A4AC2ABE513E546C467BE85D4C9F3E392343A197
Reporter abuse_ch
Tags:DHL exe nVpn RAT RemcosRAT


Avatar
abuse_ch
Malspam distributing RemcosRAT:

HELO: xray-sector
Sending IP: 103.1.185.133
From: DHL <support@dhl.com>
Subject: Dear Customer
Attachment: dhl.img (contains "DHL.exe")

RemcosRAT C2s:
u863495.awsmppl.com:2404 (91.193.75.81)
lakeside007.awsmppl.com

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
descr: We ask all employees of Spamhaus and all self-proclaimed deputy sheriffs
descr: to stop your attacks against us.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2019-12-05T05:39:00Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 11:35:35 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tw66ywd4uddxcpb3lo3oswadsnzcmuu3hncrlxzbtkegbtwp45wq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f307822855aabba644e0f79751eeb5f26e0575ae5ade7c6507c6d1ea7a64725
RemcosRAT
18aae95253ffa453609ef3e1150cf9c2b167a1b1c59ae1270e279f8d5e070c27
RemcosRAT
3b13ea61e91a0312f8c187096e435168cee2d2277c46373d01899497345bd0e9
RemcosRAT
667d35d2cff2979ca84df0afe1eca6c164e1d919b989e16b97166c7a30c77a87
RemcosRAT
93c327b46d6354a91a9b20311a2f1e1873e132765816ec26443eb1971ccd2946
RemcosRAT
b8a03fd14b3a3695af8b6c781eb946214a98986279678c6b2a477f22ba1ac3cf
RemcosRAT
c0a656a2f73c254ed2f1e73630083849890b7c1e36161e89fe29d2fd014f9fff
RemcosRAT
de45e137eeda4de58d4840e499559e36ee01256b6180e87249ec035525db6b9c
RemcosRAT
eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18
RemcosRAT
f9441d3651d67748ec1a2fd325ea1aa9d914208c7fae0853e5b769e52e66ccb8
RemcosRAT
+ 918 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-smn1sxlk1x/
Behaviour
Script User-Agent
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemcosRAT

img 80c4314ef4834ab9ea84c51934649c57ba98d331b08503081fbb35c5721cc378

RemcosRAT

Executable exe 9dbdec587ca0c7713c3b5bb6e95803937226529b3b4515df219a8860cecfe76d

(this sample)

  
Dropped by
MD5 70bf77982e30fef42fd6556cfa5dc696
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 80c4314ef4834ab9ea84c51934649c57ba98d331b08503081fbb35c5721cc378

Comments